SlideShare une entreprise Scribd logo

Securing jenkins

CloudBees
CloudBees

Kohsuke Kawaguchi, the creator of Jenkins outlines how to secure Jenkins. The webinar is available at: https://www3.gotomeeting.com/register/250978006

Technologie
1  sur  32
Télécharger pour lire hors ligne
Securing Jenkins Kohsuke Kawaguchi Creator of the Hudson/Jenkins project ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved
About CloudBees Our  Mission   Become  the  leading  Java™  Pla@orm  as  a  Service  (PaaS)   Why    We’re   CloudBees  services  the  complete  lifecycle  of  Cloud   Different   applica>on  development  and  deployment.   No  Servers.  No  Virtual  Machines.  No  IT.   Strategy   §  DEV@cloud  –  Cloud  Services  for  Developers   §  RUN@cloud  –  FricIonless  runIme  PaaS  for  Java  apps   ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved 2
Continuous Integration - Jenkins Nectar  –  On-­‐Premise  Enterprise  Jenkins   •  Support  from  the  experts.   Jenkins Adoption •  VMware  scale  your  Jenkins  environment.   25,000   •  Enterprise  Features  extend  Jenkins  for  large   environments.   20,000   •  Integrate  with  the  Cloud  integraIon  with   DEV@Cloud  and  RUN@Cloud  coming   15,000     Benefits  of  DEV@cloud  Jenkins  Service:   10,000   •  Scale  your  Jenkins  environment  with  the   power  of  the  Cloud   5,000   •  Ease  your  Jenkins  management  overhead   •  Speed  your  builds   0   •  Save  money  with  on-­‐demand  Jenkins   Service.  Starts  from  $0/month   Source: jenkins-ci.org   ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved 3
Idea Behind This Webinar •  Architecture & modeling of access control in Jenkins •  Walk-through of security related plugins/ core •  Practical tips in configuring security •  Security beyond access control ©2010 CloudBees, Inc. All Rights ©2011  CloudBees,  Inc.  All   Reserved 4
Access Control Architecture •  Three extension points –  Authentication: figuring out who you are –  Permission: activity that may need protection –  Authorization: are you allowed to do XYZ? ©2010 CloudBees, Inc. All Rights 5 Reserved
Authentication •  Figures out user ID and groups –  For example, via username/password field •  But not always. E.g., OpenID, SSO –  Often additional information as well •  e-mail address, full name, … •  HTTP handling carries this around •  Plugins can control this completely ©2010 CloudBees, Inc. All Rights 6 Reserved
System-defined Identities •  “anonymous” user –  Automatically given to unauthenticated requests •  “SYSTEM” user –  All background threads run under this identity. Supposed to have full access •  “authenticated” group –  Every non-anonymous user automatically gets it ©2010 CloudBees, Inc. All Rights 7 Reserved
Permission •  Unit of activity to control access –  “Build a job”, “Create a view”, “Read Jenkins”, etc. •  Organized in shallow tree structure –  A permission can imply others •  “Read job configuration” implies “Read job” •  “Administer” implies everything else •  Plugins often define their permissions –  “Promote a build”, “Make a Maven release”, etc. ©2010 CloudBees, Inc. All Rights 8 Reserved
Authorization •  Given three parameters, decide OK/NG –  Object •  A job, view, root Jenkins object, etc. –  Permission –  Subject (Identity) •  Plugin can completely control the logic ©2010 CloudBees, Inc. All Rights 9 Reserved
Architecture Key Points •  Authentication and authorization are orthogonal –  Authentication establishes the identity (including membership) –  Authorization uses that to decide OK/NG •  So you get to mix and match ©2010 CloudBees, Inc. All Rights 10 Reserved
PAM Authentication •  Fancy way of saying Unix user authentication •  It Just Works –  Virtually zero configuration –  Your ITops have already done the hard work •  Picks up Unix group memberships •  Gets local user/group support for free ©2010 CloudBees, Inc. All Rights 11 Reserved
Active Directory (plugin) •  Windows equivalent of PAM –  Richer •  It Just Works, especially since 1.17 –  Zero conf on Windows, very little on Unix –  AD forest, sites, DC fail over, … •  Picks up membership –  Including indirect ones •  No WIA support yet ©2010 CloudBees, Inc. All Rights 12 Reserved
LDAP •  Supported well –  Both binding modes, configurable group search, e-mail address retrieval –  Default configuration and inference that goes beyond typical LDAP impl •  Caution: group name –  Earlier version turned “group” into “ROLE_GROUP”. Fixed in 1.404 •  But do you really need it? ©2010 CloudBees, Inc. All Rights 13 Reserved
OpenID (plugin) •  Login aid mode –  Use OpenID instead of typing password –  You’ve seen those on websites •  SSO mode –  Clicking “login” auto-initiates OpenID session –  With proper OpenID server configuration, it becomes password-less SSO –  Better way of integrating with directory servers •  Extensibility to support group memberships ©2010 CloudBees, Inc. All Rights 14 Reserved
