Permissions for Jenkins to allow post-receive hooks, yet block anonymous users

gitJenkins

I'm trying to disable Anonymous access to our Jenkins installation, but still allow Codebase Git to perform post-receive hooks to post to Jenkins, to allow it to trigger a build.

We're using Matrix-based security, and have allowed only the following permissions for Anonymous users:

Overall > Read
Job > Read
Job > Build

These are the minimum I have to activate in order to get Codebase posting the URL, otherwise I get access denied errors from Jenkins, the problem is, it allows anonymous users to browse our projects?

Is there a way to obscure this? I think it's really stupid that Jenkins needs Overall > Read access to allow the Job > Build permission to work.

Best Answer

This is how we do:

You can make a new user called github for an example and give it the same three permissions, then when you link to the build url you include the username and password in the url, like:

http://USER:PASS@jenkins_url/job/JOBNAME/build

This way you do not allow anonymous user access your Jenkins instance.

Related Solutions

Allow anonymous access to the job’s config.xml in Jenkins

You might be better just copying over all the job configs. These will be in $JENKINS_HOME/jobs - copy that whole directory to your new instance or, if you don't want the build history, just copy the job subdirectories and their config.XML files. Then restart Jenkins and you should be OK.

Setting up Github post-receive webhook with private Jenkins and private repo

Try using Apache as a proxy in front of Jenkins. I Use NameVirtualHost...

<VirtualHost>
  --Snip---    

<Proxy *>
      AddDefaultCharSet Off
      Order deny,allow
      Allow from all
     --snip-- #You can tighten this to only allow from GITHUB ips.
</Proxy>

    RequestHeader unset Authorization
    RequestHeader set Authorization "Basic [AUTHSTRING]"
    ProxyPass / [AJP|HTTP]://[JENKINS]:[PORT]/
    ProxyPassReverse / [AJP|HTTP]://[JENKINS]:[PORT]/

</VirtualHost>

I run Jenkins in a tomcat container and use AJP, so the var [AJP|HTTP] can be either for the proxy. The [JENKINS] and [PORT] variables should be intuitive.

Now the hard part, [AUTHSTRING]!

Take the USERNAME:PASSWORD part and run it through this command:

$ echo -n 'username:password' | base64
 dXNlcm5hbWU6cGFzc3dvcmQ=

(echo -n is important to remove the newline.) Take the result and put in [AUTHSTRING]

You should be able to remove the user:password from the line at github.

Best Answer

Related Solutions

Allow anonymous access to the job’s config.xml in Jenkins

Setting up Github post-receive webhook with private Jenkins and private repo

Related Topic