Securing builds on Hudson - jenkins

We have an enterprise Hudson setup wherein I want to restrict the ability to trigger new builds to logged in users only. I do not have access to "manage Hudson" but I do have enough karma to create/edit jobs.
I tried adding "users" to the "job-based security" list and unchecked build rights from "Anonymous", but that doesn't seem to work for me. Is there a catch-all group for logged in users?

A "catch all" group for logged in users is authenticated.
However if authenticated have build permissions on global configuration (through manage Hudson), unchecking them on per-job will not remove permissions. These are "allow" permissions and are cumulative, there are no "deny" permissions.
If you really want to restrict a job from being run by others, you can make a "password" type parameter in the job, and fail the job if that value is not something that's expected... but of course any admin with "configure" permission on your job could see it.

Related

How to remove Credentials section from Jenkins homepage?

I currently have the Jenkins Credentials plugin installed on an apache webserver. The global jenkins security is set to "logged in users can do everything" and anonymous users can only read.
I want to remove this section from the homepage on the left side:
How can I achieve this?
Under 'Configure Global Security', try changing from 'Logged in users can do anything' to 'Matrix-based security' or 'Project-based Matrix Authorization Strategy', and you should see a table that allows you to disable the credentials options for authenticated users.
https://jenkins.io/doc/book/using/using-credentials/#configuring-credentials
Although if you're an admin I think it shows up regardless.

Which permission allows a user to create Task Groups in TFS 2017 Build?

When I try to create a task group from a task in my build definition in TFS 2017, I get an error that says
Access denied. (user name) needs Edit task group permissions to
perform the action. For more information, contact the Team Foundation
Server administrator.
I've checked the following documentation pages, but none of them seem to mention how to grant edit task group permission:
Task Groups
Permissions and groups in VSTS and TFS
Build and release permissions
I'd like to know the correct way to grant this permission.
Additional information:
My account is a member of a Builders group in the appropriate project, and that Builders group has Allow set for every permission listed at the above Build and release permissions link, except override check-in validation by build and Update build information which are both Not Set, and the documentation recommends leaving those permissions as they are.
There are three related permission Administer task group permissions, Delete task group, Edit task group for task groups configuration.
You could set it from Build&Release --Task Group--right click it in left pane--select security.
However just like some other permission settings, you could also directly add a user or TFS group here. After add a user, there should be a users list under TFS group list.
"Build Administrators", "Contributors","Project Administrators" or "Release Administrators" there are just four default groups here. You don't have to add your user account in these groups and set the permission for a specific group to grant related permission of "task group". For example, if you don't want to give all users in a group the correspondingly permission, you could simply give the permission for a user.
In your case, you could add your old "Builders" group here or just add your owner account either directly here or one of a default group.
The other answer is good, except that I have no Builders group... perhaps due to the upgrade path that had been followed on that server.
Go to Task Groups hub, e.g. http://{server}:8080/tfs/{collection}/{project}/_apps/hub/ms.vss-releaseManagement-web.hub-metatask, and hover on Task Groups in left pane, click Ellipsis and choose Security. By default, the old Builders group is not in there, but Build Administrators is. The permission Edit task group can be set here, if needed, but it looks like the correct thing to do is add the user to one of the groups Build Administrators, Project Administrators or Release Administrators.

How to create a user in jenkins?

