I have an application that monitors CI jobs, and I've added a jenkins installation to my account. Typically, this application is internal to the company I work at, but our jenkins servers aren't accessible outside the LAN.
To lookup the status of a build, I to a python urllib.urlopen on
http://hostname/job/job_name/lastBuild/api/json
then parse the json result
When trying to connect to https://webiken.ci.cloudbees.com, I get an HTTPError because the URL requires authentication. Is there anyway to configure my jenkins to be public?
Thanks,
Sam
you can use HTTP Basic authentication with your cloudbees credentials to access the API :
curl https://webiken.ci.cloudbees.com/job//api/json --user ndeloof#cloudbees.com:
Also see this wiki page on how to make your Jenkins instance public.
Related
We are running the Jenkins with the SAML authentication. Now, we are trying to extract build user info from Jenkins buildURL xmi path and need to authenticated with the jenkins server. I created api token using my user and this is used by every build to communicate with buildURL job.
Is there any way, we can create a common api credential to authenticate with Jenkins.
Thanks
I have a personal SonarQube (Latest LTS) and Gitlab (14.5.1) installation. I've set-up everything and login with Gitlab through the web interface is working. However, I'm looking for a way to login with gitlab credentials throught the SonarQube API. If I add this to my gitlab-ci.yml file: https://sonarqube.example.com/api/projects/create?name=testProject I get a 401 (which is expected since I haven't added an API key and such).
My question is: Is it possible to automatically create an API key, use it in the gitlab-ci.yml and authenticate with it? If there's no way of doing this, is there an possibility to generate a group API key so that users in a certain group have access to the API, both on SonarQube and Gitlab?
Have been stuck on this for a while now, thanks in advance.
On the official documentation there are a set of steps for Auth for GitLab
Authenticating with GitLab
You can delegate authentication to GitLab using a dedicated GitLab OAuth application.
Creating a GitLab OAuth app
You can find general instructions for creating a GitLab OAuth app here.
Specify the following settings in your OAuth app:
Name – your app's name, such as SonarQube.
Redirect URI – enter your SonarQube URL with the path /oauth2/callback/gitlab. For example, https://sonarqube.mycompany.com/oauth2/callback/gitlab.
Scopes – select api if you plan to enable group synchronization. Select read_user if you only plan to delegate authentication.
We would like users to use their username/password along with another form of Multifactor Authentication, such as Google Auth (or Authy), to log into Jenkins.
We did not find any plugins that support this.
We are using AWS, so one of the things we looked at was putting an ALB in front of Jenkins and then putting, but this may interfere with getting POST requests from github to trigger builds.
Any ideas/plugins/suggestions on how to enable MFA on Jenkins?
Thanks!
I believe it is recommended to use SSO (something like SAML: https://wiki.jenkins.io/display/JENKINS/SAML+Plugin) and then as part of the SSO you can implement MFA. The problem with doing MFA directly with Jenkins is that Jenkins has pretty rudimentary user management.
I'm trying to get my spinnaker interface authenticated using this tutorial:
https://www.spinnaker.io/setup/quickstart/halyard-gke-public/
Prior to the tutorial, spinnaker was confirmed up and running on http://localhost:9000. I have tried the following on 1.3.1, 1.4.1 and 1.4.2.
After editing/applying/enabling the google security, I try the login and successfully am challenged with a google login screen. Upon completing the two-factor auth and I am redirected as expected to http://localhost:8084/login, though I receive the following error:
{
"error": "Unauthorized",
"message": "Authentication Failed: User's info does not have all required fields.",
"status": 401,
"timestamp": 1506985726074
}
Here is a log of my setup steps:
kross#halyard:~$ hal config security authn oauth2 edit --provider google \
> --client-id $CLIENT_ID \
> --client-secret $CLIENT_SECRET \
> --user-info-requirements hd=$DOMAIN
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully edited oauth2 method.
kross#halyard:~$ hal config security authn oauth2 enable
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully enabled oauth2
kross#halyard:~$ hal deploy apply
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-igor
Success
+ Deploy spin-rosco
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
I'm not quite sure what to do with this. It seems I am authentic, yet for some reason the required user fields are not allowed in the interaction.
I have reviewed spinnaker's authentication setup as well and repeatedly made a few changes and tested with a fresh incognito browser, yet no change.
Since the google provider is a packaged OAuth 2 provider with spinnaker, I'm confused as to what further configuration would be necessary, as I am not "bringing my own provider".
Where can I start looking next? Any references/pointers to documentation?
