CODEWITHSUNDEEP
jenkinscontinuous-integrationtwo-factor-authentication
Karuna Pathak
Karuna Pathak

Reputation: 1

Jenkins User's authorization to deploy

I wanted to have 2-factor authentication in Jenkins for all the users (even super admin) and wanted to know, if it's possible and if it is, what is the possible way or do we need a plugin for it.

Plus can we have authorization for scheduling the deployment in Jenkins and if it's possible, how can we do it.

Upvotes: 0

Views: 2799

Answers (1)

Slav
Slav

Reputation: 27485

Jenkins authorization is explained in detail here:
https://wiki.jenkins-ci.org/display/JENKINS/Standard+Security+Setup

The "Authorize Project plugin" is not for what you are asking.

You will not be prompted for password everytime you start a job. Instead, you should configure individual jobs to give access to individual people. Jenkins allows that granularity.

If you really want to prompt for password at every job execution, you will have to configure job to create a new password parameter, and then as one of your first build steps, validate the entered password against... against whatever it is that you want. But that means your validation script will probably reside on Jenkins itself.

Edit:

  • Configure Job
  • Select "This build is parameterized"
  • Add "String" parameter
  • Call it "password"
  • If on *nix environment, select "Execute Shell" for the first build step:

set +x if ! [[ "$password" == "mysecret" ]]; then echo "Bad password" exit 1 fi exit 0

  • If on Windows environment, select "Execute Windows batch command" for the first build step:

@echo off if not "%password%" == "mysecret" ( echo "Bad password" exit /b 1 ) exit /b 0

  • Add other build steps as normal.

Now, every time the job runs, it will prompt for "password", and if it doesn't match string "mysecret", the job will fail.

Important Notes:

  • This will run after SCM checkout. If you want to run it before SCM checkout, you'd need Pre-SCM build step plugin.
  • Anyone with "Configuration" access to the job permission or above will be able to see the "mysecret" in plain text. You can use EnvInject plugin to configure global (or job local) password and validate against that variable, instead of "mysecret"
  • Anyone with direct/remote login to the Jenkins machine will be able see the configuration file with "mysecret" in plain text (unless using EnvInject from above).
  • People with enough permissions could modify or copy the job, and remove this validation.

Once again, I implore you that the correct approach is to provide granular per-user permissions through default Jenkins security/authorization. Use "matrix" authorization to give permissions per user per job.

Upvotes: 1

Related Questions