'Jenkins security - hide all screens unless user is logged in

I don't know why "logged in users can do anything" means Jenkins will happily allow non-authenticated users to view project details and access artifacts... Regardless, I need to know how to get Jenkins to allow logged in users to to anything AND hide EVERYTHING for users who AREN'T logged in. Help please?

jenkinscontinuous-integration


Solution 1:[1]

You can use https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin

it allows to specify to define roles and assign roles to users, users with no roles won't even see the jenkins ui.

Solution 2:[2]

Answer to an old question but I came searching here as I am trying to auto spin up a Jenkins instance on Docker and found the same issue.

Good chance this option wasn't available when the question was asked. As of this moment (v2.222.3 but not sure how far back), it turns out you can do this without installing any additional plugins.

Manually

  • Navigate to Global Security (Jenkins > Manage Jenkins > Global Security)

  • Update the Authorization section to "Logged-in users can do anything".

    UNCHECK Allow anonymous read access

enter image description here

Any unauthenticated access will redirect to login now.

I would note that if you setup Jenkins through the setup wizard then anonymous read access is disabled by default. If you want this behaviour AND want to configure jenkins automatically, read on.

Automated with Docker

My situation is that I wanted to check out my repo, run my compose file and have all my config/users/plugins etc ready to go. Great post here with more detail if interested.

In a nutshell:

Dockerfile

FROM jenkins/jenkins:lts-alpine

# Disable setup wizard since security.groovy creates our user
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"

COPY security.groovy /usr/share/jenkins/ref/init.groovy.d/security.groovy

security.groovy

#!groovy

import jenkins.model.*
import hudson.security.*

def instance = Jenkins.getInstance()

// Create Admin User
def hudsonRealm = new HudsonPrivateSecurityRealm(false)
hudsonRealm.createAccount("admin", "admin") // Dont do this. This is bad
instance.setSecurityRealm(hudsonRealm)

// Set Auth to Full Control Once Logged In and prevent read-only access
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)

instance.save()

In particular, strategy.setAllowAnonymousRead(false) is what's needed

Solution 3:[3]

Additionally, if you use GitHub as your version control system -- you can use the GitHub OAuth plugin. Once the "Anonymous" reach your page, they will be redirected to GitHub automatically.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 rcomblen
Solution 2 Matt R
Solution 3 Jesse

Related Questions

Jenkins Content Security Policy

setUp method: Failed to connect to binary FirefoxBinary(/usr/bin/firefox) on port 7055; process output follows:

SonarQube 3.7 with maven and Jenkins - Maven session does not declare a top level project

How can I pass variables to post-build actions in Jenkins?

How to add a timeout step to Jenkins Pipeline

Jenkins not building docker image, can't find the docker command

compare 2 variables in jelly script

Jenkins Ambiguous Permission

Error - Jenkins detected running multiple instances

How to get child job logs in parent job on child job failure?

create jenkins ssh username with private key credential via rest xml api

How to stop build from executing from the pipeline script?

How to prevent Jenkins SCM polling from triggering a build on branch creation

jenkins builds filtering based on build description

Jenkins shell script returned exit code 1 when the searched string isn't exsist