Jenkins restrict access to only Google Apps Domain users using OpenID Authentication - authentication

Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.
I'm currently using the Jenkins Authorization setting of "Logged in users can do anything". I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions. Is there a special group value I can use for "logged in users" in matrix based authentication?
It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google Apps for domains has support for the OpenID Team extension).

Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious.
If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.
It states:
The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
I use the following technique in combination with the OpenID plugin, which allows me to specify a Google Apps for Business domain to secure Jenkins with:
Warning: Make sure you've got a backup of your installation before you start, because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.
1. Ensure your choice of OpenID provider is still working OK with your current 'Logged in users can do anything' setting.
2. Select the 'Matrix-based security' mode for Authorization.
3. Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
4. Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
5. Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
6. Save the settings.
7. Reload Jenkins.
Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.
Hope this helps.

Related

Windows Authentication in ASP.NET Core: Manual login vs. Auto Intranet Login and Groups Available

I have an ASP.NET Core 3.0 application that works with local Intranet Windows Authentication to identify logged in users. Using the standard Windows Authentication behaviors I'm able to capture the user's WindowsIdentity without an issue.
However, depending on whether the user is logged into the browser using automatic Intranet Browser login (i.e. no password dialog) or by explicitly logging in using the browser Password dialog box, I get different results for the user's groups.
The following is an API request that echoes back user information including a filtered group membership list (that excludes built-in accounts). The one on the left is a manual login, the one on the right an auto-login.
For the explicit login I correctly see all the custom groups the user is part of. However, for the auto-login, those same groups do not show up:
I also took a close look at the User and Identity instances on the server, and it's referencing the exact same SIDs for the user, so it seems strange that different results are being returned for the Group Membership.
Any ideas why the group list is different when I am getting the same account returned? Note the groups are local so it shouldn't be an issue due to domain access.
Note: I'm testing locally on localhost even, and to test this I set the Windows Proxy Settings here:
With the checkboxes off I'm forced to login. With them on (in Chromium browsers anyway) I have to explicitly enter my credentials into the browser's login dialog.
Has the user logged out of their computer since being added to those groups?
The groups listed are held in the user's login token. I think what might be happening is that auto-login sends the user's existing login token (created when they logged into Windows), so it would not contain any groups that they've been added to since they last logged in.
Manually entering the username and password performs a new login, and thus gets a brand new token with all the groups at the time of the login. So new groups will show up there.

How to delete a user from SonarQube and re-activate?

In our SonarQube instance we have recently enabled LDAP authentication. Prior to LDAP integration the users were manually created. It so happened some of the users were created using the same LDAP user ID and custom password.
Now that LDAP is integrated we want all users to use the LDAP ID/password instead of the previously manually created ID/password. SonarQube login works with the manually created password rather than the LDAP password. So how do I remove the manually created users and only activate the LDAP users?
PS: I don't see the option to delete but only to de-activate.
As replied by Jeroen Heier in comments, removing users from Administration > Security > Users will allow you to reuse the login of the removed user with an LDAP account.
If it's not the case, please describe what you're doing.
While I'm concerned with the deletion of an account... why can't you re-activate a user if you de-activated them through the UI? This is incredibly painful if a user was accidentally deactivated.

How to restrict access to Jenkins?

My Jenkins instance is currently open to every user; there is no authentication. I want to protect Jenkins against access by unauthorized users. I'm looking for a very simple/basic solution -- one user. If this "admin" user hasn't authenticated himself, he should not be able to do anything. If he has, he should get full access to the Jenkins instance (including all projects). How do I configure this?
Follow these steps:
Go to Configure Global Security --> Security Realm: Jenkins' own user database, and Authorization: Logged-in users can do anything. After saving, Jenkins should prompt you to create a new user. Please create the required user by filling in details like username and password.
Then, log in with that user and change the authorization to Matrix-based security. The matrix configuration should be as shown below i.e., it should have all privileges for the required user and none for anonymous users.
First you need to create an admin user, or whatever you want to call it.
To do that, go to your Jenkins dashboard page and find the "Credentials" option.
In Credentials, you can create your user.
With your admin user created, just go back to your Jenkins dashboard page and find the "Manage Jenkins" option; in there, click on "Configure Global Security".
In the Global Security page, check the box "Enable Security", scroll down to "Access Control", choose "Jenkins' own user database" and select what users can do after login.
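Both the OpenID answer above (authenticated gets everything, Anonymous gets nothing) and the single-admin setup here end in the same state, and the warning about locking yourself out is real. The following offline check, added here and not part of either answer, reads a Jenkins config.xml before you reload and reports whether anonymous still holds any permission and whether some logged-in principal keeps Overall/Read. It assumes the legacy GlobalMatrixAuthorizationStrategy layout, where each grant is stored as a `<permission>PERMISSION_ID:SID</permission>` element and Overall/Read has the internal id `hudson.model.Hudson.Read`; the two sample configs are constructed for the example.

```python
"""Offline audit of a Jenkins config.xml for the 'lock out anonymous' setup.

Added example, not from the original answers. Assumes the legacy
GlobalMatrixAuthorizationStrategy format: one <permission> element per grant,
with text "PERMISSION_ID:SID" under <authorizationStrategy>.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

MATRIX_CLASS = "hudson.security.GlobalMatrixAuthorizationStrategy"
OVERALL_READ = "hudson.model.Hudson.Read"  # internal id of Overall/Read

# Constructed sample: the state after the procedure above (authenticated
# holds the permissions, Anonymous holds none).
LOCKED_DOWN_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>
"""

# Constructed sample: a misconfiguration where the Anonymous row was never
# unticked, so job names and views stay visible without login.
LEAKY_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""


def permissions_by_sid(config_xml):
    """Map each SID (user or group name) to the set of permission ids it holds."""
    root = ET.fromstring(config_xml)
    grants = defaultdict(set)
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return grants
    for elem in strategy.findall("permission"):
        # Split on the last colon: permission ids contain no colons, so the
        # SID (which may be any string) stays intact.
        perm, _, sid = (elem.text or "").strip().rpartition(":")
        if perm and sid:
            grants[sid].add(perm)
    return grants


def audit(config_xml):
    """Return a list of findings. An empty list means anonymous holds nothing
    and at least one non-anonymous principal can still read Jenkins, so the
    reload will not lock everyone out."""
    findings = []
    root = ET.fromstring(config_xml)
    if (root.findtext("useSecurity") or "").strip() != "true":
        findings.append("security is disabled (useSecurity is not true)")
    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") != MATRIX_CLASS:
        findings.append("authorization strategy is not matrix-based")
        return findings
    grants = permissions_by_sid(config_xml)
    if grants.get("anonymous"):
        findings.append("anonymous still holds: " + ", ".join(sorted(grants["anonymous"])))
    readers = [sid for sid, perms in grants.items()
               if sid != "anonymous" and OVERALL_READ in perms]
    if not readers:
        findings.append("no logged-in principal holds Overall/Read; "
                        "everyone would be locked out after reload")
    return findings


if __name__ == "__main__":
    for name, cfg in (("locked down", LOCKED_DOWN_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(name, "->", audit(cfg) or ["OK"])
```

Run it against `$JENKINS_HOME/config.xml` (read the file into `audit`) after saving the matrix and before reloading; a non-empty result is the moment to restore the backup rather than find out from a 403 on the login page.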

Grafana: Any way to integrate invite users with LDAP login

I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to a conflict with LDAP in case the user's AD password changes.
This works perfectly when a user has previously logged in to Grafana. An invite sent afterwards would directly take the user to the login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.

"Could not update the configuration for app" error message when adding Office365 Unified Application permissions

I want to get started with the Office365 Unified API, so I decided to register a new web app in our Azure directory.
In the section "permissions to other applications", I select Office365 unified API (preview).
I can only set delegated permissions (I don't have all admin powers in our tenant), so I choose the ones I need (user profiles, sign-in; the exact number does not matter).
When I save the configuration I get the message
Could not update the configuration for app ""
Information tells me:
Unauthorized. You do not have sufficient permissions to access this resource.
The strange thing is that when I log out and return to the application in the Azure Portal, I do see those modifications in the configuration?!
Finally when I try to call the REST endpoint (with valid Accesstoken etc..) I get this message:
{"error":"invalid_grant","error_description":"AADSTS65001: No permission to access user information is configured for 'f1299649-ea20-4cf6-9cd6-afb69d9b5760' application, or it is expired or revoked.\r\nTrace ID: 69ab1a6c-eeda-4351-8e1e-2b774c19a5a0\r\nCorrelation ID: 968a962e-d851-48bb-ad6f-3f05ea7b8efe\r\nTimestamp: 2015-06-18 20:12:15Z","error_codes":[65001],"timestamp":"2015-06-18 20:12:15Z","trace_id":"69ab1a6c-eeda-4351-8e1e-2b774c19a5a0","correlation_id":"968a962e-d851-48bb-ad6f-3f05ea7b8efe","submit_url":null,"context":null}
So maybe the Azure Portal UI is right the first time and those permissions were never stored with the app?
The application details in https://portal.office.com/myapps tell me this:
Permissions
This app works with data in your documents. It will be able to:
Read directory data
Sign you in and read your profile
Read all users' basic profiles
Access the directory as you
Read directory data
Sign-in as you and read your profile
What would be the next step to take to get this to work?
What is your app trying to do (in terms of access to users, groups etc)?
Access the directory as you is a permission that requires admin consent. The portal unfortunately has a bug that it appears as though you have the permission, but that's not true. That's because there are 2 elements here - configuring the permissions your app needs which drives the consent experience AND the consent grant. The portal (under the covers) tries to consent the app for the permissions it requires within the developer tenant. A non-admin in this case has permissions to update the app configuration, but not to consent for those permissions in their tenant.
Hope this helps,
It is impossible to set permissions to the Office 365 Unified API for your application, even if you are tenant administrator, due to an error. I have tried it. Remember that the whole Unified API is in Preview mode, so there will definitely be other errors.