When opening my Jenkins in the URL I cant seem to log in it throws out the message "User is missing the Overall/Read permission". I have tried the answer from a similar question but disabling the security does not work. Jenkins continue's to throw out the error. Somebody recommended that I remove the file all together but also failed. Any other solution anybody could supply me with?
Posts I have visited already include: Jenkins Wiki
Edit the /var/lib/jenkins/config.xml file and add you as an Admin as follows:
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
.
.
<permission>hudson.model.Hudson.Administer:***Here is your username***</permission>
.
.
</authorizationStrategy>
Don't forget to go to restart the Server.
Hope this helps!
I discovered one additional scenario where this might occur:
I had a user that was defined with an all lowercase username (e.g. "john.doe"), but when this user was assigned a role their username was entered with different casing (e.g. "John.Doe"). In this case, the user was able to login, but the role was not associated correctly and therefore the overall/read permission was not granted.
To fix this, I simply deleted the bad record for the role assignment and recreated it with proper casing.
Disabling Security
One may accidentally set up security realm / authorization in such a way that you may no longer able to reconfigure Jenkins.
When this happens, you can fix this by the following steps:
Stop Jenkins (the easiest way to do this is to stopthe servlet container.)
Go to $JENKINS_HOME in the file system and find config.xml file.
Open this file in the editor.
Look for the <useSecurity>true</useSecurity> element in this file.
Replace true with false
Remove the elements authorizationStrategy and securityRealm
Start Jenkins
When Jenkins comes back, it will be in an unsecured mode where everyone gets full access to the system.
If this is still not working, trying renaming or deleting config.xml.
above was quoted from https://jenkins.io/doc/book/system-administration/security/
So Once we come back to jenkins in unsecured mode we need to delete the users and add a new user .
[Project-based Matrix Authorization Strategy related]
Hello there,
the same error happened to me when I unchecked the global/read permission for anonymous.
If you are using the project based matrix ahtorization plugin, for an unclear reason, this read permission seems to be required by the plugin.
In Windows: When I've enabled the LDAP under Global security, I lost my admin right too. with error as "Access Denied is missing the Overall/Read permission jenkins windows".
In such case, Please retain the existing instance, have a new jenkins install on someother machine or VM. Copy the config.xml from Jenkins_Home and replace it with config.xml from your Jenkin_Home directory. While performing this, ensure Jenkins service is stopped. once replaced, Start the instance and VOILA.
Restart your jenkins server using below command,
service jenkins restart
It works for me.
I was also having the same issue. Adding fresh roles from Manage and assign Roles section and assigning them to the users worked for me.
In my case (Jenkins v 2.205) I edited JENKINS_HOME in jenkins.xml in windows, to move the workspace due to a bug from angular / webpack in a project. What I didn't realize is that you must move a whole host of files and folders, not just workspace and jobs subfolders.
Here's a list of what I ended up moving to the new location (with Jenkins stopped, of course):
[folder] fingerprints
[folder] jobs
[folder] logs
[folder] nodes
[folder] plugins
[folder] secrets
[folder] tools
[folder] updates
[folder] userContent
[folder] users
[folder] workflow-libs
[folder] workspace
[file] .lastStarted
[file] config.xml
[file] credentials.xml
[file] **plugin-configuration.xml (any file that is configuring one of your plugins)
[file] hudson.*.xml (all hudson files)
[file] identity.key.enc
[file] jenkins.* (all Jenkins files)
[file] locale.xml
[file] nodeMonitors.xml
[file] org.*.xml (all org config files)
[file] queue.xml
[file] scriptApproval.xml
[file] secret.key
[file] secret.key.not-so-secret
I'm not entirely sure if ALL of them were required, but I'm pretty sure all the hudson, jenkins and users/secrets/credentials are needed
User is missing the Overall/Read permission sometime we forget to update the security configuration after adding the user in jobs,
https://<jenkins-url>/configureSecurity/
under Authorization Strategy, Provide Overall permission to list and access the jobs that has permission to access
Related
I want to update Jenkins plugin via Artifactory.