I just installed Jenkins in my machine running Ubuntu.
But when I access http://localhost:8080/ jenkins asks me for my username and password... but I have no idea what they are!
How can I log in Jenkins? (Sorry for the noob question, first time using Jenkins)
Any help is welcome!
Edit: So far I got this:
I can remove security by changing the config.xml setting
<useSecurity>true</useSecurity>
to
<useSecurity>false</useSecurity>
And now I can access my Jenkins... But I still dont know how to create a user =/
in jenkins go to Manage Jenkins > Configure Global Security and select the "Enable Security" check box.
select "Jenkins Own User Database" for the security realm and then select "Logged in Users can do anything" or a matrix based strategy (If you have multiple users with different permissions) for the Authorization.
Once you log in Jenkins as admin, Manage Jenkins > Configure Global Security and select the "Enable Security" check box. select "Jenkins Own User Database" for the security realm under access control and then select "Logged in Users can do anything" under Authorization and Save it.
click on Manage jenkins>>Manage User >> Create User
Complete the details.
Jenkins asks me for my username and password... but I have no idea what they are!
It depends how you configured Jenkins Access Control/Security Realm in your Configure Global Security page which determines the user authentication method, whether to use Jenkins own independent user database or external database (such as LDAP, Active Directory, Unix NIS, etc.).
If its using its own database, you can try to decrypt Jenkins passwords from credentials.xml. Otherwise disable useSecurity in your config.xml file, restart Jenkins and follow the steps. You should be asked to provide the initial password from the initialAdminPassword file (if you don't, make sure you've changed the right file and restarted Jenkins correctly).
To create user, you need to go to select your authentication method in Configure Global Security and create user either externally or if you've selected Jenkins’ own user database and tick Allow users to sign up, then hit Save button which would allow you to create user from the Jenkins interface.
Login to your Jenkins server via web URL. (http://jenkins_ip or jenkins_url:8080)
Jenkins >> Manage Jenkins >> Manage Users >> Create User >> Provide the username, password, email & click on Create User.
To edit or reset or modify the password of the Jenkins' own user database users,
Jenkins >> Manage Jenkins >> Manage Users >> Click the user-id from the existing user list >> Configure >> Save
You should find a file in secrets folder called initialAdminPassword with the info
Steps to create a new user
Login into Jenkins
Go to Manage Jenkins
Go to Create Users
Enter all the details – Username, Password, Confirm Pwd, FullName, Email
Select Create User
This LINK has detailed steps on how to create Jenkins user.
Here is the summary:
After setting
<useSecurity>false</useSecurity>
Restart Jenkins:
sudo systemctl restart jenkins
Click on People on the left-hand navigation menu.
Click on the Admin. (Skip and move on to step 4 if you don't have any user).
Delete the user account.
Navigate to Jenkins / Manage Jenkins.
Click on Configure Global Security
Check the Enable Security check box. (If you don't have this item, skip and move on to next and you will able to create/add user)
Under Security Realm, select Jenkins’ own user database
In the Authorization section, select Logged-in users can do
anything.
Unselect Allow anonymous read access.
Click Save to save your changes.
By default Jenkins uses it's own database for user management.
Go to People on Jenkins dashboard to see Users that you have, if you are not able to find an option to add user there, don't be disheartened, read on.
Go to Manage Jenkins and scroll down to bottom, second last option should be Manage Users.
By default every logged-in user can do anything, to change this, go to Manage Jenkins -> Configure Global Security -> Access Control -> Authorization -> Matrix-based security
AT THIS POINT IF YOU DON'T KNOW WHAT TO DO, PLEASE DON'T MAKE ANY CHANGES. DON'T SAVE OR APPLY.

How to restrict credentials in Jenkins?

I have multiple users on a Jenkins server, each with their own credentials for external secured servers needed to run their builds. I am using the credentials plugin to manage the stored credentials. Currently, when a user configures a project, they can use anyones credentials for doing external jobs. I need to make it so that each user only sees the credentials they own when they configure jobs on the jenkins server. How would I do this?
The Folders plugin allows to limit the scope of credentials to a specific folder.
If you're fine with restricting access of different users to different folders (e.g., with the Role Strategy plugin), then this could be a solution.
Just create the folder, enter the folder, then select the "Credentials" link on the sidebar. A new link should appear called "Folder" click that and then define your credentials. Jobs in other folders will not be able to use those.

How can I set the jenkins authentication token?

On my Jenkins build server, I want to set an Authentication Token so that only users that know the token can fire off builds. (As described here.)
This doc page says that it should be configurable under my job's "Build Triggers" configuration.
However, my server has no such fields, and I'm running the latest version (1.546). Mine looks like this:
.
As you can see, this doesn't really look like the docs say it should.
How can I set this token?
You're missing the Trigger builds remotely (e.g., from scripts) Build Trigger:
This is only visible with Security enabled. To get this option from a freshly downloaded 1.546 WAR, I changed Configure Global Security from Anyone can do anything to at least Logged-in users can do anything. For ease/speed of testing, under Security Realm I selected Jenkins’ own user database and Allow users to sign up:
You can go to http://Jenkins-IP/jobs/me/configure to check and change your API access token. Also check whether the user you intend to use has necessary permissions to execute the builds in Manage Jenkins>Configure Global Security
Each jenkins user gets an authentication token - applicable since version 1.426 (more).
You can see yours, provided you are logged in your jenkins server, at http://your.jenkins.server/me/configure
(press 'show API token' button)
Then you can copy and paste it in your scripts (e.g. see here for an example usage).

Resources