Script Realm (plugin) •  Gist of authentication is: f:  (username,password)    (group*)  or  “invalid”   •  Let people write a shell script to do that –  Handy duct-tape solution for custom identity systems ©2010 CloudBees, Inc. All Rights 15 Reserved
Delegates to servlet container •  Useful if… –  You run Jenkins on an existing servlet container –  Your admin has already set it up for authentication –  You use directory servers that don’t support OpenID •  Group membership support is clumsy ©2010 CloudBees, Inc. All Rights 16 Reserved
Delegate to reverse proxy (plugin) •  Let Apache does the authentication –  For some people, this is easier and/or more powerful •  Jenkins get it via HTTP header X-­‐Forwarded-­‐User   Apache   Jenkins   ©2010 CloudBees, Inc. All Rights 17 Reserved
Jenkins’ own user database •  Retain user/password info in Jenkins –  No external identity system needed –  Optionally let people sign up via UI •  No group support yet •  Very limited use case (or am I wrong?) ©2010 CloudBees, Inc. All Rights 18 Reserved
Other Authentication Implementations •  CAS •  Atlassian Crowd •  SourceForge Enterprise Edition •  CollabNet TeamForge •  ... ©2010 CloudBees, Inc. All Rights 19 Reserved
Authorization •  Several trivial implementations •  Really only two implementations –  (Global) matrix security –  Project-based matrix security •  Calling for more plugins! ©2010 CloudBees, Inc. All Rights 20 Reserved
Matrix security basics •  Recap of the concept –  (subject,object,permission) OK/NG •  Matrix Implementation –  Define (subject,permission) as a checkbox matrix (aka ACL) –  Honors all implied permissions –  Honors all group memberships ©2010 CloudBees, Inc. All Rights 21 Reserved
Global matrix security •  Just one matrix for the entire Jenkins –  Object doesn’t matter •  Adequate so long as you don’t have black projects ©2010 CloudBees, Inc. All Rights 22 Reserved
Per-project security •  Global + separate matrix at each project –  Optional –  Individual matrix inherits global matrix •  “OR” semantics. No “deny” entry •  Also note: –  No mechanism to reuse matrix –  Config job permission lets you edit project matrix ©2010 CloudBees, Inc. All Rights 23 Reserved
“Create job advanced” plugin •  Works well with per-project matrix •  Grant the creator full access when a new job is created –  Can also grant anonymous read-access –  From there, he can add others ©2010 CloudBees, Inc. All Rights 24 Reserved
Tip: what groups am I in? •  Visit http://yourserver/jenkins/whoAmI –  Useful for checking what the server is seeing ©2010 CloudBees, Inc. All Rights 25 Reserved
Tip: If you lock yourself out •  Stop Jenkins •  vi $JENKINS_HOME/config.xml  <useSecurity>false</useSecurity>   •  Start Jenkins ©2010 CloudBees, Inc. All Rights 26 Reserved
Cross-Site Request Forgery •  Malicious pages on the internet can forge requests to Jenkins –  Even if your Jenkins is access controlled –  Attacked needs to know your intranet host name and job name •  Not on by default for compatibility ©2010 CloudBees, Inc. All Rights 27 Reserved
Security implications of letting people build •  Build can be anything –  Not only those who configure jobs, but those who write code •  … which isn’t any worse than “mvn install” •  Mitigation –  Audit trail ©2010 CloudBees, Inc. All Rights 28 Reserved
Are your black projects really black? •  All builds run as the same user –  They can interfere/interact with each other –  Command line arguments, environment variables are all readable –  Builds can see/modify the whole $JENKINS_HOME if run on master •  Mitigation –  Isolate to different machines ©2010 CloudBees, Inc. All Rights 29 Reserved
Conclusions •  Securing Jenkins Web UI –  Two orthogonal axes: authentication & authorization –  CSRF •  Securing Jenkins from untrusted builds –  Several mitigation techniques –  Ultimately, you may have to split instances ©2010 CloudBees, Inc. All Rights 30 Reserved
Coming soon to Nectar •  Folder support –  organize jobs into a hierarchical structure –  Set ACL at folder •  No need to individually set ACL at jobs •  Role-based access control support –  Define roles, local groups –  Control inheritance from ancestor ACLs ©2010 CloudBees, Inc. All Rights 31 Reserved
Resources CloudBees http://www.cloudbees.com/ Q&A Nectar http://nectar.cloudbees.com/ Try Dev@Cloud https://grandcentral.cloudbees.com/ account/signup Register for news from CloudBees http://www.cloudbees.com/company.cb Upcoming training in London http://cloudbees.com/training.cb ©2010 CloudBees, Inc. All Rights ©2011  CloudBees,  Inc.  All   Reserved

