Immediately after installation, Jenkins will allow anyone to run anything as user jenkins, which is bad. This page shows you how to set up basic security using the Configure Global Security page. The Configure Global Security page has two sections in which you:
Security Realm

First, establish the user authentication method. For smaller, more informal installations, you can use Jenkins' own user database. For enterprise installations, you will want to use your corporate service, which allows users to log in to Jenkins with their usual username and password.

Jenkins' Own User Database

This is the simplest authentication scheme--Jenkins maintains its own independent user database. People can sign up for their own accounts, and you as the administrator decide who can do what in Jenkins.

Active Directory On Linux Server

If Jenkins is running on a Windows server then it is better to install the Active Directory plugin. On a Linux host you have the option of using either the Active Directory plugin or LDAP-based authentication. To configure LDAP to work with Active Directory, provide the following:
Note that the correct Manager DN value can vary greatly depending on your Active Directory setup.

UNIX NIS

To set up Network Information System:

LDAP

See LDAP Plugin. Then continue with Authorization, below. In particular, do not forget to press the Save button at the bottom of the page.

Authorization

The Authorization section of the Configure Global Security page allows you to configure what users are allowed to do once authenticated.

Matrix-based Security

Matrix-based security offers the most precise control over user privileges.
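
To check the outcome of the setup described above, this added example (not part of the original page or of Jenkins) audits a constructed config.xml for the conditions the page warns about. It assumes the element names and permission ids Jenkins writes to $JENKINS_HOME/config.xml for its own user database and the matrix strategy; the finding codes and sample user names are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of $JENKINS_HOME/config.xml; user names are made up.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
    <permission>hudson.model.Item.Configure:anonymous</permission>
    <permission>hudson.model.Item.Build:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

ADMINISTER = "hudson.model.Hudson.Administer"
# Permissions that only let a visitor look, not change or run anything.
READ_ONLY = {"hudson.model.Hudson.Read", "hudson.model.Item.Read",
             "hudson.model.View.Read"}

def parse_matrix(root):
    """Return {sid: set(permission ids)} from the matrix <permission> entries."""
    grants = {}
    for node in root.findall("./authorizationStrategy/permission"):
        entry = (node.text or "").strip()
        # Newer matrix-auth releases prefix each entry with the sid type.
        entry = re.sub(r"^(USER|GROUP|EITHER):", "", entry)
        perm, _, sid = entry.partition(":")
        if perm and sid:
            grants.setdefault(sid, set()).add(perm)
    return grants

def audit(config_xml):
    """Return a list of (code, detail) findings for one config.xml string."""
    # Drop the XML declaration: some Jenkins versions declare XML 1.1,
    # which Python's expat-based parser does not accept.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml))
    if (root.findtext("useSecurity") or "").strip() != "true":
        return [("SECURITY_OFF", "anyone can run anything as user jenkins")]
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        return [("UNSECURED", "every visitor has full control")]
    findings = []
    grants = parse_matrix(root)
    extra = sorted(grants.get("anonymous", set()) - READ_ONLY)
    if extra:
        findings.append(("ANON_WRITE", ", ".join(extra)))
    # A matrix without any administrator locks everyone out of the settings.
    if "Matrix" in cls and not any(ADMINISTER in p for p in grants.values()):
        findings.append(("NO_ADMIN", "no user or group holds Administer"))
    realm = root.find("securityRealm")
    # Assumption: a missing <disableSignup> element means sign-up is allowed.
    signup_open = (realm is not None
                   and realm.get("class", "").endswith("HudsonPrivateSecurityRealm")
                   and (realm.findtext("disableSignup") or "false").strip() != "true")
    risky = sorted(grants.get("authenticated", set()) - READ_ONLY)
    if signup_open and risky:
        # Anyone who can reach the sign-up page inherits these permissions.
        findings.append(("SIGNUP_GRANTS", ", ".join(risky)))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```
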
If you set up a service like NIS, Active Directory or LDAP, you can now log in to Jenkins using your network credentials. If you are using Jenkins' own user database, create a user account for yourself:
If everything works smoothly, you are now logged on as yourself with full permissions. If something goes wrong, follow this to reset the security setting.

TBD

More docs to come. Suggestions on what needs to be written are greatly appreciated.
Standard Security Setup

Comments (30)
Feb 08, 2008
Anonymous says:
More info on how to create and manage groups of users would be great. There also doesn't seem to be a way of telling what users have registered apart from looking at the filesystem.
Sep 01, 2008
Alvin Chang says:
One has to add groups prefixing with "ROLE_" (without quotes). I'm using OpenLDAP as its backend.
Mar 07, 2011
Christian Höltje says:
Just to be clear, the full format is "ROLE_" + (cn.toUpper()) .... right?
How do you deal with spaces? I have a group with a CN of "Some Group". I don't seem to be able to get "ROLE_SOME_GROUP" nor "ROLE_SOME GROUP" to work.
Sep 20, 2008
Jojo Paderes says:
I just downloaded v1.252 and tried out this guide for setting up the admin account. Logging in using the newly created admin account will cause an NPE:
The workaround to this bug is to restart the server. This however will be a pain for every new user added to the application.
Oct 10, 2008
Jojo Paderes says:
This issue was fixed already in v1.253. See issue 2376.
Oct 14, 2008
robcranfill - says:
Funny. I'm running 1.255 and get what looks to be the same error (albeit with a slightly different line number, as is to be expected):
SEVERE: Servlet.service() for servlet Stapler threw exception
java.lang.NullPointerException
at hudson.security.HudsonPrivateSecurityRealm.createAccount(HudsonPrivateSecurityRealm.java:131)
at hudson.security.HudsonPrivateSecurityRealm.doCreateAccount(HudsonPrivateSecurityRealm.java:86)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
I will poke around some more and submit a bug report if warranted...
- rob
Nov 02, 2008
haiko - says:
I got the same NPE when logging in with a newly created user. I am running version 1.258. I had this in the logs
Nov 21, 2008
Grégory Joseph says:
Is there a way, with the per-project matrix-based security, to "hide" certain jobs from the anonymous user? It seems the "read" permission is global and can't be refined per-job?
Dec 15, 2008
Steve Owens says:
I'm not sure if this is the right place for this, but I'm trying to set up matrix-based security in Hudson 1.261 running on Java 1.6, with the ability for the users to create their own accounts. When I reboot the server, I can get to the page that allows me to create an account, but the captcha image just displays the missing image icon. Is there anything simple I should be looking for to debug this?
I'm also trying to work this by adding the accounts in myself, but I can't seem to find instructions on how to add a user manually. Am I missing a page on this wiki?
Other than that I'm very impressed with the level of functionality Hudson provides. Hopefully I can get to the point of contributing to the project sometime in the future.
Apr 17, 2009
Bartek Kuczynski says:
I use Hudson 1.299 with per-project matrix-based security. I have some questions:
1. How to add a user to a group?
2. How to add an owner to a project?
3. Is there any possibility to create a configuration so that only the owner (and admin) can see a job?
May 22, 2009
Chris Hines says:
Looking at the Hudson source code circa 1.306, user groups are only supported by the LDAP and Unix Security Realms.
Sep 21, 2009
Wolfgang Hauser says:
Since version 1.323 we can't log in from Internet Explorer version 6 (unfortunately still our company default).
Using Firefox or Iceweasel (3.0.14) the login works.
On IE 6 we don't get the username; the "Login" text always appears in the upper right corner.
We get no "start build" or administration rights after a login attempt that doesn't report errors to the browser.
Our security settings:
Any ideas?
On stdout (Debian lenny) we got this:
Sep 21, 2009 2:54:02 PM hudson.ExpressionFactory2$JexlExpression evaluate
WARNING: Caught exception evaluating: h.hasPermission(it, permission). Reason: java.lang.NullPointerException
java.lang.NullPointerException
at hudson.security.AuthorizationStrategy.getACL(AuthorizationStrategy.java:102)
at hudson.model.View.getACL(View.java:269)
at hudson.model.View.hasPermission(View.java:277)
at hudson.Functions.hasPermission(Functions.java:581)
at sun.reflect.GeneratedMethodAccessor60.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.commons.jexl.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:258)
at org.apache.commons.jexl.parser.ASTMethod.execute(ASTMethod.java:104)
at org.apache.commons.jexl.parser.ASTReference.execute(ASTReference.java:83)
at org.apache.commons.jexl.parser.ASTReference.value(ASTReference.java:57)
at org.apache.commons.jexl.parser.ASTReferenceExpression.value(ASTReferenceExpression.java:51)
at org.apache.commons.jexl.ExpressionImpl.evaluate(ExpressionImpl.java:80)
at hudson.ExpressionFactory2$JexlExpression.evaluate(ExpressionFactory2.java:72)
at org.apache.commons.jelly.expression.ExpressionSupport.evaluateRecurse(ExpressionSupport.java:61)
at org.apache.commons.jelly.expression.ExpressionSupport.evaluateAsBoolean(ExpressionSupport.java:71)
at org.apache.commons.jelly.tags.core.IfTag.doTag(IfTag.java:41)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.kohsuke.stapler.jelly.CustomTagLibrary$StaplerDynamicTag$1.run(CustomTagLibrary.java:147)
at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.tags.core.IfTag.doTag(IfTag.java:42)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.kohsuke.stapler.jelly.CustomTagLibrary$StaplerDynamicTag$1.run(CustomTagLibrary.java:147)
at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
at org.kohsuke.stapler.jelly.CompressTag.doTag(CompressTag.java:21)
at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:29)
at org.kohsuke.stapler.jelly.JellyClassTearOff.serveIndexJelly(JellyClassTearOff.java:43)
at org.kohsuke.stapler.jelly.JellyFacet.handleIndexRequest(JellyFacet.java:83)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:476)
at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:309)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:487)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:403)
at org.kohsuke.stapler.Stapler.service(Stapler.java:116)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
at winstone.ServletConfiguration.execute(ServletConfiguration.java:249)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:335)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:378)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:94)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:86)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:47)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:155)
at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
at java.lang.Thread.run(Thread.java:619)
Jan 19, 2010
ujjawal says:
Any inputs on running a shell script as root? My script needs root privileges. How can I configure Hudson for the unix root user?
Feb 08, 2010
Gaurav Tiwari says:
I have to manage authentication for Hudson using multiple LDAP domains. Although I can mention them all in the server field, separating them with commas, the problem I have is that the functional user account (bind DN or manager DN) we would need to access those servers would be different for each domain.
Is there a way to ensure LDAP authentication of this kind?
Apr 28, 2010
Jean-Luc Pinardon says:
Please, it would be very interesting to list the LDAP attributes Hudson needs. In the case of a corporate LDAP directory, with a centralized IS/IT team, there is often a web interface for asking rights and information to connect an application with the LDAP server. And the list of attributes can be required.
May 18, 2010
Akiko Takano says:
I hope to use multiple authentication sources, for example, both the Hudson native database and LDAP.
I'm afraid that I can't log in when my LDAP is down, so I hope to have an emergency account or a dedicated account for some tasks.
How about?
May 19
Stephanie Campbell says:
We are trying to do this too. Did you come up with a solution?
Sep 07, 2010
gissur - says:
We had some problems with SVN and the post-commit hook to trigger builds. It forced us to allow 'Job-read', 'Job-build' and 'Overall-read' permissions to Anonymous for registering SCM Polling to projects.
I would love to have a single check-box for allowing anonymous to poll for builds alone OR some way to add authentication into polling from the subversion server (I suspect it's possible by wget, but I haven't experimented with it and I didn't find any documentation describing this scenario).
Nov 11, 2010
rodrigolopes - says:
I'm running Hudson v.1384 on a Windows Server 2003 machine. If I enable security, with any strategy (I've tried "Hudson's own user database", "Delegate to servlet container" and the Active Directory plugin), the login works fine, but it's immediately timed out and I have to log in again. The steps are:
Any help?
Jan 18, 2011
Jeff Heckel says:
With matrix or project based security, is there an environment variable that I can access to get the user logged in?
Jul 20, 2011
p ath says:
Hello. What I want is to have some accounts that have all rights in Jenkins, and I have set that up OK. But I also want the anonymous user to be able to VIEW the configuration of jobs but NOT be able to edit them. How can I do that? Thank you.
Jul 06, 2012
jaron Sampson says:
I am running Jenkins 1.472 on a 2.6.32-220.13.1.el6.centos.plus.x86_64 host. When I enabled jenkins-own-db-based, per-job, matrix based security, the global security matrix includes a "workspace" option, as well as several other columns not documented here. As this guide advised, I gave the anonymous user only job:read permissions, but I am getting errors because... javax.servlet.ServletException: hudson.security.AccessDeniedException2: anonymous is missing the Workspace permission.
While I am betting that I can make this error go away by checking the workspace checkbox for the anonymous user, I would like to know what I am enabling :)
Is there a more up-to-date source of information on what the current columns in the matrix mean? My security matrix has the following columns:
Thank you, Jaron
Feb 27, 2013
David Walend says:
Some information about when to check "Prevent Cross Site Request Forgery exploits" would help.
Feb 27, 2013
Christian Höltje says:
... and when not to!
Mar 21, 2013
Gavin Swanson says:
For the user and group search base, only enter the 'cn=users' part, not the fully qualified 'cn=users,dc=example,dc=com'. Jenkins adds the dc parts to it on its own.
Apr 05, 2013
Alexander Artemov says:
When I add an existing group, it isn't recognized as a group - I can see a picture with a user.
Can anybody help with solving this problem?
Apr 05, 2013
Alexander Artemov says:
And you don't need to use "ROLE_" prefix to specify a group.
Oct 23, 2013
System Administrator says:
deleted
Jun 08, 2014
Yuanjie Li says:
Good Day Everyone
I just set my Jenkins up on my CentOS server,
and I followed the "Standard Security Setup",
but when I added a new user I ran into the problem shown in the pic below.
And when I saved the configuration, it asked for my username and admin, but there was nowhere to sign up,
and the user I created cannot be used...
I have changed the config.xml several times and tried again and again, but it didn't make sense.
Is there anyone who can help?
Looking forward to hearing from you.
Best Regards
Dec 10
Bryan Dixon says:
I can't get a group added to matrix security. I've tried entering the exact group name, prefixing the group name with ROLE_ and having it all uppercase but it is always displaying on the matrix area with an icon that is a red circle with a white minus sign. I've used the whoami page to see the groups that Jenkins has found for me using LDAP and entered groups on that page but still no luck.