This seems like an obvious question, but I've looked high and low and can't find an answer. Here's the situation:
The trouble is, I can find exactly zero information on how security works with JNLP. If any anonymous read permissions are granted, then anyone in the world can download slave.jar and access the jnlp file at the (easy to guess) URLs on my server, and connect as a slave.
I discovered that if I revoke all anonymous access, the jnlp file is blocked but slave.jar is still accessible.
There doesn't seem to be anything particularly secure in the jnlp file, except one long hex number. Is this setup safe or is there something else I have to do?
It would be nice if visitors could see the recent builds without logging in, but again if I grant read permissions to anonymous, anyone can access the jnlp file.
Make sure that you've enabled a JNLP port in Manage Jenkins -> Configure Global Security. If no JNLP port is specified, then the JNLP slave option will not appear.
JNLP Port. Jenkins slaves running in OpenShift communicate with the Jenkins master using a separate TCP connection. The TCP port to make use of is specified in the Configure Global Security within Jenkins management page.
Jenkins can expose a TCP port that allows inbound agents to connect to it. It can be enabled, disabled, and configured in Manage Jenkins » Configure Global Security. The two supported modes (while enabled) are: Random: The TCP port is chosen at random to avoid collisions on the Jenkins controller.
Jenkins uses a Master-Slave architecture to manage distributed builds. In this architecture, Master and Slave nodes communicate through TCP/IP protocol. The main Jenkins server acts as the Master node that manages slaves. A slave is a Java executable that runs on a remote machine.
It turns out that this was actually a critical security vulnerability in Jenkins:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
In answer to my question, it seems the best approach is to disable all anonymous read access.
From the comments on this jenkins bug it seems that this behaviour (allowing anyone with read permissions to see the jnlp file) was changed in the course of fixing the security vulnerability, and you can now limit access to the jnlp file to particular users.
I couldn't find any documentation on the current behaviour either, but it's possible to get some clues by
Step 2 will give a "403 forbidden" response which contains something like
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Computer.Connect
... which is implied by: hudson.model.Computer.Disconnect
... which is implied by: hudson.model.Hudson.Administer
-->
The response also contains a javascript redirect, so you need to use wget or some other non-javascript-enabled method to be able to see it.
By trial and error, I found that "hudson.model.Computer.Connect" seems to map to the "Slave Connect" permission in the Jenkins UI.
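An added example (not from the original answer or from Jenkins) of the check described above, done as an audit script: it fetches an agent's JNLP file with no credentials, and instead of following the JavaScript redirect it classifies the raw response and pulls the missing-permission hint out of the 403 body. The agent URL path computer/<node>/slave-agent.jnlp and the sample 403 body are assumptions constructed for the example.

```python
import re
import urllib.error
import urllib.request

# Constructed sample of the 403 body Jenkins returns to an anonymous client
# (same shape as the HTML comment quoted in the answer above).
SAMPLE_403_BODY = """<html><body>Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Computer.Connect
  ... which is implied by: hudson.model.Computer.Disconnect
  ... which is implied by: hudson.model.Hudson.Administer
-->
<script>window.location.replace('/login');</script></body></html>"""

NEEDED_RE = re.compile(r"Permission you need to have \(but didn't\):\s*(\S+)")
IMPLIED_RE = re.compile(r"which is implied by:\s*(\S+)")


def parse_permission_hint(body):
    """Return (needed permission, [permissions that imply it]) from a Jenkins 403 body."""
    m = NEEDED_RE.search(body)
    if not m:
        return None, []
    return m.group(1), IMPLIED_RE.findall(body)


def classify(status, body):
    """Judge anonymous access to the JNLP file from the HTTP status and body."""
    if status == 200 and "<jnlp" in body:
        return "EXPOSED"  # anyone can fetch the agent JNLP without logging in
    if status == 403:
        needed, _ = parse_permission_hint(body)
        return "PROTECTED:" + (needed or "unknown")
    if status in (401, 404):
        return "PROTECTED:no-jnlp"
    return "UNKNOWN:%d" % status


def fetch_anonymous(url):
    """GET with no credentials; urllib raises on 4xx, so unwrap the error."""
    req = urllib.request.Request(url, headers={"User-Agent": "jnlp-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except urllib.error.URLError as e:
        return 0, str(e.reason)


def audit_agent(base_url, node, fetch=fetch_anonymous):
    # Assumed path: Jenkins serves each agent's JNLP at computer/<node>/slave-agent.jnlp
    url = "%s/computer/%s/slave-agent.jnlp" % (base_url.rstrip("/"), node)
    status, body = fetch(url)
    return url, classify(status, body)


if __name__ == "__main__":
    print(classify(403, SAMPLE_403_BODY))
```

Run `audit_agent("https://your-jenkins", "node-name")` against a real controller; a result of EXPOSED means anonymous read is leaking the agent JNLP, while PROTECTED:hudson.model.Computer.Connect confirms the "Slave Connect" permission is now required.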