Create a remote repo named Jenkins-update
Create a local repo named jenkins-update-center
Get the update-center.json from repo Jenkins-update to local and modify the URL from 'http://updates.jenkins-ci.org/' to my own URL 'https://artifacts.xxx.com/artifactory/Jenkins-update/' in update-center.json, then put update-center.json into local repo.
#!/bin/sh
curl -L -o /tmp/update-center.json http://localhost:8081/artifactory/Jenkins-update-cache/update-center.json
sed -i 's#http://updates.jenkins-ci.org/#https://artifacts.xxx.com/artifactory/Jenkins-update/#g' /tmp/update-center.json
curl -L -uuser:pass -T /tmp/update-center.json "http://localhost:8081/artifactory/jenkins-update-center/update-center.json"
Change the default update site from 'http://updates.jenkins-ci.org/' to 'https://artifacts.xxx.com/artifactory/jenkins-update-center/update-center.json' in Jenkins
There is an error 'SHA-512 digest mismatch: expected=49a22dc23f739a76623d10128b6803f79e0489de3ded0f1d01f3dfba4557136c7f318baaf4749a7713ec4b3f56633f2ac3afc4703e87d423ede029d68f84c74d in 'update site 'default''' when I click 'check now' button.
What should I do to make Jenkins update plugins from Artifactory?
Tkx
As soon as the content of update-center.json changed you need to re-generate "signature" section of this file.
For that you need to generate your key pair (see more details in How to create a local mirror of public Jenkins update site?)
Also you may use the following proposed approach :
there is probably a better way, by having a sandbox Jenkins on a system that has access to the internet. You update the server using the UI and then you can test that updated Jenkins thoroughly. When done, you just need to copy the war and hpi files over to your 'production' Jenkins. now you have even a nice process and QA in place.
Another way is to setup a transparent https proxy between your Jenkins and Artifactory server - in that case update-center.json will not change and signature verification should work fine.
With best regards,
Dmytro Gorbunov
As of 2023-01-10 there is a problem with making a mirror of the jenkins plugins on artifactory.
Artifactory documentation decribes only how to create a mirror: https://jfrog.com/knowledge-base/how-to-configure-artifactory-as-a-mirror-for-jenkins-plugins/
But this is not a complete solution. Because this leads to the situation when every plugin shall be manually updated. Having plugins with bunch of dependencies it is huge effort.
There is a need to generate a file: update-center.json
There is an internal jenkins tool to do this: https://github.com/jenkins-infra/update-center2, but documentation is poor and contains vague statements like:
With a few modifications it could easily be used to generate your corporate update center as well.
Without clear description, what shall be done.
I tried to follow steps and completely failed. Tool require some special environment variables, which are also not documented and so on.
So as of my experience mirroring jenkins plugins on artifactory is practically not possible. And honestly spoken, I would like to be wrong here.
The Jenkins CLI provides the function to export&import single jobs, e.g.:
java -jar jenkins-cli.jar -s http://foo-jenkins.tld:8080 get-job myjob > myjob.xml
java -jar jenkins-cli.jar -s http://bar-jenkins.tld:8080 create-job newmyjob < myjob.xml
Is it also possible / How to backup&restore the configs?
I mean the whole settings:
the system configuration,
the global security configuration,
the credentials,
the global tool configuration,
the plugins configuration (the "HTTP Proxy Configuration" and the list of the installed plugins)
the nodes
the users
is anything missing?
The whole settings at once or maybe even as single backup/restore processes like e.g. MozBackup with its "Components selection"
or eclipse with its "Export Preferences" dialog
There is no simple way to backup/export selected parts of the configuration, since Jenkins configuration data is scattered among
several files (global config.xml, lots of plugin-specific files)
several sub-directories (credentials, nodes) and
some of the files are encrypted (credentials), so you must also backup the encryption keys
The cleanest solution will be to back-up the entire $JENKINS_HOME, and to exclude those parts that you do not want to be part of the backup (e.g., exclude jobs/*/builds). With that you'll end up with a resonable backup size also.
Such a backup must be done on filesystem level, as there's no API to access all those files/data.
