Anonymous Access to DEV@cloud Jenkins

Last modified by Jesse Glick on 2013/03/20 16:25

Unless you have a FOSS account, Jenkins instances on DEV@cloud are only accessible to users you have added to your CloudBees account. However, you may have jobs (or folders) which you want to make public. This page will show you how you can enable this.

Setting up Roles

You need to set up role-based access control to control who can see what in Jenkins.

First, go to Roles » Manage (https://youraccount.ci.cloudbees.com/plugin/nectar-rbac/manage/) in your Jenkins instance. By default, anonymous has no permissions whatsoever. Click the box under Overall/Read so that anonymous users can at least see the Jenkins instance without being taken to the login form.

(You can also give anonymous the Group/View and Role/View permissions while you are setting this up—it will make debugging issues easier. Generally you will want to turn these off later, though.)

Now you should decide whether you want everything public by default, possibly with some explicit exceptions you will manage; or everything private by default, with certain jobs (or folders) explicitly public.

Everything Public by Default

For this mode, also grant Job/Read to anonymous, and click Save. Then everything will be public by default.

If you want to hide a certain job (or folder), it is easy. Just select that job, go to Roles » Filter (/job/private%20stuff/roles/filter), and click Require explicit assignment next to anonymous. Now that job will be hidden from anonymous users. Authenticated users can still see it.

Everything Private by Default

For this mode, leave anonymous with just Overall/Read. Then anonymous users can open the Jenkins home page but it will appear to be devoid of jobs.

You do, however, need to define a role for people who can look at jobs. Next to Role to add, type view and click Add. In the new role’s row, grant Overall/Read and Job/Read. Click Save.

Now to expose a particular job (or folder), select that job and go to Groups » New Group (/job/public%20stuff/groups/newGroup). Enter a name such as viewers and click OK. Click the checkbox under Granted for your new view role (leave Propagates checked) and click Save. Now click Add user/group, enter anonymous, and click OK.

Flipping the Switch

So far we have configured role-based access control, but DEV@cloud Jenkins instances are by default set to bar anonymous users regardless of RBAC configuration. This is to prevent you from accidentally exposing proprietary files due to a casual mistake in RBAC configuration. To proceed, you must opt in. Go to Manage Jenkins » Configure System, click the checkbox next to Enable read-only access for anonymous users, and click Save.

Now your changes should be live. To check the anonymous experience, start a new private/incognito browser window (e.g. Ctrl-Shift-N in Chrome; equivalents exist for Firefox and Internet Explorer), and open your Jenkins instance. You should see Log In in the CloudBees toolbar at the top of the screen, but the Jenkins home page should appear, and your public jobs should be listed.
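The same check can be scripted so that it is repeatable after every RBAC change. The following is an added example, not part of the original page or of CloudBees' own tooling: it asks the Jenkins remote API (/api/json) for the job list without any credentials and compares the result with the set of jobs you intended to publish. The job names and the sample response are constructed, and treating a 401/403 reply as "nothing visible" is an assumption.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of the JSON an unauthenticated client might get back from
# <jenkins>/api/json?tree=jobs[name,jobs[name]]; the job names are made up.
SAMPLE_ANONYMOUS_VIEW = json.dumps({"jobs": [
    {"name": "public stuff", "jobs": [{"name": "docs-site"}, {"name": "oss-lib"}]},
    {"name": "release-signing"},
]})

def tree_param(depth):
    """Build the tree= filter that asks for job names `depth` folder levels deep."""
    tree = "jobs[name]"
    for _ in range(depth - 1):
        tree = "jobs[name,%s]" % tree
    return tree

def fetch_anonymous(base_url, depth=3):
    """Fetch the job list with no cookies or credentials, as an anonymous user would."""
    query = urllib.parse.urlencode({"tree": tree_param(depth)})
    url = base_url.rstrip("/") + "/api/json?" + query
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):  # assumption: treated here as "nothing visible"
            return '{"jobs": []}'
        raise

def visible_jobs(node, prefix=""):
    """Flatten the nested jobs tree into full names such as 'folder/job'."""
    names = set()
    for job in node.get("jobs", []):
        full = prefix + job["name"]
        names.add(full)
        names |= visible_jobs(job, full + "/")
    return names

def audit(api_json, intended_public):
    """Compare what anonymous can see with what you meant to publish."""
    seen = visible_jobs(json.loads(api_json))
    wanted = set(intended_public)
    return {"unexpected": sorted(seen - wanted), "missing": sorted(wanted - seen)}

if __name__ == "__main__":
    intended = {"public stuff", "public stuff/docs-site", "public stuff/oss-lib"}
    # Swap the sample for fetch_anonymous("https://youraccount.ci.cloudbees.com/")
    print(audit(SAMPLE_ANONYMOUS_VIEW, intended))
```

Anything listed under unexpected is visible to anonymous users without having been intended as public; anything under missing was meant to be public but is not visible.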

Workspaces

People with Job/Read permission can look at your jobs, builds, changelogs, etc., and download published artifacts. They cannot automatically browse your job’s workspace, since this might have sensitive files. To let them, grant Job/Workspace.

Classes of Authenticated Users

By default all authenticated users have full control over the Jenkins instance. You can set up finer-grained rights if you like: deny the authenticated role all permissions, create new roles that have certain permissions but not others, and create groups (at top level or inside folders) that grant certain roles, then add particular people (email addresses) to them.

Created by Ryan Campbell on 2013/03/20 15:01