Recommandé

Build CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation SlidesBuild CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation Slides
Amazon Web Services
 
DevOps 101
DevOps 101DevOps 101
DevOps 101
satya sudheer
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps Overview
Omri Spector
 
DevOps intro
DevOps introDevOps intro
DevOps intro
Abdelrhman Shawky
 
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
Simplilearn
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
Introduction to qualitia software
Introduction to qualitia softwareIntroduction to qualitia software
Introduction to qualitia software
ProductNation/iSPIRT
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+Ops
Shalu Ahuja
 

Recommandé

Build CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation SlidesBuild CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation Slides
Amazon Web Services
 
DevOps 101
DevOps 101DevOps 101
DevOps 101
satya sudheer
 
DevOps Overview
DevOps OverviewDevOps Overview
DevOps Overview
Omri Spector
 
DevOps intro
DevOps introDevOps intro
DevOps intro
Abdelrhman Shawky
 
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
DevOps Tutorial For Beginners | DevOps Tutorial | DevOps Tools | DevOps Train...
Simplilearn
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
Introduction to qualitia software
Introduction to qualitia softwareIntroduction to qualitia software
Introduction to qualitia software
ProductNation/iSPIRT
 
Dev ops != Dev+Ops
Dev ops != Dev+OpsDev ops != Dev+Ops
Dev ops != Dev+Ops
Shalu Ahuja
 
Best practices for implementing CI/CD on Salesforce
Best practices for implementing CI/CD on SalesforceBest practices for implementing CI/CD on Salesforce
Best practices for implementing CI/CD on Salesforce
AIMDek Technologies
 
Terraform GitOps on Codefresh
Terraform GitOps on CodefreshTerraform GitOps on Codefresh
Terraform GitOps on Codefresh
Codefresh
 
Jenkins for java world
Jenkins for java worldJenkins for java world
Jenkins for java world
Ashok Kumar
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
Cheah Eng Soon
 
Fundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDFundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CD
Batyr Nuryyev
 
Install Redis on Oracle Linux
Install Redis on Oracle LinuxInstall Redis on Oracle Linux
Install Redis on Oracle Linux
Johan Louwers
 
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | EdurekaDevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
Edureka!
 
"DevOps > CI+CD "
"DevOps > CI+CD ""DevOps > CI+CD "
"DevOps > CI+CD "
Innovation Roots
 
Spring Boot—Production Boost
Spring Boot—Production BoostSpring Boot—Production Boost
Spring Boot—Production Boost
VMware Tanzu
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
Robert Sell
 
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Simplilearn
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
Animesh Singh
 
Jenkins Overview
Jenkins OverviewJenkins Overview
Jenkins Overview
Ahmed M. Gomaa
 
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layerC. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
Uni Systems S.M.S.A.
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
Ravindu Fernando
 
Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023
Greg Castle
 
Gitlab CI : Integration et Déploiement Continue
Gitlab CI : Integration et Déploiement ContinueGitlab CI : Integration et Déploiement Continue
Gitlab CI : Integration et Déploiement Continue
Vincent Composieux
 
