15

We are running a Jenkins CI. Generally we would like to provide

  1. full access to authenticated users from particular group
  2. full-read access to anonymous users
  3. block anonymous users from accessing certain projects (completely)

We use Unix user/group database and Project-based Matrix Authorization Strategy. Points (1) and (2) work well but we are having trouble achieving (3).

We have tried:

  • in Global Security removing all rights from anonymous and then granting them in project-based security, but after that all anonymous requests (even to the main Jenkins page) yield the login page
  • in Global Security adding, in steps, the following rights: View-Read (didn't work), Job-Discover (didn't work), Job-Read (didn't work), Overall-Read - this last one seemed to work, however it gave the anonymous user too many rights and we weren't able to limit access to the particular project.

tl;dr

we want fully open (read-wise) Jenkins CI with a few projects completely hidden/blocked for anonymous.

Wojtek

2 Answers

21

OK, so I've managed to do it:

  • you need Role-based Authorization Strategy Plugin
  • enable this authentication strategy in Configure Global Security
  • in Manage and Assign Roles / Manage Roles create new role anonymous and authenticated for both global and project roles
  • in Global roles grant anonymous role right only to Overall / Read (this will at the very least give the anonymous user access to the main Jenkins screen with navigation and a link to the login page, not a login prompt immediately)
  • in Project role add anonymous role with regexp pattern that will match projects you want anonymous users to access and after adding this role grant it right to Job / Read and Job / Discover
  • navigate to Manage and Assign Roles / Assign Roles and assign Anonymous user group to anonymous role (and authenticated users to specific groups). SAVE
Jack Miller
Wojtek
  • A related gotcha is that the role strategy is case sensitive in matching user names. I had entered uppercase user names on the "Assign Roles" page. I logged in with lower case username and even though my username is displayed in uppercase, no roles matched my user. My allowable permissions fell back to that of anonymous user. If I log in with uppercase username, it works. – s_t_e_v_e May 23 '13 at 20:31
  • While this answer works, you never explained the purpose or configuration of the "authenticated" role. – Brad Wood May 30 '14 at 16:16
  • that's just a shortcut - it can be "anonymous" and "privileged"; I used "authenticated" because the subset of folks available to view and edit those particular hidden tasks would be equal to those that actually have the account. – Wojtek May 30 '14 at 19:56
  • This video helped me.. https://www.savjee.be/videos/get-started-with-jenkins/embeddable-build-status-badges/ – Anand Varkey Philips Nov 16 '18 at 08:05
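
An added example (not part of the original answer or comments) for checking a project-role regexp before saving it, so a hidden job is not exposed to the anonymous role by mistake. It assumes the plugin matches the pattern against the whole job name and case-sensitively, as Java's `Pattern.matches` does (modelled here with `re.fullmatch`); the job names, the `secret-` prefix and the function names are constructed for illustration.

```python
import re

# Constructed sample data: all job names, and the subset that must stay hidden.
JOBS = ["website", "docs-build", "secret-payroll", "secret-keys",
        "Secret-audit", "lib/core"]
HIDDEN = {"secret-payroll", "secret-keys", "Secret-audit"}


def visible_to_anonymous(pattern, jobs):
    """Return the jobs a project role with this pattern would cover.

    Assumption: whole-name, case-sensitive matching, so 'docs' does not
    cover 'docs-build' and 'secret-.*' does not cover 'Secret-audit'.
    """
    rx = re.compile(pattern)
    return [job for job in jobs if rx.fullmatch(job)]


def audit(pattern, jobs, hidden):
    """Report hidden jobs the pattern exposes and public jobs it misses."""
    visible = set(visible_to_anonymous(pattern, jobs))
    return {
        "leaked": sorted(visible & hidden),
        "blocked_public": sorted(set(jobs) - hidden - visible),
    }


if __name__ == "__main__":
    candidates = [
        "website|docs-.*|lib/.*",   # allowlist: name every public job family
        "(?!secret-).*",            # denylist: misses the capitalised job
        "(?i)(?!secret-).*",        # denylist with case-insensitive prefix
        "docs",                     # too narrow: whole-name match fails
    ]
    for pattern in candidates:
        print(f"{pattern!r}: {audit(pattern, JOBS, HIDDEN)}")
```

An allowlist pattern fails closed when a new hidden job is created under an unexpected name, while a denylist pattern exposes it until the pattern is updated.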
2

With the above https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin plugin

you DO NOT need to add the authenticated role in the Manage Roles page.

Screenshots: Manage Roles & Assign Roles