Reputation: 3205
Jenkins - need JENKINS_HOME but missing the Overall/Administer permission for systemInfo
I'm automating a Jenkins tool using the Jenkins API that needs to know the value of $JENKINS_HOME. This tool is running outside of Jenkins.
I'm using http:///systemInfo to see the environment variables.
Unfortunately the API for this doesn't have the env vars:
http:///api/xml/systemInfo
The problem is, the systemInfo page requires admin, it gives the error that the user is missing the Overall/Administer permission.
So - why does systemInfo need admin (but the XML doesn't) - or more importantly, how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials?
Upvotes: 4
Views: 374
Answers (2)
Reputation: 8164
how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials
I think there is no place where this is directly exposed to non-admin users.
A clean way to exhibit the path in a controlled manner is to extract the information once during Jenkins startup, and putting it to a place where all others can access it.
E.g., you could provide the path via $JENKINS_URL/userContent/jenkins_home.txt by adding the the following init script in $JENKINS_HOME/init.groovy.d/create-jenkins-home.groovy
import jenkins.model.Jenkins
Jenkins.get().getRootDir().toPath().resolve("userContent").resolve("jenkins_home.txt").setText(Jenkins.get().getRootDir().getPath())
Upvotes: 1
Reputation: 2342
Why does systeminfo need admin
why does systeminfo need admin (but the XML doesn't)
Imagine the following hypothetical situation:
There is one administrator who manages the software projects and jenkins instance, he can set secret information into environment-variables (like some specific SECRET_KEY that can be used by the jenkins pipeline).
If now every ordinary user or service in the project could read all the environment variables, he could also get direct access to the SECRET_KEY, without being in the controlled environment of jenkins-configurations that are only accessible on the server.
How to access environment variables outside the server
how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials?
I guess you need to make some kind of token / private-key available to the service/user that can be used to make elevated-privilege requests to the server. For example explained in this stackoverflow question:
- stackoverflow: How to get the API Token for Jenkins
With this token you can then have elevated privileges for clients. E.g. extracted from jenkins.io an example for authenticating scripted clients:
curl -X POST -L --user jenkins:apiToken \
https://jenkins.yourcompany.com/job/your_job/build
I hope this is also covering your desired api-access-point for xml.
Some more resources on jenkins authentication
api-tokens (for versions
2.129+)
Upvotes: 1
Related Questions
- Jenkins Ambiguous Permission
- Does Jenkins windows service need admin rights?
- Jenkins - Execute shell - /bin/systemctl: cannot execute: Permission denied
- Jenkins - Permission denied on folder
- Jenkins user permissions wiped on restart?
- Jenkins installation - Unable to create the home directory despite its existence and writeability
- Jenkins ver. 2.121.3 + MacOS + logged in admin user not see "Jenkins Manage"
- How to install jenkins under current user (not 'jenkins') on MAC OS X
- Jenkins CLI exception: missing Job/ExtendedRead permission
- Fixing Jenkins privileges on build