Yesterday, I locked myself out of Jenkins while trying to configure LDAP authentication, so I followed the instructions in the wiki and disabled security in the config.xml file via SSH. Now I want to get back to the normal Jenkins security, but the option is no longer offered under "Configure Jenkins". So I'm looking for a way to restore normal security through the config.xml.
Here is the relevant part of the current config.xml file:
<hudson>
<disabledAdministrativeMonitors/>
<version>1.477</version>
<numExecutors>3</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.SecurityRealm$None"/>
...
</hudson>
Does anyone have an idea, or maybe a valid part of a config.xml?
<hudson>
<disabledAdministrativeMonitors/>
<version>2.130</version>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
...
</hudson>
I think you are looking for this, as I was able to revert it back to my default config.xml. Remember to always make a backup of the config before modifying it.
Just update those two tags, authorizationStrategy and securityRealm, and you are good to go. For further reference, check out
jenkins_xml_reference
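The rewrite described in the answer above, as an added example that is not part of the original thread: it detects the Unsecured/None pair (or useSecurity=false) in a config.xml and replaces it with the FullControlOnceLoggedIn strategy plus the internal user database, writing a .bak copy first. The sample document is constructed from the question; the file path is whatever you pass in.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

INSECURE_AUTHZ = "hudson.security.AuthorizationStrategy$Unsecured"
INSECURE_REALM = "hudson.security.SecurityRealm$None"
SAFE_AUTHZ = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
SAFE_REALM = "hudson.security.HudsonPrivateSecurityRealm"

# Constructed sample: the "locked open" state from the question above.
SAMPLE_INSECURE = """<hudson>
<version>1.477</version>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

def security_state(xml_text):
    """Report the three security-relevant elements of a <hudson> config.xml."""
    root = ET.fromstring(xml_text)
    authz = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    return {
        "useSecurity": root.findtext("useSecurity", "false").strip().lower() == "true",
        "authorizationStrategy": None if authz is None else authz.get("class"),
        "securityRealm": None if realm is None else realm.get("class"),
    }

def is_locked_open(xml_text):
    """True when any visitor can administer the instance: security off, or Unsecured/None."""
    s = security_state(xml_text)
    return (not s["useSecurity"] or s["authorizationStrategy"] == INSECURE_AUTHZ
            or s["securityRealm"] == INSECURE_REALM)

def harden_text(xml_text):
    """Rewrite the three elements to the logged-in-users-only settings from the answer."""
    root = ET.fromstring(xml_text)
    use = root.find("useSecurity")
    if use is None:
        use = ET.SubElement(root, "useSecurity")
    use.text = "true"
    for tag in ("authorizationStrategy", "securityRealm"):  # drop the Unsecured/None pair
        for old in root.findall(tag):
            root.remove(old)
    authz = ET.SubElement(root, "authorizationStrategy", {"class": SAFE_AUTHZ})
    ET.SubElement(authz, "denyAnonymousReadAccess").text = "true"
    realm = ET.SubElement(root, "securityRealm", {"class": SAFE_REALM})
    ET.SubElement(realm, "disableSignup").text = "true"
    ET.SubElement(realm, "enableCaptcha").text = "false"
    return ET.tostring(root, encoding="unicode")

def harden_file(path):
    """Back up config.xml beside itself, then rewrite it only if it is locked open."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    if not is_locked_open(original):
        return False
    p.with_name(p.name + ".bak").write_text(original, encoding="utf-8")
    p.write_text(harden_text(original), encoding="utf-8")
    return True
```

Restart Jenkins after the file changes; an admin account must already exist in the internal database, or the "locked out" state simply moves from Jenkins to you.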
Don't forget to remove authorizationStrategy and securityRealm as per point #6:
https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
<useSecurity>true</useSecurity>
Just change it to False. Then you can access the Jenkins Config from the very beginning.
You missed setting the following:
<useSecurity>false</useSecurity>
Adding/replacing these three settings in the config (~/jenkins_home/config.xml) did the trick (i.e. it restored the login page, which was gone for good after I changed <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity>; restoring it to true later did not restore the status quo as expected):
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
Side note: the lock-out happened in my case when I switched from BasicAuth to OAuth, forgetting to add a new user to the internal users database managed by Jenkins (one that would match the GitHub username).
I faced the same issue too, but later I could figure it out.
We need to remove the / at the end of the line below.
<securityRealm class="hudson.security.SecurityRealm$None"/>
It should be <securityRealm class="hudson.security.SecurityRealm$None">
This has worked for me.
I need to set the flags to enable the default redirect_uri behavior for keycloak 19.0.3-legacy.
However, nothing I've tried so far has worked.
We're using the standalone-ha.xml configuration file. (Not sure if this could be the right place to configure this.)
I need to set the following flags:
spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
https://www.keycloak.org/docs/19.0.3/upgrading/#openid-connect-logout-prompt
https://www.keycloak.org/docs/latest/upgrading/#openid-connect-logout
However, I run a standalone instance and don't run using kc.sh.
I've tried setting environment variables without success:
KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
LEGACY_LOGOUT_REDIRECT_URI=true
SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
I've also tried adding it to a config file, but it doesn't seem to have been picked up from where it was put in the Dockerfile.
Dockerfile:
COPY conf.d/keycloak.conf /opt/jboss/keycloak/conf/keycloak.conf
and
COPY conf.d/keycloak.conf /opt/keycloak/conf/keycloak.conf
keycloak.conf
spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
suppress-logout-confirmation-screen=true
legacy-logout-redirect-uri=true
I also tried adding it to the docker-entrypoint.sh parameters:
exec /opt/jboss/tools/docker-entrypoint.sh $@ -Dspi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true -Dspi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
--This one won't even start up. It fails stating that the parameters are invalid.
exec /opt/jboss/tools/docker-entrypoint.sh $@ --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
Update 1/24/23
Tried updating standalone-ha.xml, but it seems to have been ignored:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
<provider>
module:org.keycloak.storage.ldap.LDAPSyncOnly
</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
<theme>
<staticMaxAge>2592000</staticMaxAge>
<cacheThemes>false</cacheThemes>
<cacheTemplates>false</cacheTemplates>
<welcomeTheme>${env.KEYCLOAK_WELCOME_THEME:keycloak}</welcomeTheme>
<default>${env.KEYCLOAK_DEFAULT_THEME:keycloak}</default>
<dir>${jboss.home.dir}/themes</dir>
</theme>
... Bunch of other spi tags. ...
<spi name="login-protocol">
<provider name="openid-connect" enabled="true">
<properties>
<property name="suppress-logout-confirmation-screen" value="true"/>
<property name="legacy-logout-redirect-uri" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
Useful links:
https://github.com/keycloak/keycloak/blob/10b7475b0431ed380d45b840578bc666ecb3263a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java#L106-L121
Shows the warning message that will print to the logs if this is set correctly.
https://www.keycloak.org/server/configuration#_example_configuring_the_db_url_host_parameter
Shows alternate ways to configure keycloak.
https://github.com/keycloak/keycloak-containers/tree/19.0.3
https://quay.io/repository/keycloak/keycloak?tab=tags
We figured it out.
By adding the following CLI commands, we can properly update the high-availability config file to enable the legacy flag.
embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=keycloak-server/spi=login-protocol:add
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:add(enabled=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.legacy-logout-redirect-uri,value=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.suppress-logout-confirmation-screen,value=true)
stop-embedded-server
I don't know why this worked but manually editing the standalone-ha.xml config didn't.
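An added check, not from the original thread, for confirming that the two flags actually landed in standalone-ha.xml after the CLI run: it looks the properties up under the keycloak-server subsystem namespace, which a plain text search would not distinguish from a fragment pasted under the wrong xmlns or into the wrong file. The sample file is constructed and reduced to the relevant subsystem; the outer elements are simplified.

```python
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak-server:1.1"
NS = {"kc": KC_NS}
# The two flags from the question and the values the thread expects.
WANTED = {"legacy-logout-redirect-uri": "true",
          "suppress-logout-confirmation-screen": "true"}

# Constructed sample: a standalone-ha.xml reduced to the keycloak-server subsystem.
SAMPLE_OK = f"""<server>
<profile>
<subsystem xmlns="{KC_NS}">
<spi name="login-protocol">
<provider name="openid-connect" enabled="true">
<properties>
<property name="suppress-logout-confirmation-screen" value="true"/>
<property name="legacy-logout-redirect-uri" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
</profile>
</server>"""

def login_protocol_properties(xml_text):
    """Collect name -> value for the openid-connect provider properties, namespace-aware.

    Accepts either the whole <server> file or just the <subsystem> fragment.
    """
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{KC_NS}}}subsystem":
        subsystems = [root]
    else:
        subsystems = root.findall(".//kc:subsystem", NS)
    path = ("kc:spi[@name='login-protocol']/kc:provider[@name='openid-connect']"
            "/kc:properties/kc:property")
    found = {}
    for sub in subsystems:
        for prop in sub.findall(path, NS):
            found[prop.get("name")] = prop.get("value")
    return found

def missing_legacy_logout_flags(xml_text):
    """Names of the WANTED flags that are absent or not set to the expected value."""
    have = login_protocol_properties(xml_text)
    return sorted(name for name, value in WANTED.items() if have.get(name) != value)
```

An empty list from missing_legacy_logout_flags means the file on disk matches what the CLI session wrote; anything else names the flag still to fix.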
Jenkins 2.263.1 (LTS) deployed through Tomcat on CentOS 8.2, with an Nginx reverse proxy running in front of Jenkins.
Under Manage Jenkins > Configure System, Apply and Save are not working. Due to this error I cannot Apply or Save any of my configurations; it always shows the error below in the browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize
it. Apache Tomcat/9.0.30
Also under Jenkins > Manage Jenkins > Configure Global Security, Apply works, but Save does not; it too results in the same error given above.
System log error message:
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter
doFilter No valid crumb was included in request for
/jenkins/configSubmit by ankit.sahu. Returning 403.
Workarounds tried:
1) Under Configure Global Security > CSRF Protection > Enable proxy compatibility (ticked Enabled). Didn't work, so disabled it with the command below.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin.
Enabled this plugin and unchecked "Check the session ID" in its configuration (under Jenkins Configure Global Security).
4) Restarted Jenkins.
Even tried adding the below to the /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However, I am still experiencing the same problem. I don't know how to fix it. Can someone help me?
You can (temporarily) disable CSRF with the Groovy script below. Go to Manage Jenkins >> Script Console, then execute it.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure that Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)
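An added example (not from the thread, and not jenkinsapi's own code) of what useCrumb=True amounts to: fetch the crumb from /crumbIssuer/api/json and send it back in the same session. The default crumb issuer ties the crumb to the session ID, so a crumb fetched in one session and replayed in another draws exactly the 403 above. The crumb JSON sample is constructed; the URL and credentials are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Constructed sample of what /crumbIssuer/api/json returns; the field name is the
# default issuer's, the crumb value itself is made up.
SAMPLE_CRUMB_JSON = ('{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
                     '"crumb":"0123456789abcdef","crumbRequestField":"Jenkins-Crumb"}')

def crumb_header(crumb_json):
    """Turn the crumbIssuer JSON body into the single request header Jenkins checks."""
    data = json.loads(crumb_json)
    field, value = data.get("crumbRequestField"), data.get("crumb")
    if not field or not value:
        raise ValueError("crumb response lacks crumbRequestField or crumb")
    return {field: value}

def basic_auth_header(user, password):
    """HTTP Basic credentials, as jenkinsapi sends them for username/password."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

class JenkinsSession:
    """Fetch the crumb and POST through one cookie jar, so both requests share a session."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        self.auth = basic_auth_header(user, password)
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _open(self, path, data=None, extra=None):
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers={**self.auth, **(extra or {})})
        with self.opener.open(req) as resp:  # the 403 from the question raises HTTPError here
            return resp.read().decode()

    def fetch_crumb(self):
        return crumb_header(self._open("/crumbIssuer/api/json"))

    def post_form(self, path, form):
        """POST a form (e.g. /configSubmit) with a crumb issued to this same session."""
        body = urllib.parse.urlencode(form).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", **self.fetch_crumb()}
        return self._open(path, data=body, extra=headers)

if __name__ == "__main__":
    # Placeholder URL and credentials; replace with your own before running.
    session = JenkinsSession("http://jenkins.example.invalid/jenkins", "admin", "password")
    print(session.fetch_crumb())
```

If the crumb is still rejected with the session preserved, the reverse proxy is the next suspect: the RemoteIpValve answer above covers that side.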
I've just installed the latest version of Jenkins and enabled the so-called "Project-based Matrix Authorization Strategy".
I have added a few users with all privileges and some of them can see the "Manage Jenkins" option after logging into Jenkins, but there are people who can log in but can't see this option.
Really strange behavior. I have checked the configuration in jenkins.xml but it seems ok. Do you have any idea what can be an issue?
Thank you for any suggestions,
Foxrafi
Try using the link https://<JENKINS_URL>:8080/manage; it loaded the Manage Jenkins option in the UI for me.
OS: CentOS
Java Version: 1.8
It seems the permissions in config.xml are case-sensitive. So when there is an entry such as:
<permission>hudson.model.Item.Build:mysuperuserlogin</permission>
and you log in using LDAP authentication with this variant of the password, MySuperUserLogin, you will be able to log in successfully but you won't be able to use the permission.
Looks like your authorizationStrategy has been updated.
Step 1: Open your config.xml file in any editor:
sudo vim /var/lib/jenkins/config.xml
Step 2: Search for the authorizationStrategy tag inside the XML file and change the value to:
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
Step 3: Restart Jenkins:
sudo systemctl restart jenkins
Try to log in now!
Here is the default XML file of Jenkins, so you can cross-check your other configurations:
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<disabledAdministrativeMonitors/>
<version>2.277.2</version>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>false</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<clouds/>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<views>
<hudson.model.AllView>
<owner class="hudson" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
<primaryView>all</primaryView>
<slaveAgentPort>-1</slaveAgentPort>
<label></label>
<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
<excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</crumbIssuer>
<nodeProperties/>
<globalNodeProperties/>
</hudson>
I am only allowed to work with the command line terminal on Ubuntu.
I need to create a job in Jenkins with security credentials.
I already installed Jenkins on my machine, but the access is open. If I set up security credentials on Jenkins, how can I specify these on the command line?
Follow these steps:
Generate a public ssh-key in the user you want to work with from the command line:
ssh-keygen
Just press enter whenever you are asked to enter some value.
Copy the content of the file ~/.ssh/id_rsa.pub.
Go to your Jenkins home screen in a browser and log in with a user with full access. Then click on Users on the right, and then on the user you are currently logged in with. Then click on settings (or configuration??).
In the field SSH public keys paste the content of the id_rsa.pub file. Save the changes.
And that's all! Now you are able to work with jenkins from the command line.
From the command line
The following is the configuration file of my Jenkins main user (with all the privileges). Pay attention to the setting <authorizedKeys>. You should paste the public SSH key there. I haven't done that myself, but surely if you add the necessary lines to your config file it works. The file is in /path_to_jenkins/users/user_name/config.xml
<?xml version='1.0' encoding='UTF-8'?>
<user>
<fullName>admin</fullName>
<description></description>
<properties>
<jenkins.security.ApiTokenProperty>
<apiToken>pP08W9tzs2jlCrVCY9I2o6y2RNu3Huw85Y2f99/Uif7dia1W7piGpzsrpstln/jw</apiToken>
</jenkins.security.ApiTokenProperty>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials#1.4">
<credentials/>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.tasks.Mailer_-UserProperty plugin="mailer#1.4">
<emailAddress>admin@mail.com</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<hudson.model.MyViewsProperty>
<primaryViewName></primaryViewName>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>Alle</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>1DF2ykjkkkjkkQXW</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<authorizedKeys>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4P1b/5RpibQgDZpKPD7lTQLjtyMrIQH43ns62PO72koL9zJe6qrAYcTIDNOUvSYNYyKfrgt6Z5zB8MvvENQLWezDKTWNXINhZml0PxOlc9ZaHbQX6UqyFbTS6o+ZEGs+K92Yi/XwK5hTmN5Igsw5BQYEs5cOsd5H2PoEZdhK1X0XAEBX/+p6aNy585+/scgZj0jSIvcX+pnzsCJLKmeYadlLnbrvebf9u6pu8MI9RuAY5dvPfpSL4WynWwS1QvY4z535TqPaaAlM3qXqH0pcOlxgW1iUkJqti3JnnxpBNXLmXalmq+4/d7mUrRBx+HKbh5ZpNZad9vaelAjAsNg+uw== user@machine_name</authorizedKeys>
</org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<hudson.search.UserSearchProperty>
<insensitiveSearch>false</insensitiveSearch>
</hudson.search.UserSearchProperty>
</properties>
</user>
I just changed the starting prompt location to the folder in which the jar file is located. For example, if your jar file's location and name is:
C:\Users\Tod\file.jar
you can do two commands:
cd C:\Users\Tod
java -jar file.jar
I am trying to set up Openbravo in an Eclipse environment with the above URL.
Development stack setup is done successfully. (ANT, Java, Postgresql)
At the Openbravo source directory, when I apply the command
ant install.source
the build fails due to these errors:
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/build.xml:480: The following error occurred while executing this line:
480 <ant dir="${base.src}" target="compile.complete.development" inheritAll="true" inheritRefs="true" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:874: The following error occurred while executing this line:
874 <jvmarg line="${env.CATALINA_OPTS}" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:880: Directory
880 <jvmarg value="-Djava.io.tmpdir=${env.CATALINA_BASE}/temp" />
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Any help would be appreciated. Thanks.
Sounds like a permission problem.
See the related section 'Permission issues' in the Openbravo wiki.
EDIT
For the remaining issues, I believe the properties base.src, CATALINA_OPTS and CATALINA_BASE are not set properly. Check this via:
<echo>
$${base.src} => ${base.src}
$${env.CATALINA_OPTS} => ${env.CATALINA_OPTS}
$${env.CATALINA_BASE} => ${env.CATALINA_BASE}
</echo>
or simply output all available properties using:
<echoproperties/>
Also consider that before using ${env.whatever} you need to use:
<property environment="env"/>
first!
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Give the permission to webapps folder
sudo chmod -R 777 /var/lib/tomcat6/webapps/
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not
successful for an unknown reason
It seems to be a permission problem. It is important to always use the correct user account to start / stop Tomcat!
Conceptually there are two user accounts involved in working with Openbravo:
command-line user used to work with files & compile Openbravo
user account used by Apache Tomcat service
There are several overlapping areas in which one of the accounts needs to access and modify files from the other account in both directions.
To avoid any problems, Openbravo strongly recommends running Apache Tomcat services with the same user account that is used on the command line, as that way the above topic is solved easily.
source: http://wiki.openbravo.com/wiki/Installation/Custom/Apache_Tomcat