
Immediately after installation, Jenkins will allow anyone to run anything as user jenkins, which is bad.  This page shows you how to set up basic security using the Configure Global Security page.

The Configure Global Security page has two sections in which you:

  • Set the security realm to determine who is allowed access
  • Set the authorization to determine what each user is allowed to do

Security Realm

First, establish the user authentication method.  For smaller, more informal installations, you can use Jenkins' own user database.  For enterprise installations, you will want to use your corporate service, which allows users to log in to Jenkins with their usual username and password.

Jenkins' Own User Database

This is the simplest authentication scheme--Jenkins maintains its own independent user database.  People can sign up for their own accounts, and you as the administrator decide who can do what in Jenkins.

  1. Go to the Jenkins dashboard, usually http://_server_:8080 or http://_server_/jenkins:8080, where server is the host on which Jenkins is running
  2. Select Manage Jenkins, then Configure Global Security
  3. Click Enable Security.  The page will expand to offer a choice of access control.
  4. Select Jenkins’ own user database
  5. Place a check mark next to Allow users to sign up
  6. Continue with Authorization, below.  In particular, do not forget to press the Save button at the bottom of the page.

Active Directory On Linux Server

If Jenkins is running on a Windows server then it is better to install the Active Directory plugin.

On a Linux host you have an option to either use the Active Directory plugin or an LDAP based authentication. To configure the LDAP to work with Active Directory, provide the following:

  • Server: mydomaincontroller.mycompany.com:389
  • Root DN: dc=mycompany,dc=com
  • User Search Filter: sAMAccountName={0}
  • Manager DN: cn=mymanageruser,ou=users,ou=na,ou=mycompany,dc=mycompany,dc=com
  • Manager Password: *****

Note that the correct Manager DN value can vary greatly depending on your Active Directory set up.

UNIX NIS

To set up Network Information System:

  1. Go to the Jenkins dashboard, usually http://_server_:8080 or http://_server_/jenkins:8080, where server is the host on which Jenkins is running
  2. Select Manage Jenkins, then Configure Global Security
  3. Click Enable Security.  The page will expand to offer a choice of access control
  4. Select Unix user/group database
    • Push the Test button (on the extreme right)
    • If Success is displayed, everything is set up properly
    • If not, follow the instructions to fix the problem and repeat
    • If you still do not succeed, push the Advanced button and specify Service Name sshd and repeat
  5. Continue with Authorization, below.  In particular, do not forget to press the Save button at the bottom of the page.

LDAP

See LDAP Plugin.  Then continue with Authorization, below.  In particular, do not forget to press the Save button at the bottom of the page.

Authorization

The Authorization section of the Configure Global Security page allows you to configure what users are allowed to do once authenticated.

Matrix-based Security

Matrix-based security offers the most precise control over user privileges.

  1. Select Matrix-based security as the Authorization
  2. Give the Anonymous user only Overall Read access
  3. In the text box below the matrix, type your user name (or the user name you plan to use when you register as a new Jenkins user) and click Add
  4. Give yourself full access by checking the entire row for your user name
  5. Repeat for other users who deserve full access.  The configuration should look like the picture below:
  6. Click Save at the bottom of the page.  You will be taken back to the top page.  Now Jenkins is successfully secured.
  7. Restart Jenkins (service jenkins restart on Linux)

If you set up a service like NIS, Active Directory or LDAP, you can now log in to Jenkins using your network credentials.  If you are using Jenkins' own user database, create a user account for yourself: 

  1. Click the Login link at the top right portion of the page
  2. Choose Create an account
  3. Specify the user name you used in the above step, and fill in the rest

If everything works smoothly, you are now logged on as yourself with full permissions. If something goes wrong, follow this to reset the security setting.
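One way to check the result on disk, as an added example (not part of the original page or of Jenkins itself): the script reads the security elements of $JENKINS_HOME/config.xml and reports where they differ from the matrix steps above. The element names, permission ids and the optional USER:/GROUP:/EITHER: entry prefix are assumptions about the on-disk format, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Permission ids and strategy class names as stored in config.xml (assumed layout).
OVERALL_READ = "hudson.model.Hudson.Read"
OVERALL_ADMINISTER = "hudson.model.Hudson.Administer"
MATRIX_STRATEGIES = {
    "hudson.security.GlobalMatrixAuthorizationStrategy",
    "hudson.security.ProjectMatrixAuthorizationStrategy",
}
ENTRY_TYPES = ("USER", "GROUP", "EITHER")  # prefix used by newer entry formats (assumed)

# Constructed sample, trimmed to the security-related elements of config.xml.
# "alice" is a hypothetical administrator; anonymous was given Job/Build by mistake.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:alice</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""


def _load(config_xml):
    """Parse config.xml text, ignoring any leading XML declaration."""
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml))


def parse_grants(root):
    """Return {sid: set(permission ids)} from the authorizationStrategy element."""
    grants = {}
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return grants
    for node in strategy.findall("permission"):
        entry = (node.text or "").strip()
        head, _, rest = entry.partition(":")
        if head in ENTRY_TYPES:          # "USER:<permission>:<sid>"
            entry = rest
        perm, sep, sid = entry.partition(":")   # "<permission>:<sid>"
        if sep and sid:
            grants.setdefault(sid, set()).add(perm)
    return grants


def audit(config_xml):
    """Return a list of findings; an empty list means the matrix steps were followed."""
    root = _load(config_xml)
    if (root.findtext("useSecurity") or "").strip() != "true":
        return ["security-disabled"]

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class") if strategy is not None else None
    if cls not in MATRIX_STRATEGIES:
        return ["not-matrix:%s" % cls]

    findings = []
    grants = parse_grants(root)
    # Step 2: the anonymous user gets Overall/Read and nothing else.
    for perm in sorted(grants.get("anonymous", set()) - {OVERALL_READ}):
        findings.append("anonymous-extra:%s" % perm)
    # Step 4: at least one named account must hold Overall/Administer,
    # otherwise nobody can manage Jenkins after saving.
    named_admins = [sid for sid, perms in grants.items()
                    if sid != "anonymous" and OVERALL_ADMINISTER in perms]
    if not named_admins:
        findings.append("no-named-admin")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["ok"]:
        print(finding)
```

Run it against a copy of the real file before restarting Jenkins, so a matrix that leaves no named administrator is caught while the old configuration is still active.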

TBD

More docs to come. Suggestions on what needs to be written are greatly appreciated.


30 Comments

  1. Anonymous

    More info on how to create and manage groups of users would be great. There also doesn't seem to be a way of telling what users have registered apart from looking at the filesystem.

  2. Unknown User (alvin.chang)

    One has to add groups prefixing with "ROLE_" (without quotes). I'm using OpenLDAP as its backend.

    1. Just to be clear, the full format is "ROLE_" + (cn.toUpper()) .... right?

      How do you deal with spaces? I have a group with a CN of "Some Group".  I don't seem to be able to get "ROLE_SOME_GROUP" nor "ROLE_SOME GROUP" to work.

  3. Unknown User (jojopaderes)

    I just downloaded v1.252 and tried out this guide for setting up the admin account. Logging in using the newly created admin account will cause a NPE:

    java.lang.NullPointerException
    	at hudson.security.HudsonPrivateSecurityRealm.createAccount(HudsonPrivateSecurityRealm.java:125)
    	at hudson.security.HudsonPrivateSecurityRealm.doCreateAccount(HudsonPrivateSecurityRealm.java:86)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:103)
    	at org.kohsuke.stapler.Function.bindAndinvoke(Function.java:57)
    	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:75)
    	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:30)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:440)
    	at org.kohsuke.stapler.MetaClass$7.doDispatch(MetaClass.java:230)
    	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:30)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:440)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:361)
    	at org.kohsuke.stapler.Stapler.service(Stapler.java:121)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
    	at winstone.ServletConfiguration.execute(ServletConfiguration.java:249)
    	at winstone.RequestDispatcher.forward(RequestDispatcher.java:335)
    	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:378)
    	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:61)
    	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:53)
    	at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
    	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:52)
    	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:28)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:42)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:44)
    	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:85)
    	at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
    	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
    	at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
    	at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
    	at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
    	at java.lang.Thread.run(Thread.java:619)
    

    The workaround to this bug is to restart the server. This however will be a pain for every new user added to the application.

    1. Unknown User (jojopaderes)

      This issue was fixed already in v1.253. See issue 2376.

  4. Funny. I'm running 1.255 and get what looks to be the same error (albeit with a slightly different line number, as is to be expected):

    SEVERE: Servlet.service() for servlet Stapler threw exception
    java.lang.NullPointerException
    	at hudson.security.HudsonPrivateSecurityRealm.createAccount(HudsonPrivateSecurityRealm.java:131)
    	at hudson.security.HudsonPrivateSecurityRealm.doCreateAccount(HudsonPrivateSecurityRealm.java:86)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ... 
    

     I will poke around some more and submit a bug report if warranted...

      - rob

     

  5. I got the same NPE at logging in with a newly created user. I am running version 1.258.  I had this in the logs

    2-nov-2008 19:09:19 hudson.security.SecurityRealm validateCaptcha
    INFO: Captcha validation had a problem
    com.octo.captcha.service.CaptchaServiceException: Invalid ID, could not validate unexisting or already validated captcha
    	at com.octo.captcha.service.AbstractCaptchaService.validateResponseForID(AbstractCaptchaService.java:138)
    	at com.octo.captcha.service.AbstractManageableCaptchaService.validateResponseForID(AbstractManageableCaptchaService.java:365)
    	at hudson.security.SecurityRealm.validateCaptcha(SecurityRealm.java:141)
    	at hudson.security.HudsonPrivateSecurityRealm.createAccount(HudsonPrivateSecurityRealm.java:122)
    	at hudson.security.HudsonPrivateSecurityRealm.doCreateAccount(HudsonPrivateSecurityRealm.java:86)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:146)
    	at org.kohsuke.stapler.Function.bindAndinvoke(Function.java:71)
    	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:75)
    	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:30)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:409)
    	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:140)
    	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:30)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:409)
    	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:352)
    	at org.kohsuke.stapler.Stapler.service(Stapler.java:112)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:61)
    	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:53)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:52)
    	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:28)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:42)
    	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:55)
    	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:44)
    	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:85)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    	at java.lang.Thread.run(Thread.java:619)
    
  6. Is there a way, with the per-project matrix-based security, to "hide" certain jobs from the anonymous? It seems the "read" permission is global and can't be refined per-job?

  7. Unknown User (sowens01@gmail.com)

    I'm not sure if this is the right place for this, but I'm trying to set up matrix-based security in Hudson 1.261 running on Java 1.6, with the ability for the users to create their own accounts. When I reboot the server, I can get to the page that allows me to create an account, but the captcha image just displays the missing image icon. Is there anything simple I should be looking for to debug this?

    I'm also trying to work this by adding the accounts in myself, but I can't seem to find instructions on how to add a user manually. Am I missing a page on this wiki?

    Other than that I'm very impressed with the level of functionality Hudson provides. Hopefully I can get to the point of contributing to the project sometime in the future.

  8. Unknown User (koziolek)

    I use Hudson 1.299 with per-project matrix-based. I have some questions:

    1. How to add user to group?

    2. How to add owner to project?

    3. Is there any possibility to create a configuration so that only the owner (and admin) can see the job?

  9. Unknown User (chrishines)

    Looking at the Hudson source code circa 1.306, user groups are only supported by the LDAP and Unix Security Realms.

  10. Unknown User (hangglider)

    Since version 1.323 we can't log in from Internet Explorer version 6 (unfortunately our company default yet).

    Using Firefox or Iceweasel (3.0.14) the login works.

    On IE 6 we don't get the username, always the "Login" text appears in upper right corner.

    We get no "start build" or administration rights after a login attempt that doesn't report errors to the browser.

    our security settings: 

    Any ideas ? 

    on stdout (debian lenny) we got this:

    Sep 21, 2009 2:54:02 PM hudson.ExpressionFactory2$JexlExpression evaluate
    WARNING: Caught exception evaluating: h.hasPermission(it, permission). Reason: java.lang.NullPointerException
    java.lang.NullPointerException
            at hudson.security.AuthorizationStrategy.getACL(AuthorizationStrategy.java:102)
            at hudson.model.View.getACL(View.java:269)
            at hudson.model.View.hasPermission(View.java:277)
            at hudson.Functions.hasPermission(Functions.java:581)
            at sun.reflect.GeneratedMethodAccessor60.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.apache.commons.jexl.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:258)
            at org.apache.commons.jexl.parser.ASTMethod.execute(ASTMethod.java:104)
            at org.apache.commons.jexl.parser.ASTReference.execute(ASTReference.java:83)
            at org.apache.commons.jexl.parser.ASTReference.value(ASTReference.java:57)
            at org.apache.commons.jexl.parser.ASTReferenceExpression.value(ASTReferenceExpression.java:51)
            at org.apache.commons.jexl.ExpressionImpl.evaluate(ExpressionImpl.java:80)
            at hudson.ExpressionFactory2$JexlExpression.evaluate(ExpressionFactory2.java:72)
            at org.apache.commons.jelly.expression.ExpressionSupport.evaluateRecurse(ExpressionSupport.java:61)
            at org.apache.commons.jelly.expression.ExpressionSupport.evaluateAsBoolean(ExpressionSupport.java:71)
            at org.apache.commons.jelly.tags.core.IfTag.doTag(IfTag.java:41)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.kohsuke.stapler.jelly.CustomTagLibrary$StaplerDynamicTag$1.run(CustomTagLibrary.java:147)
            at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.tags.core.IfTag.doTag(IfTag.java:42)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.kohsuke.stapler.jelly.CustomTagLibrary$StaplerDynamicTag$1.run(CustomTagLibrary.java:147)
            at org.apache.commons.jelly.tags.define.InvokeBodyTag.doTag(InvokeBodyTag.java:91)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.impl.StaticTag.doTag(StaticTag.java:65)
            at org.apache.commons.jelly.impl.StaticTagScript.run(StaticTagScript.java:112)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.apache.commons.jelly.TagSupport.invokeBody(TagSupport.java:186)
            at org.apache.commons.jelly.tags.core.JellyTag.doTag(JellyTag.java:45)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.DynamicTag.doTag(DynamicTag.java:81)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95)
            at org.kohsuke.stapler.jelly.CompressTag.doTag(CompressTag.java:21)
            at org.apache.commons.jelly.impl.TagScript.run(TagScript.java:262)
            at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:29)
            at org.kohsuke.stapler.jelly.JellyClassTearOff.serveIndexJelly(JellyClassTearOff.java:43)
            at org.kohsuke.stapler.jelly.JellyFacet.handleIndexRequest(JellyFacet.java:83)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:476)
            at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:309)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:487)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:403)
            at org.kohsuke.stapler.Stapler.service(Stapler.java:116)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
            at winstone.ServletConfiguration.execute(ServletConfiguration.java:249)
            at winstone.RequestDispatcher.forward(RequestDispatcher.java:335)
            at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:378)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:94)
            at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:86)
            at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
            at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
            at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:47)
            at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
            at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
            at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:166)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:173)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
            at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:66)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
            at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
            at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:155)
            at winstone.FilterConfiguration.execute(FilterConfiguration.java:195)
            at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:368)
            at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
            at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:244)
            at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
            at java.lang.Thread.run(Thread.java:619)

  11. Unknown User (uast23)

    Any inputs on running a shell script as root? My script needs root privileges. How can I configure Hudson for the unix root user?

  12. Unknown User (gaurav.tiwari@sunlife.com)

    I have to manage authentication for Hudson using multiple LDAP domains. Although I can mention them all in the server field separating them with commas, the problem I have is that the functional user account (bind DN or manager DN) we would need to access those servers would be different for each domain.

    Is there a way to ensure LDAP authentication of this kind?

  13. Unknown User (jl.pinardon)

    Please, it would be very interesting to list the LDAP attributes Hudson needs. In the case of a corporate LDAP directory, with a centralized IS/IT team, there is often a web interface for asking rights and information to connect an application with the LDAP server. And the list of attributes can be required.

  14. Unknown User (suama)

    I hope to use multi authentication source, for example, both Hudson Native Database and LDAP.
    Because I'm afraid that I can't log in when my LDAP may be down, so that I hope to have an emergency account or dedicated account for some tasks.
    How about?

    1. We are trying to do this too. Did you come up with a solution?

  15. We had some problems with SVN and the post-commit hook to trigger builds. It forced us to allow 'Job-read', 'Job-build' and 'Overall-read' permissions to Anonymous for registering SCM Polling to projects.

    I would love to have a single check-box for allowing anonymous to poll for builds alone OR some way to add authentication into polling from the subversion server (I suspect it's possible by wget, but I haven't experimented with it and I didn't find any documentation describing this scenario).

  16. I'm running hudson v.1384 on a Windows Server 2003 machine. If I enable security, with any strategy (I've tried "Hudson's own user database", "Delegate to servlet container" and the Active Directory plugin), the login works fine, but it's immediately timed out and I have to login again. The steps are:

    • click login
    • fill in the user and passwd and click login
    • the Manage Hudson link appears on the left and user name on the top-right.
    • If I click on it, it redirects to the login page, as if I was not logged in yet.

    Any help?

  17. Unknown User (jheckel@uillinois.edu)

    With matrix or project based security, is there an environment variable that I can access to get the user logged in?

  18. Hello. What I want is to have some accounts that have all rights in Jenkins and I have set that up OK. But I also want the anonymous user to be able to VIEW the configuration of jobs but to NOT be able to edit them. How can I do that? Thank you.

  19. I am running Jenkins 1.472 on a 2.6.32-220.13.1.el6.centos.plus.x86_64 host. When I enabled jenkins-own-db-based, per-job, matrix based security, the global security matrix includes a "workspace" option, as well as several other columns not documented here. As this guide advised, I gave the anonymous user only job:read permissions, but I am getting errors because... javax.servlet.ServletException: hudson.security.AccessDeniedException2: anonymous is missing the Workspace permission. 

    While I am betting that I can make this error go away by checking the workspace checkbox for the anonymous user, I would like to know what I am enabling :)

    Is there a more up-to-date source of information on what the current columns in the matrix mean? My security matrix has the following columns:

    User/group
    Overall: Administer, Read, RunScripts, UploadPlugins, ConfigureUpdateCenter
    Slave: Configure, Delete, Create, Disconnect, Connect
    Job: Create, Delete, Configure, Read, Discover, Build, Workspace, Cancel
    Run: Delete, Update
    View: Create, Delete, Configure, Read
    SCM: Tag
    Artifactory: Release, Promote

    Thank you, Jaron

  20. Some information about when to check "Prevent Cross Site Request Forgery exploits" would help.

  21. For the user and group search base, only enter the 'cn=users' part, not the fully qualified 'cn=users,dc=example,dc=com'. Jenkins adds the dc parts to it on its own.

  22. When I add an existing group, it isn't recognized as a group - I can see a picture with a user.

    Can anybody help with solving this problem?

    1. And you don't need to use "ROLE_" prefix to specify a group.

  23. Good Day Everyone

    I just set my Jenkins up on my CentOS server.

    I followed the "Standard Security Setup",

    but when I added a new user it met a problem shown in the pic below.

    When I saved the configuration, it asked for my username and admin, but there was nowhere to sign up.

    And the user I created cannot be used...

    I have changed the config.xml several times and tried again and again, but it didn't make sense.

    Is there anyone who can help?

    Looking forward to hearing from you.

    Best Regards

  24. I can't get a group added to matrix security.  I've tried entering the exact group name, prefixing the group name with ROLE_ and having it all uppercase but it is always displaying on the matrix area with an icon that is a red circle with a white minus sign.  I've used the whoami page to see the groups that Jenkins has found for me using LDAP and entered groups on that page but still no luck.