Jenkins
JenkinsJenkins
Jenkins
penetration Tester
 
Selenium ppt
Selenium pptSelenium ppt
Selenium ppt
Naga Dinesh
 
Basic Jenkins Guide.pptx
Basic Jenkins Guide.pptxBasic Jenkins Guide.pptx
Basic Jenkins Guide.pptx
Jayanga V. Liyanage
 
Jenkins Enterprise by CloudBees Webinar
Jenkins Enterprise by CloudBees WebinarJenkins Enterprise by CloudBees Webinar
Jenkins Enterprise by CloudBees Webinar
CloudBees
 
7 Ways to Optimize Hudson in Production
7 Ways to Optimize Hudson in Production7 Ways to Optimize Hudson in Production
7 Ways to Optimize Hudson in Production
CloudBees
 

Contenu connexe

Tendances

Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Simplilearn
 
Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023
Greg Castle
 

Tendances (20)

Best practices for implementing CI/CD on Salesforce
Best practices for implementing CI/CD on SalesforceBest practices for implementing CI/CD on Salesforce
Best practices for implementing CI/CD on Salesforce
 
Terraform GitOps on Codefresh
Terraform GitOps on CodefreshTerraform GitOps on Codefresh
Terraform GitOps on Codefresh
 
Jenkins for java world
Jenkins for java worldJenkins for java world
Jenkins for java world
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Fundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CDFundamentals of DevOps and CI/CD
Fundamentals of DevOps and CI/CD
 
Install Redis on Oracle Linux
Install Redis on Oracle LinuxInstall Redis on Oracle Linux
Install Redis on Oracle Linux
 
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | EdurekaDevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
DevOps vs Agile | DevOps Tutorial For Beginners | DevOps Training | Edureka
 
"DevOps > CI+CD "
"DevOps > CI+CD ""DevOps > CI+CD "
"DevOps > CI+CD "
 
Spring Boot—Production Boost
Spring Boot—Production BoostSpring Boot—Production Boost
Spring Boot—Production Boost
 
DevOps Introduction
DevOps IntroductionDevOps Introduction
DevOps Introduction
 
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
 
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
CAPS: What's best for deploying and managing OpenStack? Chef vs. Ansible vs. ...
 
Jenkins Overview
Jenkins OverviewJenkins Overview
Jenkins Overview
 
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layerC. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
C. Sotiriou, Vodafone Greece: Adopting Quarkus for the digital experience layer
 
Introduction to DevOps
Introduction to DevOpsIntroduction to DevOps
Introduction to DevOps
 
Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023Container Patching: Cloud Native Security Con 2023
Container Patching: Cloud Native Security Con 2023
 
Gitlab CI : Integration et Déploiement Continue
Gitlab CI : Integration et Déploiement ContinueGitlab CI : Integration et Déploiement Continue
Gitlab CI : Integration et Déploiement Continue
 
Jenkins
JenkinsJenkins
Jenkins
 
Selenium ppt
Selenium pptSelenium ppt
Selenium ppt
 
Basic Jenkins Guide.pptx
Basic Jenkins Guide.pptxBasic Jenkins Guide.pptx
Basic Jenkins Guide.pptx
 

Similaire à Securing jenkins

OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultOSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
NETWAYS
 
Presentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rolloutPresentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rollout
solarisyourep
 
Running productioninstance 1-localcopy
Running productioninstance 1-localcopyRunning productioninstance 1-localcopy
Running productioninstance 1-localcopy
CloudBees
 
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBeesJava / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
Paris Open Source Summit
 

Similaire à Securing jenkins (20)

Jenkins Enterprise by CloudBees Webinar
Jenkins Enterprise by CloudBees WebinarJenkins Enterprise by CloudBees Webinar
Jenkins Enterprise by CloudBees Webinar
 
7 Ways to Optimize Hudson in Production
7 Ways to Optimize Hudson in Production7 Ways to Optimize Hudson in Production
7 Ways to Optimize Hudson in Production
 
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier RenaultOSDC 2012 | Introduction to Eucalyptus by Olivier Renault
OSDC 2012 | Introduction to Eucalyptus by Olivier Renault
 
CloudBees Toronto Presentation
CloudBees Toronto PresentationCloudBees Toronto Presentation
CloudBees Toronto Presentation
 
20191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 120191201 kubernetes managed weblogic revival - part 1
20191201 kubernetes managed weblogic revival - part 1
 
The Kubernetes WebLogic revival (part 1)
The Kubernetes WebLogic revival (part 1)The Kubernetes WebLogic revival (part 1)
The Kubernetes WebLogic revival (part 1)
 
Presentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rolloutPresentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rollout
 
Presentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rolloutPresentation desktops for the cloud the view rollout
Presentation desktops for the cloud the view rollout
 
How we made jenkins community
How we made jenkins communityHow we made jenkins community
How we made jenkins community
 
Running productioninstance 1-localcopy
Running productioninstance 1-localcopyRunning productioninstance 1-localcopy
Running productioninstance 1-localcopy
 
Kubernetes solutions
Kubernetes solutionsKubernetes solutions
Kubernetes solutions
 
Xen: Hypervisor for the Cloud - CCC13
Xen: Hypervisor for the Cloud - CCC13Xen: Hypervisor for the Cloud - CCC13
Xen: Hypervisor for the Cloud - CCC13
 
Jumping from Continuous Integration to Continuous Delivery with Jenkins Enter...
Jumping from Continuous Integration to Continuous Delivery with Jenkins Enter...Jumping from Continuous Integration to Continuous Delivery with Jenkins Enter...
Jumping from Continuous Integration to Continuous Delivery with Jenkins Enter...
 
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBeesJava / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
Java / Opening Open Source the Jenkins Way - Nicolas de Loof, CloudBees
 
Understanding Docker and IBM Bluemix Container Service
Understanding Docker and IBM Bluemix Container ServiceUnderstanding Docker and IBM Bluemix Container Service
Understanding Docker and IBM Bluemix Container Service
 
Xen Project Hypervisor for the Cloud
Xen Project Hypervisor for the CloudXen Project Hypervisor for the Cloud
Xen Project Hypervisor for the Cloud
 
Easy Docker Deployments with Mesosphere DCOS on Azure
Easy Docker Deployments with Mesosphere DCOS on AzureEasy Docker Deployments with Mesosphere DCOS on Azure
Easy Docker Deployments with Mesosphere DCOS on Azure
 
Kernel Recipes 2014 - Xen as a foundation for cloud infrastructure
Kernel Recipes 2014 - Xen as a foundation for cloud infrastructureKernel Recipes 2014 - Xen as a foundation for cloud infrastructure
Kernel Recipes 2014 - Xen as a foundation for cloud infrastructure
 
Best Practices for Novell GroupWise on Linux
Best Practices for Novell GroupWise on LinuxBest Practices for Novell GroupWise on Linux
Best Practices for Novell GroupWise on Linux
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 

Plus de CloudBees

JUC Europe 2015: Scaling Your Jenkins Master with Docker
JUC Europe 2015: Scaling Your Jenkins Master with DockerJUC Europe 2015: Scaling Your Jenkins Master with Docker
JUC Europe 2015: Scaling Your Jenkins Master with Docker
CloudBees
 
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
CloudBees
 
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and MaintenanceJUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
CloudBees
 
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
CloudBees
 
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
CloudBees
 
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data ProjectsJUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
CloudBees
 
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
CloudBees
 
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
CloudBees
 
JUC Europe 2015: Evolving the Jenkins UI
JUC Europe 2015: Evolving the Jenkins UIJUC Europe 2015: Evolving the Jenkins UI
JUC Europe 2015: Evolving the Jenkins UI
CloudBees
 
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache MesosJUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
CloudBees
 
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
CloudBees
 

Plus de CloudBees (20)

JUC Europe 2015: Scaling Your Jenkins Master with Docker
JUC Europe 2015: Scaling Your Jenkins Master with DockerJUC Europe 2015: Scaling Your Jenkins Master with Docker
JUC Europe 2015: Scaling Your Jenkins Master with Docker
 
JUC Europe 2015: Plugin Development with Gradle and Groovy
JUC Europe 2015: Plugin Development with Gradle and GroovyJUC Europe 2015: Plugin Development with Gradle and Groovy
JUC Europe 2015: Plugin Development with Gradle and Groovy
 
JUC Europe 2015: Multi-Node Environment as a Jenkins Slave (Compound-Slave)
JUC Europe 2015: Multi-Node Environment as a Jenkins Slave (Compound-Slave)JUC Europe 2015: Multi-Node Environment as a Jenkins Slave (Compound-Slave)
JUC Europe 2015: Multi-Node Environment as a Jenkins Slave (Compound-Slave)
 
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
JUC Europe 2015: The Famous Cows of Cambridge: A Non-Standard Use Case for Je...
 
