Jenkins : Securing Jenkins

This page has been superseded by the "Securing Jenkins" section of the Jenkins User Handbook.

In the default configuration of Jenkins 1.x, Jenkins does not perform any security checks. This means the ability of Jenkins 1.x to launch processes and access local files is available to anyone with access to Jenkins.

Securing Jenkins has several aspects to it.

Access Control

You should lock down the access to Jenkins UI so that users are authenticated and appropriate set of permissions are given to them. This setting is controlled mainly by two axes:

  • Security Realm, which determines users and their passwords, as well as what groups the users belong to.
  • Authorization Strategy, which determines who has access to what.

These two axes are orthogonal, and need to be individually configured. For example, you might choose to use external LDAP or Active Directory as the security realm, and you might choose "everyone full access once logged in" mode for authorization strategy. Or you might choose to let Jenkins run its own user database, and perform access control based on the permission/user matrix.

The following pages discuss various aspects of this feature in details

Protect users of Jenkins from other threats

There are additional security subsystems in Jenkins that protect Jenkins and users of Jenkins from indirect attacks.

The following topics discuss features that are off by default. We recommend you read them first and act on them.

The following topics discuss other security features that are on by default. You'll only need to look at them when they are causing problems.

Attachments:

BuildToken.jpg (image/pjpeg)