| commit | 5bd5ac312a6d3e898896346fc0db3b0e66f72739 | |
|---|---|---|
| author | Antonio Barone <syntonyze@gmail.com> | Mon Feb 26 10:48:53 2024 +0000 |
| committer | Antonio Barone <syntonyze@gmail.com> | Fri Mar 01 11:02:30 2024 +0100 |
| tree | d45e6c3a22155f219df7166e4f8b853a96821926 | |
| parent | df17c02829f171567bbaab263fd271548b8eb9c5 | |
Close Jenkins UI to anonymous users

Allowing anonymous access to the Jenkins UI is dangerous. While it is true that Jenkins ACLs can be tuned to restrict what users can or cannot do, there's nothing that prevents malicious users from issuing HTTP POST/PUT requests, exploiting possible Jenkins or plugin vulnerabilities. This already happened in the past and it calls for more restrictive ACLs at HTTP level.

For this reason, we now front Jenkins with a haproxy instance which still allows full access to authenticated users, but restricts anonymous calls to only:

- Download artifacts
- Logs browsing
- Plugins listing (needed by plugin manager)

This is achieved by introducing a Lua authentication backend for checking the user authentication status. Specifically, this change relies on the `haproxy-auth-request` [1] Lua library and its dependencies (json.lua [2], haproxy-lua-http [3]).

Note that as a consequence of this change, an anonymous user will no longer be able to see the UI, including the login URL. A follow-up change will redirect unauthorized calls to a static page that will provide just that.

[1] https://github.com/TimWolla/haproxy-auth-request
[2] https://github.com/rxi/json.lua
[3] https://github.com/haproxytech/haproxy-lua-http

Bug: Issue 324934084
Change-Id: I2c125ad0865ae643625153b92b655db83ad896f2
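An added configuration sketch of the arrangement the commit message describes, not the project's own haproxy.cfg: `haproxy-auth-request` asks a backend whether the caller is authenticated, authenticated users pass through untouched, and anonymous callers are limited to read-only requests on artifact, console-log and plugin-list paths. The Lua install paths, the certificate path, the Jenkins listener address, the authentication probe URL and the exact Jenkins path patterns are assumptions.

```haproxy
global
    # Lua library locations are assumed; haproxy-auth-request needs
    # haproxy-lua-http and json.lua resolvable from these paths.
    lua-prepend-path /usr/share/haproxy/?/http.lua
    lua-load /usr/share/haproxy/auth-request.lua

frontend fe_jenkins
    bind :443 ssl crt /etc/haproxy/certs/jenkins.pem   # assumed cert path
    mode http

    # Ask be_jenkins_auth whether the request carries a valid session.
    # The probe URL is an assumption: it must answer 2xx only for logged-in
    # users. The result lands in txn.auth_response_successful.
    http-request lua.auth-request be_jenkins_auth /assumed/auth/probe
    acl authed var(txn.auth_response_successful) -m bool

    # Read-only Jenkins paths that remain open to anonymous callers
    # (patterns assumed; nested multibranch jobs are covered by ".+").
    acl anon_artifact path_reg ^/job/.+/[0-9]+/artifact/
    acl anon_console  path_reg ^/job/.+/[0-9]+/(console|consoleText|consoleFull)$
    acl anon_plugins  path_beg /pluginManager/api/
    acl read_only     method GET HEAD

    # Anonymous callers may only make GET/HEAD requests to the allow-listed
    # paths; any other anonymous request, in particular POST/PUT, is refused
    # here and never reaches Jenkins or its plugins.
    http-request deny deny_status 403 if !authed !read_only
    http-request deny deny_status 403 if !authed !anon_artifact !anon_console !anon_plugins

    default_backend be_jenkins

backend be_jenkins_auth
    mode http
    server jenkins 127.0.0.1:8080   # assumed Jenkins listener

backend be_jenkins
    mode http
    server jenkins 127.0.0.1:8080   # assumed Jenkins listener
```

Check the probe URL with both an anonymous and a logged-in session before deploying: if it returns 2xx to anonymous callers, `authed` is true for everyone and the deny rules never fire.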
This project uses Jenkins Job Builder [1] to generate jobs from YAML descriptor files.

To add new jobs, reuse existing templates, defaults, etc. as much as possible. For example, adding a job to build an additional branch of a project may be as easy as adding the name of the branch to an existing project.

To keep the YAML files readable, use yamllint [2] to lint them. Yamllint can be installed with pip:

```shell
pip3 install --require-hashes yamllint
```
To run the linter, execute this command from the project's root directory:
```shell
yamllint -c yamllint-config.yaml jenkins/**/*.yaml
```
Yamllint will not fix detected issues itself.
[1] https://docs.openstack.org/infra/jenkins-job-builder/index.html
[2] https://pypi.org/project/yamllint/