JUC Europe 2015: Jenkins Made Easy
JUC Europe 2015: Jenkins Made EasyJUC Europe 2015: Jenkins Made Easy
JUC Europe 2015: Jenkins Made Easy
 
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and MaintenanceJUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
JUC Europe 2015: Scaling of Jenkins Pipeline Creation and Maintenance
 
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
JUC Europe 2015: From Virtual Machines to Containers: Achieving Continuous In...
 
JUC Europe 2015: Hey! What Did We Just Release?
JUC Europe 2015: Hey! What Did We Just Release?JUC Europe 2015: Hey! What Did We Just Release?
JUC Europe 2015: Hey! What Did We Just Release?
 
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
JUC Europe 2015: Orchestrating Your Pipelines with Jenkins, Python and the Je...
 
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data ProjectsJUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
JUC Europe 2015: Jenkins Pipeline for Continuous Delivery of Big Data Projects
 
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
JUC Europe 2015: Jenkins-Based Continuous Integration for Heterogeneous Hardw...
 
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
JUC Europe 2015: Optimizing Your CI: Lessons Learned from a Successful Jenkin...
 
JUC Europe 2015: Enabling Continuous Delivery for Major Retailers
JUC Europe 2015: Enabling Continuous Delivery for Major RetailersJUC Europe 2015: Enabling Continuous Delivery for Major Retailers
JUC Europe 2015: Enabling Continuous Delivery for Major Retailers
 
JUC Europe 2015: Bringing CD at Cloud-Scale with Jenkins, Docker and "Tiger"
JUC Europe 2015: Bringing CD at Cloud-Scale with Jenkins, Docker and "Tiger"JUC Europe 2015: Bringing CD at Cloud-Scale with Jenkins, Docker and "Tiger"
JUC Europe 2015: Bringing CD at Cloud-Scale with Jenkins, Docker and "Tiger"
 
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
JUC Europe 2015: Making Strides towards Enterprise-Scale DevOps...with Jenkin...
 
JUC Europe 2015: Evolving the Jenkins UI
JUC Europe 2015: Evolving the Jenkins UIJUC Europe 2015: Evolving the Jenkins UI
JUC Europe 2015: Evolving the Jenkins UI
 
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache MesosJUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
JUC Europe 2015: Using Infrastructure Nodes Wisely With Jenkins and Apache Mesos
 
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
JUC Europe 2015: How to Optimize Automated Testing with Everyone's Favorite B...
 
JUC 2015 - Keynote Address and Opening Remarks by Kohsuke Kawaguchi, Founder,...
JUC 2015 - Keynote Address and Opening Remarks by Kohsuke Kawaguchi, Founder,...JUC 2015 - Keynote Address and Opening Remarks by Kohsuke Kawaguchi, Founder,...
JUC 2015 - Keynote Address and Opening Remarks by Kohsuke Kawaguchi, Founder,...
 
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
JUC Europe 2015: Continuous Integration and Distribution in the Cloud with DE...
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Securing jenkins

