Jenkins project-based security - jenkins

In Jenkins you can enable a project-based security matrix.
Unfortunately I can't find any documentation for the option Credentials.
The documentation of the matrix based security describes these options:
Job: Create, start, cancel a Job
Run: Delete or update builds in build history
SCM: Create tags in repository
But I've found no documentation for Credentials:
Why should I manage Credentials per project? I thought it's a global configuration.

I confirm it's to configure the global credentials, there is no credentials per project.
By checking the option "Enable project-based security", this will allow you to customize the permissions per job (but not the credentials).
I hope it helps :)

Related

Github OAuth with Jenkins for organisation

I was reading this https://medium.com/@vsreelasya/github-oauth-for-jenkins-d21d76a3ff09
It is pretty straightforward.
There are a few points I have to clear:
in my case, in the context of organization, should I create a separate account for Jenkins?
if no separate account is needed there is / settings / OAuth App where I can fill almost the same things as in the tutorial
In Jenkins it seems there are a lot of places where I can insert credentials:
in "Configure Global Security" > "Github Authentication Plugin" > "Global GitHub OAuth Settings"
in "Configure system" > "Github"
in the job "Source Code Management" > "Git" > "Repositories"
Do I have to add the credentials to all of those places?
Github OAuth lets Jenkins depend on Github as an identity provider. Users will use Github to log into Jenkins. No extra "Jenkins" account is necessary on Github. You may set up Github OAuth in "Configure Global Security" > "Authentication" > "Security Realm" > "Github Authentication Plugin" as per this how-to. Just make sure you adjust the system authorization so you won't end up losing admin access to Jenkins.
"Configure system" > "Github" lets you manage the Github endpoints your Jenkins jobs may use for SCM checkout. You may add the public Github API or an on-premise Github Enterprise installation. It has nothing to do with Github OAuth.
I presume "Source Code Management" > "Git" > "Repositories" is a job configuration, but it definitely has nothing to do with Github OAuth.

How to set 'UpdateCauses' user permission on Jenkins

I am trying to use the build failure analyzer plugin for Jenkins.
https://wiki.jenkins-ci.org/display/JENKINS/Build+Failure+Analyzer
In the documentation it says
The link is shown only if the permission UpdateCauses is set for the current user.
But it doesn't give any information on what that is or how to set it.
I'm the only user for my Jenkins.
Thanks!
Go to Manage Jenkins > Configure Global Security, and under the Access Control section, on Authorization, there will be the users and their permissions (if you use matrix-based security). You will see the Build Failure Analyzer permissions:
So short answer, you configure the plugin permissions using Jenkins configurations.

How to handle TFS password on multiple Jenkins jobs?

I have set up a few Jenkins jobs which are using TFS. For each one I had to manually input TFS username and password inside the TFS plugin.
Is there a way to change the password in all jobs using some kind of global setting? Or do I have to manually change the password on all jobs when I change my password?
Any help would be appreciated.
Thanks,
Daniel
Get latest TFS (5.0.0) and Credentials (2.1.4) plugins.
Add domain and credentials usable to connect to your TFS server via Jenkins > Configure Credentials.
Now select the just-added domain, click "Configure", and add your TFS server hostname (or proper wildcard) under Hostname > Include, so Jenkins will know where the provided credentials can be used.
Now, you can just leave user/password fields empty in job's TFS SCM configuration.
Instructions are mostly taken from TFS plugin GitHub page
Even though TFS Plugin bug Allow use of credentials from Credentials Plugin isn't resolved, all is working fine.
The TFS Plugin for Jenkins does not read the global credentials. You need to enter the username and password for each job manually.
In the Jenkins admin you can add "global" credentials. For this, as a Jenkins admin, go to:
Manage Jenkins > Manage Credentials > Add Credentials > Username with password and save it.
These credentials will be available in all the job configurations of this Jenkins instance.
If you don't see the Manage Credentials item, you may need to install the Jenkins Credentials Plugin.

How can I use Jenkins with Atlassian Stash?

I've just set up Jenkins and I have some repositories in my Stash.
I installed the "Git plugin" in Jenkins.
I can now enter the repository URL but there is nothing to enter my credentials.
It's possible using
http://username:password@mydomain/xx/yy.git
but that is something I don't want to do.
What else can i do to authenticate?
I am the author of this stash plugin that might help you: https://github.com/palantir/stashbot
Taking selectively from the readme:
To work with Jenkins, you MUST install the following jenkins plugins first.
Jenkins GIT plugin
Post build task
Next, build and install the plugin using the plugin SDK (more details in the readme)
Next, the stash admin goes into the Stashbot Admin page and creates a jenkins server config - here you give it the URL, username/password, etc details of the jenkins server.
Next, for each repository a "Stashbot CI Admin" link shows up for repo admins. From there you can check the "enabled" checkbox and tell it what branches you want built (via a regex) and what command it should run to do the build (optionally verifies and publishes).
After this point, the remainder is completely self-service. Any repo admin can ask for their project to "have CI" by filling out that form, and the jobs will automatically be created in the jenkins server.
Hope that helps.
Set up an SSH key for the user that runs your Jenkins builds and add it to the repository's SSH keys in Stash. See the Stash docs for instructions.
Two things to add to Gareth's answer.
While I agree that using SSH keys is definitely better than hard-coding the username/password, it's worth mentioning that Stash (currently) scales better with HTTP when it comes to CI. If you have quite a few builds we generally recommend using HTTP. We are currently extending our Git cache support to support SSH so this is no longer an issue.
Somewhat related, you might be interested in watching and voting for the following feature which will make it easier to create CI specific keys.
Lastly having build icons show up in Stash is surprisingly handy, and you should have a look at the following plugin if you haven't already:
https://github.com/jenkinsci/stashNotifier-plugin
Since version 2.0 of "Git Plugin" for jenkins you should be able to directly add the required credentials for both ssh and username/password (based on credentials plugin).
See changelog of Git plugin: https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin#GitPlugin-Changelog for details.
For further integration of git and stash regarding pull requests you additionally need the "Stash Webhook for jenkins" add-on in stash and the "Stash Notifier" plugin for jenkins to connect each other.
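For the `http://username:password@...` form the question wants to avoid, a check over job `config.xml` files can flag Git remotes that still embed a password. This is an added example, not code from any of the posts or plugins above; the sample XML, host name and the `stash-ssh-key` credentials id are constructed, and the element names assume the Git plugin's usual job layout.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a job config.xml (Git plugin layout assumed); not from the page.
SAMPLE_JOB_CONFIG = """<project>
  <scm class="hudson.plugins.git.GitSCM">
    <userRemoteConfigs>
      <hudson.plugins.git.UserRemoteConfig>
        <url>http://builder:s3cret@stash.example.test/xx/yy.git</url>
      </hudson.plugins.git.UserRemoteConfig>
      <hudson.plugins.git.UserRemoteConfig>
        <url>ssh://git@stash.example.test:7999/xx/yy.git</url>
        <credentialsId>stash-ssh-key</credentialsId>
      </hudson.plugins.git.UserRemoteConfig>
    </userRemoteConfigs>
  </scm>
</project>"""


def redact(url):
    """Return the URL with the password replaced, so findings are safe to log."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def find_embedded_passwords(config_xml):
    """List Git remotes in one job config whose URL carries a password."""
    findings = []
    root = ET.fromstring(config_xml)
    for cfg in root.iter("hudson.plugins.git.UserRemoteConfig"):
        url = (cfg.findtext("url") or "").strip()
        if urlsplit(url).password:  # only the user:password@host form has one
            findings.append({
                "url": redact(url),
                "has_credentials_id": bool(cfg.findtext("credentialsId")),
            })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_passwords(SAMPLE_JOB_CONFIG):
        print(finding)
```
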

anonymous access to jenkins workspaces

I am using Jenkins installed on CentOS release 6.3 and Jenkins 1.474. I am using Project-based Matrix Authorization Strategy so that only users in specific AD groups are allowed to log in to Jenkins and view particular jobs.
However I am trying to give anonymous access to workspaces for jobs so I can do a wget and specify the http URL. This is so the hosts I am managing via Jenkins can get certain hosts.
I have added Anonymous to the Project-based Matrix Authorization Strategy section and ticked workspaces but this isn't working. When doing a wget I get access forbidden and when I put the URL in to a browser, I am asked to log in. I have also configured Anonymous to have access to the workspace on the job itself, but still get access forbidden.
Has anyone got any ideas as to why this is not working?
We are using Jenkins version 1.475
We have the following enabled for anonymous access:
Overall:
Read -> Enabled
Job:
Read -> Enabled
Workspace -> Enabled
This allows access to anonymous users to view the Dashboard and the Jobs and also to the workspace...
As of Jenkins ver. 1.609.1, the changes can be made under
Configure Global Security | Configure Global Security (or https://<your jenkins host>/configureSecurity/).
Similar to sdmythos_gr's answer just set Overall Read and Job Read for Anonymous.
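To review what anonymous can actually reach, the matrix entries in the global and job `config.xml` can be checked against the three grants the answers above list. This is an added example, not code from the answers or from Jenkins; the XML samples and the `ops-admins` name are constructed, and treating job entries as adding to the global ones assumes the default inheritance.

```python
import xml.etree.ElementTree as ET

# Permission ids for the three anonymous grants named in the answers above.
NEEDED = {
    "Overall/Read": "hudson.model.Hudson.Read",
    "Job/Read": "hudson.model.Item.Read",
    "Job/Workspace": "hudson.model.Item.Workspace",
}

# Constructed global config.xml fragment: Workspace ticked, no Read grants.
SAMPLE_GLOBAL = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ops-admins</permission>
    <permission>hudson.model.Item.Workspace:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed job config.xml fragment with a per-job matrix entry.
SAMPLE_JOB = """<project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <permission>USER:hudson.model.Item.Read:anonymous</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
</project>"""


def grants_for(config_xml, sid="anonymous"):
    """Return the set of permission ids granted to `sid` in one config.xml."""
    granted = set()
    for node in ET.fromstring(config_xml).iter("permission"):
        entry = (node.text or "").strip()
        # Assumption: newer matrix-auth releases write USER:/GROUP: prefixes,
        # older ones write plain "permission:sid".
        for prefix in ("USER:", "GROUP:"):
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
        perm, _, who = entry.partition(":")
        if who == sid:
            granted.add(perm)
    return granted


def anonymous_workspace_report(global_xml, job_xml):
    """Say which of the three grants anonymous holds across both files."""
    granted = grants_for(global_xml) | grants_for(job_xml)
    return {label: perm in granted for label, perm in NEEDED.items()}


if __name__ == "__main__":
    print(anonymous_workspace_report(SAMPLE_GLOBAL, SAMPLE_JOB))
```

The same report is useful in the other direction: any `True` for anonymous on a job whose workspace holds build secrets is worth reviewing.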
