Scenario / Questions

We are running a Jenkins CI. Generally we would like to provide

  1. full access to authenticated users from particular group
  2. full-read access to anonymous users
  3. block anonymous users from accessing certain projects (completely)

We use the Unix user/group database and the Project-based Matrix Authorization Strategy. Points (1) and (2) work well, but we are having trouble achieving (3).

We have tried:

  • in Global Security, removing all rights from anonymous and then granting them in project-based security, but after that all anonymous requests (even to the main Jenkins page) yield the login page
  • in Global Security, adding the following rights in steps: View-Read (didn’t work), Job-Discover (didn’t work), Job-Read (didn’t work), Overall-Read – this last one seemed to work; however, it gave the anonymous user too many rights and we weren’t able to limit access to the particular project.

tl;dr

We want a fully open (read-wise) Jenkins CI with a few projects completely hidden/blocked for anonymous.


Suggestion: 1

OK, so I’ve managed to do it:

  • you need the Role-based Authorization Strategy Plugin
  • enable this authorization strategy in Configure Global Security
  • in Manage and Assign Roles / Manage Roles, create new roles anonymous and authenticated for both global and project roles
  • in Global roles, grant the anonymous role only the Overall / Read right (this will at the very least give the anonymous user access to the main Jenkins screen with navigation and a link to the login page, not the login prompt immediately)
  • in Project roles, add the anonymous role with a regexp pattern that will match the projects you want anonymous users to access, and after adding this role grant it the Job / Read and Job / Discover rights
  • navigate to Manage and Assign Roles / Assign Roles and assign the Anonymous user group to the anonymous role (and authenticated users to specific groups). SAVE
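The regexp step above is where a hidden project can leak to anonymous users, so the following added Python sketch (not part of the original answer and not plugin code) audits a candidate anonymous project-role pattern before it is saved. The job names, patterns and function name are constructed for illustration, and it assumes the plugin requires the pattern to match the whole job name.

```python
import re

# Constructed sample data: every job on the instance, and the jobs that
# anonymous users must never see.
JOBS = ["website", "docs-nightly", "release-signing",
        "internal-tools", "internal-tools-docs", "lib-core"]
HIDDEN = {"release-signing", "internal-tools"}

# Candidate patterns for the anonymous project role (constructed).
TOO_BROAD = ".*"                                           # exposes everything
PREFIX_EXCLUDE = "(?!release-signing|internal-tools).*"    # hides by prefix
EXACT_EXCLUDE = "(?!(?:release-signing|internal-tools)$).*"  # hides exact names


def audit_anonymous_pattern(pattern, job_names, must_hide):
    """Return (visible, leaked, wrongly_hidden) for a project-role pattern.

    Assumption: the pattern has to match the entire job name, so
    re.fullmatch is used; lookahead syntax is the same in Java and Python.
    """
    rx = re.compile(pattern)
    visible = [j for j in job_names if rx.fullmatch(j)]
    # Jobs that should be blocked but that the pattern grants to anonymous.
    leaked = [j for j in visible if j in must_hide]
    # Public jobs that the pattern accidentally hides as well.
    wrongly_hidden = [j for j in job_names
                      if j not in visible and j not in must_hide]
    return visible, leaked, wrongly_hidden


if __name__ == "__main__":
    for name, pat in [("too broad", TOO_BROAD),
                      ("prefix exclude", PREFIX_EXCLUDE),
                      ("exact exclude", EXACT_EXCLUDE)]:
        visible, leaked, wrongly_hidden = audit_anonymous_pattern(
            pat, JOBS, HIDDEN)
        print(f"{name}: visible={visible} leaked={leaked} "
              f"wrongly_hidden={wrongly_hidden}")
```

A non-empty `leaked` list means the pattern would grant Job / Read on a project that is meant to stay blocked; a non-empty `wrongly_hidden` list means the exclusion is wider than intended.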

Suggestion: 2

With the above https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin plugin, you DO NOT need to add the authenticated role in the Manage Roles page.

Screenshots: Manage Roles & Assign Roles