  • 1. Securing Jenkins Kohsuke Kawaguchi Creator of the Hudson/Jenkins project ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved
  • 2. About CloudBees Our  Mission   Become  the  leading  Java™  Pla@orm  as  a  Service  (PaaS)   Why    We’re   CloudBees  services  the  complete  lifecycle  of  Cloud   Different   applica>on  development  and  deployment.   No  Servers.  No  Virtual  Machines.  No  IT.   Strategy   §  DEV@cloud  –  Cloud  Services  for  Developers   §  RUN@cloud  –  FricIonless  runIme  PaaS  for  Java  apps   ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved 2
  • 3. Continuous Integration - Jenkins Nectar  –  On-­‐Premise  Enterprise  Jenkins   •  Support  from  the  experts.   Jenkins Adoption •  VMware  scale  your  Jenkins  environment.   25,000   •  Enterprise  Features  extend  Jenkins  for  large   environments.   20,000   •  Integrate  with  the  Cloud  integraIon  with   DEV@Cloud  and  RUN@Cloud  coming   15,000     Benefits  of  DEV@cloud  Jenkins  Service:   10,000   •  Scale  your  Jenkins  environment  with  the   power  of  the  Cloud   5,000   •  Ease  your  Jenkins  management  overhead   •  Speed  your  builds   0   •  Save  money  with  on-­‐demand  Jenkins   Service.  Starts  from  $0/month   Source: jenkins-ci.org   ©2010 CloudBees, Inc. All Rights ©2011  Cloud  Bees,  Inc.  All   Reserved 3
  • 4. Idea Behind This Webinar •  Architecture & modeling of access control in Jenkins •  Walk-through of security related plugins/ core •  Practical tips in configuring security •  Security beyond access control ©2010 CloudBees, Inc. All Rights ©2011  CloudBees,  Inc.  All   Reserved 4
  • 5. Access Control Architecture •  Three extension points –  Authentication: figuring out who you are –  Permission: activity that may need protection –  Authorization: are you allowed to do XYZ? ©2010 CloudBees, Inc. All Rights 5 Reserved
  • 6. Authentication •  Figures out user ID and groups –  For example, via username/password field •  But not always. E.g., OpenID, SSO –  Often additional information as well •  e-mail address, full name, … •  HTTP handling carries this around •  Plugins can control this completely ©2010 CloudBees, Inc. All Rights 6 Reserved
  • 7. System-defined Identities •  “anonymous” user –  Automatically given to unauthenticated requests •  “SYSTEM” user –  All background threads run under this identity. Supposed to have full access •  “authenticated” group –  Every non-anonymous user automatically gets it ©2010 CloudBees, Inc. All Rights 7 Reserved
  • 8. Permission •  Unit of activity to control access –  “Build a job”, “Create a view”, “Read Jenkins”, etc. •  Organized in shallow tree structure –  A permission can imply others •  “Read job configuration” implies “Read job” •  “Administer” implies everything else •  Plugins often define their permissions –  “Promote a build”, “Make a Maven release”, etc. ©2010 CloudBees, Inc. All Rights 8 Reserved
  • 9. Authorization •  Given three parameters, decide OK/NG –  Object •  A job, view, root Jenkins object, etc. –  Permission –  Subject (Identity) •  Plugin can completely control the logic ©2010 CloudBees, Inc. All Rights 9 Reserved
  • 10. Architecture Key Points •  Authentication and authorization are orthogonal –  Authentication establishes the identity (including membership) –  Authorization uses that to decide OK/NG •  So you get to mix and match ©2010 CloudBees, Inc. All Rights 10 Reserved
  • 11. PAM Authentication •  Fancy way of saying Unix user authentication •  It Just Works –  Virtually zero configuration –  Your ITops have already done the hard work •  Picks up Unix group memberships •  Gets local user/group support for free ©2010 CloudBees, Inc. All Rights 11 Reserved
  • 12. Active Directory (plugin) •  Windows equivalent of PAM –  Richer •  It Just Works, especially since 1.17 –  Zero conf on Windows, very little on Unix –  AD forest, sites, DC fail over, … •  Picks up membership –  Including indirect ones •  No WIA support yet ©2010 CloudBees, Inc. All Rights 12 Reserved
  • 13. LDAP •  Supported well –  Both binding modes, configurable group search, e-mail address retrieval –  Default configuration and inference that goes beyond typical LDAP impl •  Caution: group name –  Earlier version turned “group” into “ROLE_GROUP”. Fixed in 1.404 •  But do you really need it? ©2010 CloudBees, Inc. All Rights 13 Reserved
  • 14. OpenID (plugin) •  Login aid mode –  Use OpenID instead of typing password –  You’ve seen those on websites •  SSO mode –  Clicking “login” auto-initiates OpenID session –  With proper OpenID server configuration, it becomes password-less SSO –  Better way of integrating with directory servers •  Extensibility to support group memberships ©2010 CloudBees, Inc. All Rights 14 Reserved
