I have a Jenkins server with multiple users that are able to create and modify Global credentials. Is there any way I can audit and see who did what with the credentials - who modified them, who added new creds, etc. Preferably, presented in nice way similar to Job Config History plugin. Thanks
I had a similar question a few days ago. You can use the Audit Trail Plugin (GitHub) to audit changes to credentials. It logs the HTTP requests that modify credentials. However, it doesn't have a "config history"-style visualisation.
(Soon, it may also be able to log what jobs access the credentials)
You can do that using the Job Configuration History Plugin.
Link should be something like:
https://your.jenkins.url/jobConfigHistory/history?name=credentials
What I noticed is that all changes are shown as if they were been done by 'System' - though they all were done by a specific user.
Related
I'm looking for something like the Job Config history plugin but to log the changes in the Jenkins server itself (any change under the /manage section or credentials).
I tested the Audit Trail plugin, but it only logs who and when, but nothing about the content of the change.
I'm using the roles based strategy, so there is a reduced group of people able to do changes, but I still need more precise information.
Job Config History Plugin also tracks system configuration. Just click on Job Config History (on the left-side menu) on the main dashboard (outside of any job). When there, you can see all server configuration changes with all features like diffs and raw XML access.
Currently in order to enable or disable a job, a user must have Job Configure permissions in the Matrix-based security configuration.We would like to be able to manage the enable / disable job permission independently from the job configure permission.
There are some nightly jobs that we want every user to be able to enable and disable the project without touching/breaking the configuration.
Thanks
Provide a script for the users that will do this using the credentials of 'root' user and set only the execute bit on the script so that no one can read/copy it.
At least 3 ways to make a script:
HTTP POST request:
1.
curl -X POST http(s)://<your_jenkins_url>/jenkins/job/<nightly-build_job_name>/disable
2.
Use python JenkinsAPI.
Documentation is very good, easy to understand much like the API.
3.
The third one can be a script which will use jenkins-cli: accepted answer describes this well .
The Job Configure permission is bounded to the disable/enable function in each job, that's true.
One alternative to disable/enable jobs without the corresponding permission is to create new jobs which do this internally. For example, a job that needs job names as parameters, and disables them.
You could use curl + credentials of a Jenkins user with the Job Configure permission.
You could use plugins. For example, this script using the Job DSL Plugin:
job("jobname"){
using("jobname")
disabled(true)
}
For other options, check out this question.
You may try to install this plugin to get the enable/disable button for the individual project-
I checked in my Jenkins and I could see this:
But when I checked under plugins section I don't see this extra column plugin installed. Probably this is the default behavior in latest versions of Jenkins.
Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.
On my Jenkins build server, I want to set an Authentication Token so that only users that know the token can fire off builds. (As described here.)
This doc page says that it should be configurable under my job's "Build Triggers" configuration.
However, my server has no such fields, and I'm running the latest version (1.546). Mine looks like this:
.
As you can see, this doesn't really look like the docs say it should.
How can I set this token?
You're missing the Trigger builds remotely (e.g., from scripts) Build Trigger:
This is only visible with Security enabled. To get this option from a freshly downloaded 1.546 WAR, I changed Configure Global Security from Anyone can do anything to at least Logged-in users can do anything. For ease/speed of testing, under Security Realm I selected Jenkins’ own user database and Allow users to sign up:
You can go to http://Jenkins-IP/jobs/me/configure to check and change your API access token. Also check whether the user you intend to use has necessary permissions to execute the builds in Manage Jenkins>Configure Global Security
Each jenkins user gets an authentication token - applicable since version 1.426 (more).
You can see yours, provided you are logged in your jenkins server, at http://your.jenkins.server/me/configure
(press 'show API token' button)
Then you can copy and paste it in your scripts (e.g. see here for an example usage).
I don't know why "logged in users can do anything" means Jenkins will happily allow non-authenticated users to view project details and access artifacts... Regardless, I need to know how to get Jenkins to allow logged in users to to anything AND hide EVERYTHING for users who AREN'T logged in. Help please?
This can be done with the Role-Strategy plugin.
Install the plugin, add a new group called "Anonymous" and uncheck everything. Then you want to add another group called "authenticated" and check everything. Add your existing users to this group. Jenkins will immediately prompt you for a login this way.
You can use https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin
it allows to specify to define roles and assign roles to users, users with no roles won't even see the jenkins ui.
Answer to an old question but I came searching here as I am trying to auto spin up a Jenkins instance on Docker and found the same issue.
Good chance this option wasn't available when the question was asked. As of this moment (v2.222.3 but not sure how far back), it turns out you can do this without installing any additional plugins.
Manually
Navigate to Global Security (Jenkins > Manage Jenkins > Global Security)
Update the Authorization section to "Logged-in users can do anything".
UNCHECK Allow anonymous read access
Any unauthenticated access will redirect to login now.
I would note that if you setup Jenkins through the setup wizard then anonymous read access is disabled by default. If you want this behaviour AND want to configure jenkins automatically, read on.
Automated with Docker
My situation is that I wanted to check out my repo, run my compose file and have all my config/users/plugins etc ready to go. Great post here with more detail if interested.
In a nutshell:
Dockerfile
FROM jenkins/jenkins:lts-alpine
# Disable setup wizard since security.groovy creates our user
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
COPY security.groovy /usr/share/jenkins/ref/init.groovy.d/security.groovy
security.groovy
#!groovy
import jenkins.model.*
import hudson.security.*
def instance = Jenkins.getInstance()
// Create Admin User
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount("admin", "admin") // Dont do this. This is bad
instance.setSecurityRealm(hudsonRealm)
// Set Auth to Full Control Once Logged In and prevent read-only access
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)
instance.save()
In particular, strategy.setAllowAnonymousRead(false) is what's needed
Additionally, if you use GitHub as your version control system -- you can use the GitHub OAuth plugin. Once the "Anonymous" reach your page, they will be redirected to GitHub automatically.