Close Jenkins UI to anonymous users

Allowing anonymous access to the Jenkins UI is dangerous.

While it is true that Jenkins ACLs can be tuned to restrict what users
can or cannot do, there's nothing that prevents malicious users from
issuing HTTP POST/PUT requests, exploiting possible Jenkins or plugin
vulnerabilities.

This already happened in the past and it calls for more restrictive ACLs
at the HTTP level.

For this reason, we now front Jenkins with an HAProxy instance which
still allows full access to authenticated users, but restricts
anonymous calls to only:

- Download artifacts
- Log browsing
- Plugin listing (needed by plugin manager)

This is achieved by introducing a Lua authentication backend for
checking the user authentication status.

Specifically, this change relies on the `haproxy-auth-request` [1] Lua library
and its dependencies (json.lua [2], haproxy-lua-http [3]).

Note that as a consequence of this change, an anonymous user will no
longer be able to see the UI, including the login URL.

A follow-up change will redirect unauthorized calls to a static page
that will provide just that.

[1] https://github.com/TimWolla/haproxy-auth-request
[2] https://github.com/rxi/json.lua
[3] https://github.com/haproxytech/haproxy-lua-http

Bug: Issue 324934084
Change-Id: I2c125ad0865ae643625153b92b655db83ad896f2
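A sketch of what the HAProxy side of such a setup looks like, added here as an illustration; it is not taken from this change's files. The listen/bind addresses, certificate path, Lua install paths, the probe URL used to validate a session (`/me/api/json`, chosen because Jenkins answers it with 403 for anonymous callers and 200 for a logged-in user) and the exact anonymous URL patterns are all assumptions; HAProxy 2.4+ is assumed for `normalize-uri`.

```haproxy
global
    # auth-request.lua plus its dependencies (json.lua, haproxy-lua-http).
    # Install locations are assumed; adjust to where the files were copied.
    lua-prepend-path /usr/share/haproxy/?.lua
    lua-prepend-path /usr/share/haproxy/?/http.lua
    lua-load /usr/share/haproxy/auth-request.lua

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend jenkins_fe
    bind :443 ssl crt /etc/haproxy/jenkins.pem   # assumed certificate path

    # Canonicalise the path before any ACL looks at it, so that
    # "/job/x/1/artifact/../../configure" or "/job//x" cannot slip past
    # a prefix match on the allowlist below.
    http-request normalize-uri path-merge-slashes
    http-request normalize-uri path-strip-dotdot
    http-request normalize-uri percent-decode-unreserved

    # Ask Jenkins whether the caller's session is valid. auth-request
    # forwards the client's request headers (Cookie included) to the
    # backend and sets txn.auth_response_successful on any 2xx reply.
    http-request lua.auth-request be_jenkins_auth /me/api/json
    acl authenticated var(txn.auth_response_successful) -m bool

    # Read-only URL space reachable without a session (patterns assumed
    # from Jenkins' usual layout: build artifacts, build logs, plugin list).
    acl anon_read method GET HEAD
    acl anon_path path_reg ^/job/[^/]+/[0-9]+/artifact/
    acl anon_path path_reg ^/job/[^/]+/[0-9]+/(console|consoleText|logText/progressiveText)$
    acl anon_path path /pluginManager/api/json

    # Anonymous callers get the allowlisted paths with GET/HEAD only;
    # every other request (any POST/PUT included) needs a valid session.
    http-request deny deny_status 403 if !authenticated !anon_read
    http-request deny deny_status 403 if !authenticated !anon_path
    default_backend be_jenkins

backend be_jenkins_auth
    # Same Jenkins instance, used only to validate sessions.
    server jenkins 127.0.0.1:8080

backend be_jenkins
    server jenkins 127.0.0.1:8080
```

The two `deny` lines are ANDed conditions, so an anonymous request survives only if it is GET/HEAD and matches one of the `anon_path` patterns. The allowlist is only as good as the path it sees, hence the `normalize-uri` lines before it, and it is only worth anything if Jenkins itself listens on localhost (or an address reachable solely from the proxy), so the proxy cannot be bypassed by connecting to port 8080 directly.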
8 files changed
tree: d45e6c3a22155f219df7166e4f8b853a96821926
  1. jenkins/
  2. jenkins-docker/
  3. vars/
  4. worker/
  5. .gitignore
  6. Jenkinsfile
  7. README.md
  8. yamllint-config.yaml
README.md

Gerrit CI scripts

Providing jobs

This project uses Jenkins Job Builder [1] to generate jobs from YAML descriptor files.

To add new jobs, reuse existing templates, defaults, etc. as much as possible. For example, adding a job that builds an additional branch of a project may be as easy as adding the branch name to an existing project entry.

To keep the YAML files readable, lint them with yamllint [2]. Yamllint can be installed with pip:

pip3 install --require-hashes yamllint

Note that `--require-hashes` only works when every requirement is pinned with `==` and carries a `--hash=sha256:...` option, which pip normally reads from a requirements file; given a bare package name as above, pip refuses to install. Either supply such a requirements file or drop the flag.

To run the linter, execute this command from the project's root directory:

yamllint -c yamllint-config.yaml jenkins/**/*.yaml

The `**` pattern only recurses into subdirectories when the shell's globstar option is enabled (`shopt -s globstar` in bash); alternatively pass the directory itself, `yamllint -c yamllint-config.yaml jenkins/`, since yamllint recurses into directories on its own. Yamllint only reports issues; it does not fix them.

[1] https://docs.openstack.org/infra/jenkins-job-builder/index.html
[2] https://pypi.org/project/yamllint/