Do not rely on thinBackup, as you depend on the plugin maintainers to not miss anything important. E.g., as of version 1.7.4, thinBackup does not backup Jenkins' secret keys, so it's impossible to restore credentials from scratch.
Maybe thinBackup plugin will help you.
The mentioned requirement can be easily achieved using the below plugin
https://wiki.jenkins-ci.org/display/JENKINS/JobConfigHistory+Plugin
Below issues will be solved while using this plugin
Config changes are versioned
Config changes can be compared
Config changes can be reverted back
Background
I have the following Jenkins config.
Ubuntu machine
Jenkins installed using apt-get, and is started as a service (service jenkins start).
To this point I have not made any modifications to Jenkins config.
We have several Ant projects for which I want to publish Javadocs using Jenkins.
After configuring the Javadoc plugin, I quickly hit this issue where only the Javadoc frames are displaying, without any content.
Some reading (here and here) told me that I need to configure Jenkins' Content Security Policy, and that this is done by modifying system properties passed to Jenkins.
However, despite digging around I have not found clear docs on how to pass these system properties to the Jenkins service. How do I do that?
Answering my own question.
To set system properties for the Jenkins service:
Steps
Stop Jenkins (service jenkins stop). You will need root privileges.
Edit the /etc/defaults/jenkins file.
Add an additional line for the JAVA_ARGS that you want to pass.
JAVA_ARGS="-Dhudson.model.DirectoryBrowserSupport.CSP=\"your CSP configuration here\""
Start Jenkins (service jenkins start).
Explanation
Look at /etc/init.d/jenkins for a line similar to:
NAME=jenkins
SCRIPTNAME=/etc/init.d/$NAME
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
These tell us that the Jenkins daemon will look for a file named /etc/default/jenkins. If present, it .s that file.
If you set $JAVA_ARGS in /etc/default/jenkins it will be substituted in the line below, located later in the /etc/init.d/jenkins file:
$SU -l $JENKINS_USER --shell=/bin/bash -c "$DAEMON $DAEMON_ARGS -- $JAVA $JAVA_ARGS -jar $JENKINS_WAR $JENKINS_ARGS" || return 2
Notes
Even after you do the above, the Javadoc may not load properly. Try doing a hard refresh (Ctrl-Shift-R on Chrome).
As detailed in (the Jenkins docs)[https://wiki.jenkins-ci.org/display/JENKINS/Configuring+Content+Security+Policy] there is a temporary way to do this as well. Read that page and try to understand the implications well.
Changing the Content Security Policy has serious implications especially if your Jenkins is public. It's worth the effort to understand just what policies you are modifying.
In any answer and in jenkins website tell me to set
<useSecurity>true</useSecurity>
in config.xml but in my jenkins folder don't have this file
config.xml doesn't get written until server is restarted at least once since installation.
Try restarting the Jenkins server.
This likely sounds like invalid Jenkins installation, or the file is in another place pointed by $JENKINS_HOME or $CATALINA_OPTS (e.g. ~/.jenkins or /var/usr/jenkins/.jenkins).
Another reason could be that by default Jenkins load all data from memory and you need to reload the configuration files from file system, so try restarting Jenkins.
Then double check in System Properties (at /systemInfo) that user.home points to the folder where you expect that file. Check also your System Log (/log/all) for any issues.
If above won't help, check the folder permission and if there is enough space (but you should have some error anyway). Or try reinstalling Jenkins.
According to Administering Jenkins documentation page, the config.xml Jenkins root configuration should be always in your JENKINS_HOME folder.
Once you've got config.xml, to disable security remove the lines with useSecurity and authorizationStrategy and restart Jenkins, or try executing these commands:
sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart
I accidentally turned require login on before adding any users for my Jenkins server. It is on an EC2 instance, is there any way to SSH into the command line and add a user?
To fix this follow the instructions
Stop Jenkins (the easiest way to do this is to kill the servlet
container.)
Go to $JENKINS_HOME in the file system and find config.xml file.
Open this file in the editor.
Look for the <useSecurity>true</useSecurity> element in this file.
Replace true with false
Remove the elements authorizationStrategy and securityRealm
Start Jenkins