anonymous access to jenkins workspaces - jenkins

I am using Jenkins installed on CentOS release 6.3 and Jenkins 1.474. I am using Project-based Matrix Authorization Strategy so that only users in specific AD groups are allowed to log in to Jenkins and view particular jobs.
However I am trying to give anonymous access to workspaces for jobs so I can do a wget and specify the http URL. This is so the hosts I am managing via Jenkins can get certain hosts.
I have added Anonymous to the Project-based Matrix Authorization Strategy section and ticked workspaces but this isn't working. When doing a wget I can access forbidden and when I put the URL in to a browser, I am asked to login. I have also configured Anonymous to have access to the workspace on the job itself, but still get access forbidden.
Has anyone got any ideas as to why his is not working?

We are using Jenkins version 1.475
We have the following enabled for anonymous access:
Overall:
Read -> Enabled
Job:
Read -> Enabled
Workspace -> Enabled
This allows access to anonymous users to view the Dashboard and the Jobs and also to the workspace...

As of Jenkins ver. 1.609.1, the changes can be made under
Configure Global Security | Configure Global Security (or htTps://<your jenkins host>/configureSecurity/).
Similar to sdmythos_gr's answer just set Overall Read and Job Read for Anonymous.

Related

Jenkins Plugin Development - how to log in as a user

I'm trying to work on a plugin for Jenkins that requires access to the logged in user. It appears that when i'm running the mvn hpi:run, the Jenkins server that is spun up appears to have a user called 'Anonymous' without the option to login/logout etc.
As per the documentation on developing a plugin, i'm using the following settings export MAVEN_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,address=8000,suspend=n". Is there any way to enable user authentication on this spun up Jenkins Server?
This ended up being more of an administration task. Had to manually allow authentication on the server (i got a warning on the Manage Jenkins page). This allowed me to create users.

jenkins slave runs as user

I have a jenkins setup with multiple users which are logging in with Active Directory plugin. This is useful so that each user can access his own tasks.
However each user also has different permissions on the local network, such as access to different folders etc. I have noticed that the permissions given to each task is not linked to the user but to the account under which the slave is running as service. Is there a way to change that so that the task is executed on the slave under the credential (and hence permissions) of the user?
Thank you
The problem is: there is only one slave process running the different job assigned to that server by the Jenkins master.
So the slave itself runs as one user (generally, a dedicated account or a system account).
Since you can get the user id as environment variable (with a plugin like JENKINS Build User Vars Plugin), you might consider configuring the job in order for it build step to "run as" the user who triggered the build.
See for instance the JENKINS Authorize Project plugin.
However, as mentioned this answer:
The "Authorize Project" plugin does not change the OS level user that is running commands.
It only sets the Jenkins user that is running the job and any downstream jobs, using Jenkins authentication (whatever it might be).
So you are left with build step with runas or su -c commands in order to be sure that your task does run with the right user.
I had the similar issue and I can recall for managing more control on projects I used role strategy plugin and setup global security using LDAP servers (Active directory should also be ok).
And I used authorized project plugin.
Have a look and I hope it should solve your purpose. Let me know on comment section for any clarification.
you can partially fix your problem this way:
install the slave as a service using the Java Web Start method and JLNP
go to Services control panel in windows
under Properties -> Connection replace the local system connection with a specific user
rebooted the service
This at least gives you the ability to use one account instead of system.

How to allow only specific credential for project in jenkins?

I need to prevent using credentials by every projects. I.e. test1 project should be able to access only test1-cred and only if it is started by user1 from Gitlab or directly in Jenkins. Also this should be supported by Jenkins declarative pipeline. If you use specific credentials in Jenkinsfile which are not allowed for current project - Jenkins shouldn't allow to use them.
How can I implement such a behavior?
As far as I know there are three common places to configure credentials in Jenkins: by user, by folder or globally
It seems that the folder plugin would suit your use case. It allows to organize your projects in folders. For each folder you can configure access rights and credentials.
More informations on credentials: https://plugins.jenkins.io/credentials

How to set 'UpdateCauses ' user permission on Jenkins

I am trying to use the build failure analyzer plugin for Jenkins.
https://wiki.jenkins-ci.org/display/JENKINS/Build+Failure+Analyzer
In the documentation it says
The link is shown only if the permission UpdateCauses is set for the current user.
But it doesn't give any information on how what that is or how to set it.
I'm the only user for my Jenkins.
Thanks!
Go to Manage Jenkins > Configure Global Security and under the Access Control section on Authorization there will be the users and their permissions (if you use matrix base security) you will see the Build Failure Analyzer permissions:
So short answer, you configure the plugin permissions using Jenkins configurations.

How can we execute Jenkins job using other user credential

I need to execute few of the Jenkins jobs such as "Release to Production" through Jenkins UI using logged on user credential. The reason is, we have separate Support Team Members, who have access to the production boxes and not the Dev team members. So, in order to deploy any code base to production, all the Windows Deploy Commands (ex, create, update files, folder etc.) needs to be run with specific user credential who has access to the Production Box. So that even the Dev team members who don't have access to the Production box but are Jenkins Admin, execute the same job should result in failure due to "Access Denied". The job should succeed only if its been run by Support Team members with their credential.
I tried using parameterized plugin but couldn't able to pass the Password successfully to the batch file which contains MSDeploy instructions. Even the Jenkins console log displays the parameter passed in its console output, which is a security issue.
I checked Role based security plugin, but that doesn't help me much. I just need a plugin which should ask for user to provide their credential before start building the Job and should use the user credential to get the job executed, so that my MSDeploy command will be able to deploy the code on Production boxes, when the Support team member build that Job using their credential. I wish there was support for impersonation.
Right now all the Jenkins Jobs are getting executed using the service account which the Tomcat service is configured to run with on which Jenkins is hosted.
Any help would be appreciated.
Just in case there is any confusion a Jenkins job will always run as the same OS user. The Matrix based security applies to users who log into the Jenkins server and controls features like creating or launching jobs.
You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job.
Perhaps a better approach would be to separate the process that builds the code from the one that deploys the code. The following diagram (Taken from the xebia-france project) demonstrates how some of my favourite tools Rundeck and Nexus can be integrated with Jenkins.
Finally, I highly recommend reading the following link:
Using Rundeck and Chef to build devops tool chains
Hi I know I'm coming late on this thread, but I just fell on this issue and had a hard time solving it, so I thought I might just share what I managed to set-up.
First things first: if you want to run a Jenkins job "as a specific user" (with all the correct habilitations) the easiest way is to run a Jenkins SLAVE as this user.
Then you might very well stumble into the following: you probably want to run serveral slaves on the same windows machine as windows services. This is very fine, as long as each slave has his own Remote root directory and probably have a specific "label" too.
Once you managed to run your slave as a windows service, launch the service console (run services.msc). Edit the newly created service properties, go to Log On tab. Select "Log on as: This account" and enter your account credentials.
Cheers :)
You can utilize the built in windows runas or Powershell InvokeCommand cmdlet and -Credential to run - Both these would store the username/password in plain text - So do think about the risks, but this gives you flexibility.
I'm surprised this doesn't have a better answer of set an agent on another machine to run as another service and define agent as a special "type" which picks up the jobs - Something along those lines is what I would expect but I haven't seen an implementation like that in Jenkins (I'm new to Jenkins so was looking for an answer and found this thread).
Something else that could be considered for someone more familiar with Jenkins is when you set the custom path to MSBuild could you set that to runas /user:... msbuild.exe perhaps? I don't have an extra Jenkins server currently to try that on.

Resources