disable anonymous read when jenkins_authorization_strategy { 'hudson.security.FullControlOnceLoggedInAuthorizationStrategy': #867

Closed
ABrehm264 opened this issue Apr 30, 2018 · 4 comments

@ABrehm264

I've been trying to scour the documentation, but I'm not seeing where I could set anonymous read to off in Jenkins after setting the auth strategy to fullcontrolonceloggedin.

Any help would be appreciated.

Thanks

@jhoblitt
Member

@ABrehm264
Author

Yeah, I've reread that file several times, but I still think I'm missing something.

My code looks like:

  jenkins_authorization_strategy { 'hudson.security.FullControlOnceLoggedInAuthorizationStrategy':
    ensure => 'present',
  }

  jenkins_security_realm { 'hudson.security.HudsonPrivateSecurityRealm':
    ensure    => 'present',
    arguments => [false, false, undef], # AllowSignup, enableCaptcha, {blank}
  }

and after running puppet, my auth strategy still has the "allow anonymous read access" flag enabled like this:
[image]

From your documentation, and what little I could read from your code (I'm a puppet and groovy newbie), the only thing that I can see where you actually disable anonymous read is via the github auth strategy.
[image]
but I'm not using that strategy, so I don't think it's applicable.

Am I missing something? Or is there maybe a CLI command that I should be running after the fact?

Thanks

@jhoblitt
Member

OK - I thought you were reporting an error message from the CLI. The value of arguments has to match the parameters of [one of the] constructor(s) of the class that provides the strategy.

In this case, you are configuring http://javadoc.jenkins-ci.org/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.html#FullControlOnceLoggedInAuthorizationStrategy

Which appears to not accept any arguments via its constructor. So either the puppet provider and the puppet_helper.groovy script need special handling for this class to call methods on it, or a new constructor needs to be added to https://github.com/kohsuke/jenkins/blob/master/core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java

@ABrehm264
Author

I did this to make it work:

  augeas { 'jenkins_config.xml - deny anonymous read access':
    incl      => '/var/lib/jenkins/config.xml',
    lens      => 'Xml.lns',
    context   => '/files/var/lib/jenkins/config.xml/hudson',
    # Write <denyAnonymousReadAccess>true</denyAnonymousReadAccess> under <authorizationStrategy>
    changes   => "set authorizationStrategy/denyAnonymousReadAccess/#text true",
    onlyif    => "get authorizationStrategy/denyAnonymousReadAccess/#text != true",
    subscribe => Jenkins_user[$jenkins_admin_username],
    # Restart Jenkins so the edited config.xml is loaded
    notify    => Service['jenkins.service'],
  }
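A check for the setting that the last comment writes with Augeas, as an added example that is not part of the thread or of the puppet-jenkins module: it reads a Jenkins config.xml and reports whether anonymous read is denied under FullControlOnceLoggedInAuthorizationStrategy. The function name and sample documents are constructed, and treating a missing denyAnonymousReadAccess element as "allowed" is an assumption based on the behaviour reported above.

```python
import re
import sys
import xml.etree.ElementTree as ET

STRATEGY = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"

def anonymous_read_status(config_xml: str) -> str:
    """Classify a Jenkins config.xml as 'denied', 'allowed' or 'other-strategy'."""
    # Strip the XML declaration first: newer Jenkins versions write
    # version='1.1', which Python's expat-based parser does not accept.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    root = ET.fromstring(body)  # root element is <hudson>
    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") != STRATEGY:
        return "other-strategy"
    flag = strategy.findtext("denyAnonymousReadAccess")
    # Assumption: no element means the flag was never set, so anonymous
    # read is still allowed (the state reported in the thread).
    if flag is not None and flag.strip().lower() == "true":
        return "denied"
    return "allowed"

# Constructed samples, not taken from a real controller.
AFTER_PUPPET_ONLY = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="%s"/>
</hudson>""" % STRATEGY

AFTER_AUGEAS_FIX = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="%s">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
</hudson>""" % STRATEGY

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: pass the path to config.xml, e.g. /var/lib/jenkins/config.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(sys.argv[1], anonymous_read_status(fh.read()))
    else:
        print("puppet only:", anonymous_read_status(AFTER_PUPPET_ONLY))
        print("augeas fix: ", anonymous_read_status(AFTER_AUGEAS_FIX))
```
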
