Jenkins: The Definitive Guide


Figure 7.1. Enabling security in Jenkins


In the remainder of this chapter, we will look at how to configure Jenkins security for a number of
common scenarios.


7.3. Simple Security in Jenkins


The simplest usable security model in Jenkins involves allowing authenticated users to do anything,
whereas non-authenticated users will just have a read-only view of the build jobs. This is great for small
teams—developers can manage the build jobs, whereas other users (testers, BAs, project managers and
so on) can view the build jobs as required to check the status of the project. Indeed, certain build jobs
may be set up just for this purpose, displaying the results of automated acceptance tests or code quality
metrics, for example.


You can set up this sort of configuration by choosing “Logged-in users can do anything” in the
Authorization section. There are several ways that Jenkins can authenticate users (see Section 7.4,
“Security Realms—Identifying Jenkins Users”), but for this example, we will be using the simplest
option, which is to use Jenkins’s own built-in database (see Section 7.4.1, “Using Jenkins’s Built-in
User Database”). This is the configuration illustrated in Figure 7.1, “Enabling security in Jenkins”.


Make sure you tick the “Allow users to sign up” option. This option will display a Sign up link at the top
of the screen to let users create their own user account as required (see Figure 7.2, “The Jenkins Sign
up page”). It is a good idea for developers to use their SCM username here: in this case, Jenkins will be
able to work out which users contributed to the SCM changes that triggered a particular build.
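
The following is an added example, not taken from the book: a Python check over the security part of `$JENKINS_HOME/config.xml` that reports whether the model described above is in effect and flags what the combination of open sign-up and “Logged-in users can do anything” implies. The XML element names and the treatment of an absent flag as false are assumptions based on current Jenkins releases, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the security part of $JENKINS_HOME/config.xml for the
# setup described above. Element names are assumed from current Jenkins releases.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
BUILTIN_REALM = "hudson.security.HudsonPrivateSecurityRealm"

def _flag(node, tag):
    """Boolean child element; absent counts as false (assumed Java default)."""
    text = node.findtext(tag) if node is not None else None
    return text is not None and text.strip().lower() == "true"

def audit_simple_security(config_xml):
    """Return (summary, findings) for the 'simple security' model."""
    root = ET.fromstring(config_xml)
    authz = root.find("authorizationStrategy")
    realm = root.find("securityRealm")
    full = authz is not None and authz.get("class") == FULL_CONTROL
    builtin = realm is not None and realm.get("class") == BUILTIN_REALM
    summary = {
        "security_enabled": _flag(root, "useSecurity"),
        "logged_in_full_control": full,
        "anonymous_read": full and not _flag(authz, "denyAnonymousReadAccess"),
        "builtin_user_db": builtin,
        "signup_open": builtin and not _flag(realm, "disableSignup"),
    }
    findings = []
    if not summary["security_enabled"]:
        findings.append("security disabled: every visitor has full control")
    if full and summary["signup_open"]:
        findings.append("open sign-up with 'Logged-in users can do anything': "
                        "any self-registered account has full control")
    if summary["anonymous_read"]:
        findings.append("anonymous visitors can view jobs and build results")
    return summary, findings

if __name__ == "__main__":
    summary, findings = audit_simple_security(SAMPLE_CONFIG)
    print(summary, *findings, sep="\n- ")
```

Because every self-registered account receives full control under this model, the sign-up finding is the one to review first on any instance reachable beyond the team's own network.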