  • 15. Script Realm (plugin) •  Gist of authentication is: f:  (username,password)    (group*)  or  “invalid”   •  Let people write a shell script to do that –  Handy duct-tape solution for custom identity systems ©2010 CloudBees, Inc. All Rights 15 Reserved
  • 16. Delegates to servlet container •  Useful if… –  You run Jenkins on an existing servlet container –  Your admin has already set it up for authentication –  You use directory servers that don’t support OpenID •  Group membership support is clumsy ©2010 CloudBees, Inc. All Rights 16 Reserved
  • 17. Delegate to reverse proxy (plugin) •  Let Apache does the authentication –  For some people, this is easier and/or more powerful •  Jenkins get it via HTTP header X-­‐Forwarded-­‐User   Apache   Jenkins   ©2010 CloudBees, Inc. All Rights 17 Reserved
  • 18. Jenkins’ own user database •  Retain user/password info in Jenkins –  No external identity system needed –  Optionally let people sign up via UI •  No group support yet •  Very limited use case (or am I wrong?) ©2010 CloudBees, Inc. All Rights 18 Reserved
  • 19. Other Authentication Implementations •  CAS •  Atlassian Crowd •  SourceForge Enterprise Edition •  CollabNet TeamForge •  ... ©2010 CloudBees, Inc. All Rights 19 Reserved
  • 20. Authorization •  Several trivial implementations •  Really only two implementations –  (Global) matrix security –  Project-based matrix security •  Calling for more plugins! ©2010 CloudBees, Inc. All Rights 20 Reserved
  • 21. Matrix security basics •  Recap of the concept –  (subject,object,permission) OK/NG •  Matrix Implementation –  Define (subject,permission) as a checkbox matrix (aka ACL) –  Honors all implied permissions –  Honors all group memberships ©2010 CloudBees, Inc. All Rights 21 Reserved
  • 22. Global matrix security •  Just one matrix for the entire Jenkins –  Object doesn’t matter •  Adequate so long as you don’t have black projects ©2010 CloudBees, Inc. All Rights 22 Reserved
  • 23. Per-project security •  Global + separate matrix at each project –  Optional –  Individual matrix inherits global matrix •  “OR” semantics. No “deny” entry •  Also note: –  No mechanism to reuse matrix –  Config job permission lets you edit project matrix ©2010 CloudBees, Inc. All Rights 23 Reserved
  • 24. “Create job advanced” plugin •  Works well with per-project matrix •  Grant the creator full access when a new job is created –  Can also grant anonymous read-access –  From there, he can add others ©2010 CloudBees, Inc. All Rights 24 Reserved
  • 25. Tip: what groups am I in? •  Visit http://yourserver/jenkins/whoAmI –  Useful for checking what the server is seeing ©2010 CloudBees, Inc. All Rights 25 Reserved
  • 26. Tip: If you lock yourself out •  Stop Jenkins •  vi $JENKINS_HOME/config.xml  <useSecurity>false</useSecurity>   •  Start Jenkins ©2010 CloudBees, Inc. All Rights 26 Reserved
  • 27. Cross-Site Request Forgery •  Malicious pages on the internet can forge requests to Jenkins –  Even if your Jenkins is access controlled –  Attacked needs to know your intranet host name and job name •  Not on by default for compatibility ©2010 CloudBees, Inc. All Rights 27 Reserved
  • 28. Security implications of letting people build •  Build can be anything –  Not only those who configure jobs, but those who write code •  … which isn’t any worse than “mvn install” •  Mitigation –  Audit trail ©2010 CloudBees, Inc. All Rights 28 Reserved
  • 29. Are your black projects really black? •  All builds run as the same user –  They can interfere/interact with each other –  Command line arguments, environment variables are all readable –  Builds can see/modify the whole $JENKINS_HOME if run on master •  Mitigation –  Isolate to different machines ©2010 CloudBees, Inc. All Rights 29 Reserved
  • 30. Conclusions •  Securing Jenkins Web UI –  Two orthogonal axes: authentication & authorization –  CSRF •  Securing Jenkins from untrusted builds –  Several mitigation techniques –  Ultimately, you may have to split instances ©2010 CloudBees, Inc. All Rights 30 Reserved
  • 31. Coming soon to Nectar •  Folder support –  organize jobs into a hierarchical structure –  Set ACL at folder •  No need to individually set ACL at jobs •  Role-based access control support –  Define roles, local groups –  Control inheritance from ancestor ACLs ©2010 CloudBees, Inc. All Rights 31 Reserved
  • 32. Resources CloudBees http://www.cloudbees.com/ Q&A Nectar http://nectar.cloudbees.com/ Try Dev@Cloud https://grandcentral.cloudbees.com/ account/signup Register for news from CloudBees http://www.cloudbees.com/company.cb Upcoming training in London http://cloudbees.com/training.cb ©2010 CloudBees, Inc. All Rights ©2011  CloudBees,  Inc.  All   Reserved