Jenkins restrict access to only Google Apps Domain users using OpenID Authentication

5
votes

Using the Jenkins OpenID plugin I'm able to configure Jenkins to use my Google Apps OpenID as a provider. Anonymous users are still able to access that application (they have read access only), but I want to have it so that users are forced to login using the Google App domain or they are denied access.

I'm currently using the Jenkins Authorization setting of "Logged in users can do anything", I've tried using the "Matrix based authentication" and denying anonymous users, assuming logged in users would still have permissions, is there a special group value I can use for "logged in users" in matrix based authentication?

It seems like "Matrix-based security" will only work for specific users when using Google Apps OpenID (I don't believe Google apps for domains has support for OpenIDTeam extension

enter image description here

1
authenticationjenkinsopenidgoogle-appsjenkins-plugins

1 Answers

5
votes

Yes there is a special group you can use to do this but finding the information about how to do it isn't obvious. If you hover over the 'Overall - Read' column on the Matrix-based security table you'll get the solution.

It states

The read permission is necessary for viewing almost all pages of Jenkins. This permission is useful when you don't want unauthenticated users to see Jenkins pages - revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.

I use the following technique in combination with the OpenID plugin which allows me to specify a Google Apps for Business domain to secure Jenkins with

Warning: Make sure you've got a backup of your installation before you start because if you get something wrong you may lock yourself out of your Jenkins. Unpicking the plugins and settings would take longer than just restoring from a backup.

  1. Ensure your choice of OpenID provider is still working ok with your current 'Logged in users can do anything' setting
  2. Select the 'Matrix based-security' mode for Authorization
  3. Add a new 'authenticated' group (lower case 'a') to the Matrix-based security table.
  4. Use the 'check all' icon at the right hand end of the new 'authenticated' row to tick all the permission boxes.
  5. Use the 'check all' icon at the right hand end of the 'Anonymous' row to untick all the permission boxes.
  6. Save the settings
  7. Reload Jenkins

Matrix-based security table with Overall-Read help text expanded as quoted earlier

Now each time a user wants to see Jenkins they have to be already signed into their Google Account and no-one can get to see any Job names or views without login.

Hope this helps.