Allow anonymous user to only view job list without browsing workspace in Jenkins

security configuration jenkins hudson

We are running a Jenkins CI. Generally we would like to provide

  1. full access to authenticated users from particular group
  2. full-read access to anonymous users
  3. block anonymous users to access certain projects (completely)

We use Unix user/group database and Project-based Matrix Authorization Strategy. Points (1) and (2) works well but we are having trouble achieving (3).

We have tried:

  • in Global Security removing all rights to anonymous and then granting it in project-based security but after that all anonymous requests (even to main Jenkins page) yields login page
  • in Global Security adding in steps following rights: View-Read (didn't work), Job-Discover (didn't work), Job-Read (didn't work), Overal-Read - this last one seemed to work however it gave the anonymous user too much rights and we weren't able to limit access to the particular project.

tl;dr

we want fully open (read-wise) Jenkins CI with a few projects completely hidden/blocked for anonymous.


Solution 1:

OK, so I've managed to do it:

  • you need Role-based Authorization Strategy Plugin
  • enable this authentication strategy in Configure Global Security
  • in Manage and Assign Roles / Manage Roles create new role anonymous and authenticated for both global and project roles
  • in Global roles grant anonymous role right only to Overall / Read (this will at the very least access anonymous user main jenkins screen with navigation and link to login page, not login prompt immediately)
  • in Project role add anonymous role with regexp pattern that will match projects you want anonymous users to access and after adding this role grant it right to Job / Read and Job / Discover
  • navigate to Manage and Assign Roles / Assign Roles and assign Anonymous user group to anonymous role (and authenticated users to specific groups). SAVE

Solution 2:

With above https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin plugin

then you DO NOT need add authenticated role in Manage Roles page.

Screenshots: Manage Roles & Assign Roles

Related

Cause of Current Pending Sector and Offline Uncorrectable increase and then decrease to zero
MSTSC: Black Areas on Remote Desktop
How do I avoid showing skipped Ansible tasks?
Count number of allowed CPUs in a Docker container
How to save iptables configuration on Redhat Enterprise Server 7
SSL not working with Apache on Windows
Intuitionistic logic plus $A → B \lor C \vdash ( A → B ) \lor ( A → C )$
$f \in K[X]$ of degree $n$ with Galois group $S_n$, why are there no non-trivial intermediate fields of $K \subset K(a)$ with $a$ a root of $f$?
$\subset$ vs $\subseteq$ when *not* referring to strict inclusion
Help with integrating $\int_0^{\infty} \frac{(\log x)^2}{x^2 + 1} \operatorname d\!x$ - contour integration?
Approximate spectral decomposition
Expected number of die rolls to get 6 given that all rolls are even.