Jenkins authorization and access control

1. Jenkins authorization and access control
By default, Jenkins does not contain any security checks. Anyone can modify Jenkins settings, job, and start build. Obviously, when a large company needs multiple departments to coordinate their work together, no security check will cause many problems. We can enhance Jenkins security through the following two aspects:
1) security realm is used to determine the user name and password and specify the group to which the user belongs;
2) Authorization strategy is used to determine the user's access permissions to those resources;

Under manage Jenkins-> Configure system-> enable security, you can see that Jenkins's authorization and access control can be enhanced in multiple ways.

 

 

 

2. Create an administrator account + anonymous read-only

Set an administrator account to manage Jenkins settings, modify jobs, and execute build. Other anonymous users only have read-only permissions. They cannot modify Jenkins settings, modify jobs, and run build. However, they can access build structures and view build logs.

1) Add the following startup parameters to Jenkins to create an Administrator Account:
Java-jar Jenkins. War -- argumentsrealm. passwd. User = password -- argumentsrealm. roles. User = Admin

For example, set the administrator user to Jenkins and the password to swordfish, as follows:
Java-jar Jenkins. War -- argumentsrealm. passwd. Jenkins = swordfish -- argumentsrealm. roles. Jenkins = Admin

2) After starting, You need to select enable security in manage Jenkins-> Configure system, then select delegate to servlet container for security realm, and select legacy mode for authorization.

3) then, you can click Login or http: // yourhost/Jenkins/loginentry in the upper right corner to log on. After logon, you have the administrator privilege and can perform any operations. After the operation is completed, you can select logout.

4) Add the rebuild permission to developers. Log on to the job that requires developer rebuild as an administrator, select trigger builds remotely, and set authentication token. For example, set it to devbuild, And Then developers can access HTTP: // jenkinshost/job/project/build? Token = token to start build.
Project is the job you need to start build.
Here, token is the authentication token you set.
If you have a webserver, you can create the following webpage for developers to start build:
<H1> Jenkins Force build page <Ul>
<Li>
<A href = "http: // Jenkins: 8080/job/Foo/build? Token = build "> Force build of Project Foo on Jenkins </a>
</LI>
</Ul>

3. Use the Jenkins database to manage users and set their Access Permissions

1) Under manage Jenkins-> Configure system-> enable security, select Jenkins's own user database for security realm and make sure that allow users to sign up is selected, select matrix-based security for authentication. As follows:

2) create the first Administrator Account Jenkins on the signup page as follows:

 

3) In addition to the first account, the signup account requires the Administrator to assign permissions to the read-only account. For example, you can use signup to create the dev account and assign permissions so that Dev can start the build of the job. As follows:

 

Note:

You can view and modify the permission settings of all users in % jenkins_home % \ config. XML, but restart jenkins After modification.

 

 

Refer:

Https://wiki.jenkins-ci.org/display/JENKINS/Quick+and+Simple+Security
Https://wiki.jenkins-ci.org/display/JENKINS/Standard+Security+Setup