Detailed explanation of Jenkins security configuration

First, enter the security configuration interface

- From the Jenkins home page, click Manage Jenkins.

- Scroll down to Configure Global Security.

- Click it to enter the security configuration interface.

Second, a detailed explanation of what each security configuration option does

1. Enable security:

  When this is checked, a user must log in with a username and password before configuring or running builds. The usual advice was to leave it off on an internal network (a "trusted" environment) so developers can configure their own projects without bothering an administrator, but that is a mistake: with security disabled, anyone who can reach the Jenkins port can use the script console and job configuration to run arbitrary code on the controller and on every agent, so an internal network only limits who can do this, not what they can do. Keep it enabled everywhere; a Jenkins exposed on the public network with security disabled will be found and taken over. Newer Jenkins releases (2.214 and later) have removed this checkbox altogether and always run with security enabled.

2. TCP port for JNLP agents:

  Jenkins listens on a TCP port for inbound (JNLP) agents that connect to the controller (newer releases label it "TCP port for inbound agents"). There are three choices. "Disable" closes the port; use it whenever agents are attached over SSH or inbound agents are not used at all, so there is one less listener exposed. "Fixed" pins the port to a constant so a firewall rule can be written for it; this is the right choice when inbound agents are in use. "Random" picks a free port at each start-up to avoid conflicts, which makes firewalling impossible and is the least desirable option for anything but a throwaway test instance.

3. Disable remember me:

  Hides the "Remember me on this computer" checkbox on the login form, so Jenkins never issues the long-lived cookie that keeps a user logged in across browser sessions. Enable this where people log in from shared or untrusted machines: the cookie is as good as the password for as long as it is valid.

4. Access Control:

  Controls who may use Jenkins and what they may do: individual users can be denied specific functions or denied login altogether.

Access Control has two sub-options:

(1) Security Realm: decides how users are authenticated, that is, which usernames and passwords are valid and which groups each user belongs to.

  Delegate to servlet container

  # Servlet container authentication: if Jenkins runs inside a servlet container such as Tomcat or GlassFish, the container has its own user realm and access controls. Choosing this option hands authentication over to the container, so Jenkins users are managed wherever the container manages its users.

  Jenkins' own user database

  # Jenkins' dedicated user database: Jenkins keeps its own list of users. It is fine for a small team but becomes unmanageable with a large number of users, where one of the directory-backed realms below is a better fit. Under this realm, "Allow users to sign up" controls self-registration: when it is checked, anyone who can reach the login page can click "Sign up" in the upper right corner, create an account and log in. On any instance that is not fully trusted this box must be unchecked; otherwise an attacker simply registers an account and, under the "Logged-in users can do anything" authorization strategy, immediately has full control. With sign-up disabled, new accounts are created by an administrator through Manage Jenkins -> Manage Users -> Create User.

  LDAP

  # LDAP lets users authenticate with the accounts they already have in the company directory, so no accounts need to be created in Jenkins. Permissions for those users are granted under Authorization in Configure Global Security; once granted, the user logs in with the LDAP account and password. Use LDAPS (TLS) for the directory connection so credentials are not sent in the clear.

  Unix user/group database

  # Authenticates against the local operating system's users and groups through PAM, so the accounts and group memberships of the host running Jenkins are reused. For this to work the Jenkins process must be able to read /etc/shadow (typically by membership of the shadow group), which is itself a privilege worth weighing before choosing this realm.

 

(2) Authorization: decides what an authenticated user is allowed to do.

  Anyone can do anything: no restrictions at all, anonymous visitors included. Never use this on a reachable instance.

  Logged-in users can do anything: every authenticated user is an administrator, optionally with anonymous read access. Acceptable only when every account holder is trusted as an administrator, and only with self-registration disabled.

  Legacy mode: behaves like Jenkins 1.164 and earlier. Users in the "admin" role have full control of Jenkins; everyone else (anonymous users included) has read-only access.

5. Markup Formatter

    Controls how free-form text such as job and view descriptions is rendered. "Raw HTML" passes the text through unchanged, so whatever HTML a user typed is rendered, scripts included; any user who can edit a description can then inject code that runs in the browser of everyone who views the page (stored XSS). "Escaped HTML" (called "Plain text" in newer releases) escapes the markup and displays it literally, which is the safe choice. If rich descriptions are needed, the "Safe HTML" formatter from the OWASP Markup Formatter plugin allows a whitelist of harmless tags.

6. Prevent Cross-Site Request Forgery

    Cross-site request forgery (CSRF or XSRF) tricks a logged-in user's browser into sending a request to Jenkins that the user never intended, riding on that user's session; against Jenkins that means deleting jobs, triggering builds or changing configuration. When this option is enabled, Jenkins issues a per-session token (a "crumb") and rejects any request that would change state on the server unless it carries a valid crumb. This covers form submissions of every kind and remote API calls alike, so scripts that drive Jenkins over HTTP must first fetch a crumb from /crumbIssuer/api/json and send it back in the Jenkins-Crumb header, or authenticate with an API token, which is exempt from the crumb check. Leave this enabled; the only common reason to disable it is a script that has not been taught about crumbs, and the fix is the script, not the setting.

7. Enable Slave → Master Access Control

    Build steps run on agents (slaves), and an agent can in principle send commands back to the controller (master) over the same channel. Enabling this option restricts what an agent may do on the controller to an allow-list of operations, so a compromised agent, or a malicious build running on one, cannot read the controller's secrets or execute code there. Keep it enabled; the individual rules can be adjusted through the "rules can be tweaked here" link under this option. Newer releases call this "Agent → Controller Access Control" and have removed the ability to switch it off.
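The choices above, applied in one place. This is an added example written for this page, not code from the original article or from the Jenkins project: a Groovy init script using Jenkins' own configuration API, which can be dropped into $JENKINS_HOME/init.groovy.d/ so it runs at start-up, or pasted into Manage Jenkins -> Script Console. The JENKINS_ADMIN_USER and JENKINS_ADMIN_PASSWORD environment variables are assumptions of the example; the class and method names are the real Jenkins ones. The slave-to-master (agent-to-controller) kill switch is left as a commented line because recent releases removed it.

```groovy
// Added example: hardened Configure Global Security settings via the Jenkins Groovy API.
// Save as $JENKINS_HOME/init.groovy.d/security.groovy (runs at start-up)
// or run from Manage Jenkins -> Script Console.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
import hudson.security.csrf.DefaultCrumbIssuer
import hudson.markup.EscapedMarkupFormatter

def jenkins = Jenkins.get()

// (1) Security Realm: Jenkins' own user database.
// The constructor flag is allowsSignup: false removes the "Sign up" link, so the
// only way to get an account is for an administrator to create one.
def realm = new HudsonPrivateSecurityRealm(false)
if (realm.getAllUsers().isEmpty()) {
    // Bootstrap the first administrator. The environment variable names are an
    // assumption of this example; never hard-code the password in the script.
    String adminUser = System.getenv('JENKINS_ADMIN_USER') ?: 'admin'
    String adminPass = System.getenv('JENKINS_ADMIN_PASSWORD')
    if (!adminPass) {
        throw new IllegalStateException(
            'JENKINS_ADMIN_PASSWORD is not set; refusing to create an admin with a default password')
    }
    realm.createAccount(adminUser, adminPass)
}
jenkins.setSecurityRealm(realm)

// (2) Authorization: logged-in users can do anything, anonymous users get nothing,
// not even read access. With sign-up disabled above this means "only accounts the
// administrator created", the minimum acceptable setting for a reachable host.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
jenkins.setAuthorizationStrategy(strategy)

// TCP port for JNLP (inbound) agents: -1 disables the listener, 0 picks a random
// port, any other value pins it so a firewall rule can be written for it.
// Disabled here on the assumption that agents are attached over SSH.
jenkins.setSlaveAgentPort(-1)

// Disable remember me: no long-lived login cookie.
jenkins.setDisableRememberMe(true)

// Prevent Cross-Site Request Forgery: issue crumbs and check them on every
// state-changing request. The flag excludes the client IP from the crumb, which is
// what you want behind a reverse proxy or load balancer, where the client IP
// Jenkins sees can change between requests.
jenkins.setCrumbIssuer(new DefaultCrumbIssuer(true))

// Markup Formatter: escape HTML in job descriptions instead of rendering it,
// closing the stored-XSS route through descriptions.
jenkins.setMarkupFormatter(new EscapedMarkupFormatter())

// Slave -> Master access control. On releases that still expose the kill switch,
// the two lines below turn the switch OFF (i.e. access control ON); recent
// releases removed the switch and always enforce it, so they are left commented.
// import jenkins.security.s2m.AdminWhitelistRule
// jenkins.getInjector().getInstance(AdminWhitelistRule.class).setMasterKillSwitch(false)

jenkins.save()
println("Global security configured: realm=${jenkins.securityRealm.class.simpleName}, " +
        "authz=${jenkins.authorizationStrategy.class.simpleName}, " +
        "crumbs=${jenkins.crumbIssuer != null}")
```

As an init.groovy.d script this runs with SYSTEM authority before anyone has logged in, so the two environment variables must be set for the Jenkins service account; from the Script Console an administrator is already logged in, the user database is not empty, and the bootstrap branch is skipped. After it runs, check Configure Global Security in the UI to confirm each setting took effect, and verify the CSRF check with a plain POST to the remote API without a crumb, which should now be rejected with HTTP 403.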