The problem is the --user-info-requirements hd=$DOMAIN argument. This is (generally) only needed if you're using a G Suite/Google Apps for Work account as your OAuth identity provider - it restricts login to only users in your domain. Otherwise, anyone with a valid #gmail account would be able login.
If you do use the --user-info-requirements hd=$DOMAIN and the $DOMAIN specified is invalid, you will receive this error. Be sure to use the fully qualified domain name as the value.
I had installed Jenkins in Ubuntu machine and making build successfully. I want to have authentication with help of Google apps. I feel it would be better, I searched the plugin respective to this, but i can't find it. whether this can be attained by means of plugin or otherways? Please do let me know the ways to do. Thanks in advance
Now that Google deprecated support for OpenID, you can use Google Login Plugin which works well with Google Apps.
In Jenkins by default user authentication is not enabled but we can establish the user authentication from the Global Security section. We have to create users for team members and it maintains all user in its own database. But we can also configure Jenkins with Google OAuth. So, if you are leveraging Google services and already have users on it. The users can login to Jenkins and perform their task.
To implement Google OAuth we'll recommend jenkinsci/google-login-plugin (https://github.com/jenkinsci/google-login-plugin) this is a Jenkins plugin which lets you login to Jenkins with your Google account. Also allows you to restrict access to accounts in a given Google Apps domain.
I am assuming that we have already installed Jenkins server and have admin right to make changes in it. The whole configuration is divided into three easy steps.
1. Get Google OAuth Credentials
To use this plugin, you must obtain OAuth 2.0 credentials from the Google Developers Console (https://console.developers.google.com). These don't need to belong to a special account, or even one associated with the domain you want to restrict logins to.
Instructions to create the Client ID and Secret:
Login to the Google Developers Console
Create a new project, in the pop-up window specify your project
name it can be any name which is more meaning full to you, eg:
Jenkins OAuth. In this project we will generate authantication
credentials to enable OAuth API.
On the left sidebar under APIs & Services (API Manager) ->
Credentials, Create credentials, OAuth client ID (It will genrate API
credentials and these credentails are required to configure in
Jenkins in last step).
As we are going to integrate this in Jenkins and it is a web
service, the application type should be "Web Application"
Register Jenkins URI from where we allowed to access the Google
APIs. We have to provide Jenkins server detail. You can replace your
JENKINS_ROOT_URL = http:jenkins.mydomain.com with your own Jenkins URI. This will be the landing page of your Jenkins server.
Once you hit this page it will be redirected to google for the
authentication.
The authorized redirect URIs is required to redirect you after
successful login. It is the combination of your Jenkins landing page
and a suffix string to validate you are a logged in user. As we want
to land user to Jenkins dashboard, so it has the same URI which we
mentioned in the previous step and don’t forget to include
securityRealm/finishLogin at the end. So the authorized redirect
URLs should result like this
${JENKINS_ROOT_URL}/securityRealm/finishLogin.
eg: http://jenkins.mydoamin.com/securityRealm/finishLogin
Copy and save Client ID and Client Secret, these credential
will be used to enable Google APIs in Jenkins (Security Realm
Configuration).
2. Install Google Login Plugin
In Jenkins there is no mechanism to configure OAuth but there are many plugins are available and we are using Google Login plugin. We can easily install this plugin from Manage Jenkins –> Manage Plugins –> Available and search for “Google Login”. Select the plugin. There is no need to restart to install this plugin. This plugin allows for the register Google OAuth and performs authentication.
3. Configure Jenkins
In this step, we will setup Google security credentials in installed plugin. Navigate to Manage Jenkins –> Configure Global Security and select Login with Google under Security Realm paste credentials (Client ID and secret) generated in the first step. In the last field do not forget to enter your domain name it allows you to restrict access to given domain name.
Immediately after saving changes Jenkins will allow access to all users in your domain. Now, try to login into your Jenkins it will redirect you to Google Authentication page. If everything is set up properly you will be logged in but just in case you’re still facing any problem go back and check each step. The logged in user can do anything and if you want to restrict users you can implement Role Strategy Plugin (https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin) security.
You can achieve Single Sign On with Google Apps using the OpenID Plugin. It's very easy to set up, you basically install the plugin, select "Google Apps SSO (with OpenID)" and enter your domain. Note that users will have to have a google apps account to login after that.
Tip: you might consider using it in combination with the Role Strategy Plugin
I used a command line browser called elinks to sign in to their html mail server http://m.gmail.com.
Use shift in Elinks to copy and paste.
http://minimallinux.blogspot.com/2012/07/centos-6rhel-install-elinks-text-browser.html
I switched a text message script from one jenkins box to another and had to do this to get Google to let me use that IP.