System Administration
This chapter is for system administrators of Jenkins servers and nodes. It covers system maintenance topics including security, monitoring, and backup/restore.
Users not involved with system-level tasks will find this chapter of limited use. Individual sections may assume knowledge of information from previous sections, but such assumptions will be explicitly called out and cross-referenced.
If you are not yet familiar with basic Jenkins terminology and features, start with Getting Started with Jenkins.
If you are already familiar with Jenkins basics and would like to delve deeper into how to use specific features, see Using Jenkins.
If you are a Jenkins administrator and want to know more about managing Jenkins nodes and instances, see Managing Jenkins.
Jenkins Security
In the default configuration of Jenkins 1.x, Jenkins does not perform any security checks. This means that Jenkins's ability to launch processes and access local files, among other things, is available to anyone who can reach the Jenkins web UI.
Securing Jenkins has two aspects to it.
Access control, which ensures users are authenticated when accessing Jenkins and their activities are authorized.
Protecting Jenkins against external threats
Access Control
You should lock down access to the Jenkins UI so that users are authenticated and an appropriate set of permissions is given to them. This setting is controlled mainly by two axes:
Security Realm, which determines users and their passwords, as well as what groups the users belong to.
Authorization Strategy, which determines who has access to what.
These two axes are orthogonal, and need to be individually configured. For example, you might choose to use external LDAP or Active Directory as the security realm, and you might choose "everyone full access once logged in" mode for authorization strategy. Or you might choose to let Jenkins run its own user database, and perform access control based on the permission/user matrix.
Quick and Simple Security --- if you are running Jenkins like java -jar jenkins.war and only need a very simple setup
Standard Security Setup --- discusses the most common setup of letting Jenkins run its own user database and doing finer-grained access control
Apache frontend for security --- run Jenkins behind Apache and perform access control in Apache instead of Jenkins
Authenticating scripted clients --- if you need to programmatically access a security-enabled Jenkins web UI, use BASIC auth
Matrix-based security --- granting and denying finer-grained permissions
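The "Authenticating scripted clients" item above says to use BASIC auth. The following is an added example, not code from the Jenkins project or this page, showing how a scripted client builds that request with Python's standard library. The Jenkins URL, user name and API token are placeholders; the only assumption is that the target Jenkins accepts an HTTP Authorization header of the form "Basic base64(user:token)", which is standard BASIC auth. Use a per-user API token rather than the account password so the credential can be revoked without changing the login.

```python
"""Added example: HTTP BASIC auth for a scripted Jenkins client (not from the Jenkins docs)."""
import base64
import json
import urllib.request

# Placeholders (assumptions, not real values): replace with your instance and token.
JENKINS_URL = "https://jenkins.example.invalid"
USER = "alice"
API_TOKEN = "replace-with-a-user-api-token"


def basic_auth_header(user: str, api_token: str) -> str:
    """Return the value of the Authorization header for BASIC auth.

    BASIC auth is base64(user ":" secret); base64 is an encoding, not encryption,
    so this must only be sent over HTTPS.
    """
    raw = f"{user}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(jenkins_url: str, path: str, user: str, api_token: str) -> urllib.request.Request:
    """Build an authenticated GET request for a Jenkins URL path such as /api/json."""
    url = jenkins_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(
        url,
        headers={
            "Authorization": basic_auth_header(user, api_token),
            "Accept": "application/json",
        },
    )


def fetch_json(jenkins_url: str, path: str, user: str, api_token: str, opener=urllib.request.urlopen):
    """Send the request and decode the JSON body.

    `opener` is injectable so the call can be exercised without a live server.
    """
    req = build_request(jenkins_url, path, user, api_token)
    with opener(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Stand-alone use: prints the instance description from /api/json.
    # Requires a reachable Jenkins at JENKINS_URL with the given credentials.
    info = fetch_json(JENKINS_URL, "/api/json", USER, API_TOKEN)
    print(info.get("description"))
```

The `opener` parameter exists so the request construction can be checked offline; in production leave it at the default `urllib.request.urlopen`.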
Protect users of Jenkins from other threats
There are additional security subsystems in Jenkins that protect Jenkins and users of Jenkins from indirect attacks.
The following topics discuss features that are off by default. We recommend you read them first and act on them.
CSRF Protection --- prevent a remote attack against Jenkins running inside your firewall
Security implication of building on master --- protect Jenkins master from malicious builds
Slave To Master Access Control --- protect Jenkins master from malicious build agents
The following topics discuss other security features that are on by default. You’ll only need to look at them when they are causing problems.
Configuring Content Security Policy --- protect users of Jenkins from malicious builds
Markup formatting --- protect users of Jenkins from malicious users of Jenkins
Disabling Security
One may accidentally set up the security realm or authorization strategy in such a way that it is no longer possible to reconfigure Jenkins.
When this happens, you can fix it with the following steps:
Stop Jenkins (the easiest way to do this is to stop the servlet container).
Go to $JENKINS_HOME in the file system and find the config.xml file. Open this file in an editor.
Look for the <useSecurity>true</useSecurity> element in this file. Replace true with false.
Remove the elements authorizationStrategy and securityRealm.
Start Jenkins.
When Jenkins comes back, it will be in an unsecured mode where everyone gets full access to the system.
If this is still not working, try renaming or deleting config.xml.
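The steps above are an edit of $JENKINS_HOME/config.xml. The following is an added example, not code from the Jenkins project or this page, that performs the same edit with Python's xml.etree.ElementTree and reports what it changed, so the file can be checked before and after. The sample config.xml embedded below is constructed for the example; the element names (useSecurity, authorizationStrategy, securityRealm) are the ones named in the steps. The script backs up the original file before rewriting it, which is the first thing to do before hand-editing a live configuration.

```python
"""Added example: apply the 'Disabling Security' recovery steps to a Jenkins config.xml.

Not from the Jenkins docs. Uses only the standard library.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of a minimal config.xml with security enabled (for demonstration only).
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <version>2.0</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
</hudson>
"""

XML_DECL = "<?xml version='1.0' encoding='UTF-8'?>\n"


def _class_of(el):
    return el.get("class") if el is not None else None


def security_state(xml_text: str) -> dict:
    """Summarise the three security-relevant settings, for a before/after check."""
    root = ET.fromstring(xml_text)
    use = root.find("useSecurity")
    return {
        "useSecurity": use.text.strip() if use is not None and use.text else None,
        "authorizationStrategy": _class_of(root.find("authorizationStrategy")),
        "securityRealm": _class_of(root.find("securityRealm")),
    }


def disable_security_xml(xml_text: str):
    """Return (new_xml, changes): useSecurity set to false, realm and strategy removed.

    Unrelated elements (e.g. crumbIssuer) are left untouched. Calling it again on
    its own output makes no further changes.
    """
    root = ET.fromstring(xml_text)
    changes = []
    use = root.find("useSecurity")
    if use is not None and (use.text or "").strip() != "false":
        use.text = "false"
        changes.append("set <useSecurity> to false")
    for tag in ("authorizationStrategy", "securityRealm"):
        el = root.find(tag)
        if el is not None:
            root.remove(el)
            changes.append(f"removed <{tag}> (class={_class_of(el)})")
    return XML_DECL + ET.tostring(root, encoding="unicode"), changes


def disable_security_in_file(config_path: Path) -> list:
    """Back up config.xml to config.xml.bak, then rewrite it with security disabled.

    Note: ElementTree drops XML comments; the backup keeps the original verbatim.
    """
    original = config_path.read_text(encoding="utf-8")
    config_path.with_name(config_path.name + ".bak").write_text(original, encoding="utf-8")
    new_xml, changes = disable_security_xml(original)
    config_path.write_text(new_xml, encoding="utf-8")
    return changes


if __name__ == "__main__":
    import sys
    # Stand-alone use (Jenkins must be stopped first): python this.py $JENKINS_HOME/config.xml
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if path is None:
        new_xml, changes = disable_security_xml(SAMPLE_CONFIG)
        print("before:", security_state(SAMPLE_CONFIG))
        print("after: ", security_state(new_xml))
    else:
        print("before:", security_state(path.read_text(encoding="utf-8")))
        changes = disable_security_in_file(path)
        print("after: ", security_state(path.read_text(encoding="utf-8")))
    for c in changes:
        print(" -", c)
```

Run it with no arguments to see the transformation on the constructed sample; with a path it edits that file after writing a .bak copy. Once Jenkins is back up in unsecured mode, re-enable security promptly, since everyone has full access until you do.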