We use Jenkins and Active Directory plugin for authentication.
For some reason, I need to add a specific account in Jenkins but not in Active Directory.
Is it possible to use both Active Directory and internal user ?
If it's impossible, I think I can modify the plugin to add an account in it.
I know it's not a good idea, but we need this function.
I think it's in ActiveDirectoryAuthenticationProvider.java's retrieveUser() function.
If you have Jenkins deployed to an app server and the app server supports your use case, you can use the "Delegate to servlet container" option in the Security Realm.
You might be able to utilize the Script Security Realm Plugin
Related
When writing Groovy workflow code that is loaded via SCM and uses third party classes and methods, is it possible to avoid the sandbox and have my methods executed by default, without being rejected with security exceptions?
Create the workflow item as an administrator (a user with Overall/RunScripts permission)
I Installed the Active Directory Plugin and users from the domain can access to the jenkins.
Now I need to create new user but this user can't be in the domain so it need to be local user or something.
Is it possible while the Active Directory is enabled in the Access Control ?
Thanks
Not really.
You can make something yourself with Script Security plugin. But then you need to manually script AD/LDAP authentication through that script, plus add the exception for your new user
I am creating an msi-package of a Windows service using Wix. I want to run the service under a regular user account without administrative priviliges. For better security I want to put the files of the service in the personal user folders (such as AppData\Local\Programs\CompanyName... for binaries and AppData\Local\CompanyName... for config and data files) with the appropriate file access permissions for the user. I imagine the following scenario:
Start the msi in the per-machine context.
During the client stage of the installation ask for the user name and password.
During the server stage of the installation:
a) create the user
b) change to its context and install the program files to ProgramFilesFolder and the data files to LocalAppDataFolder
c) change back to the admin context and install and configure the service to be run under the user account
I am stuck at the step 3 b) as from what I've learned I can't change the installation context after switching to the server side of the installation. Please could you advice me on how I could achive my goal described in the first lines. In particular if I have to copy files to another user's personal folders, what would be the most reliable way to get their paths? Or maybe I am wrong and installing a service into a personal user folder is bad practice at all?
I am aware of the presence of the built-in Local Service account but would like to narrow the service context even more.
The local appdata folder is the problem. If you create a user account the user folders aren't created until the user does an interactive login, and even then in some environments it may be redirected via policy. I am unaware of any reason that local data is better (in a security sense) then the ProgramFiles folder, which is write-restricted to administrators. I'd just install the service binaries to ProgramFiles. In the UI you can collect credentials and use them when the service is installed. A problem with using external credentials is that things like Repair and sometimes patching will fail unless you have the credentials available, having saved them somewhere safe, because otherwise the property values you use will be empty on repair. If localservice works then use it.
It normally doesn't matter what privileges a service has because it usually knows what it's doing. It's only an issue if it calls unknown external code that may try to do something bad, or if it gets asked to do random things such as "run this program" or "copy this file" without doing any internal validation or having a whitelist of what it's allowed to do. So it might be useful to know if there's a specific problem you're trying to address or just following good practices.
I don't think you're being overcautious, service isolation is definitely a good goal. If you can require Win7/2008R2 or later, then you can run the service under a virtual account. There is no password required for virtual accounts, and they don't have the ability to completely wreck the machine like SYSTEM does. You should be able to use it like this:
<ServiceInstall Account="NT SERVICE\$(var.ServiceName)" Name="$(var.ServiceName)".../>
It's actually better for the service executables to be in Program Files, that way the service can't modify its own exe.
Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.
I am creating files with a custom version number during the build that I want to be publicly available through http.
Assuming I am building the project "MyTestApp", I want the version number text file I created to be available at a location like http://jenkins.company/job/MyTestApp/revision.txt
Any idea how to achieve this?
David, this depends on what you mean by "publicly available". If your Jenkins instance is secured (jenkins.company/configureSecurity/), then access to artifacts requires that your http session be authenticated. If all users who need access have accounts on the Jenkins server, then you just need to use the post-build action "archive the artifacts", and your text file would be available here:
jenkins.company/job/MyTestApp/jobnumber/artifact/revision.txt
Or here:
jenkins.company/job/MyTestApp/lastSuccessfulBuild/artifact/revision.txt
See this screenshot: http://note.io/17oiykI
If you need unauthenticated access, you could publish your artifacts to another web server on the same or a different host. Or you could upload them to an Amazon S3 bucket.