Certified Jenkins Engineer

Automation and Security

Demo Jenkins Authentication

In this guide, we'll dive into configuring authentication and authorization in Jenkins. By default, Jenkins creates a single admin user during setup and does not allow team members to self-register. You can keep the built-in user database or integrate with an external identity system (LDAP or Active Directory). Authentication (the security realm) decides who a user is; authorization (the authorization strategy) decides what that user may do, and the two are configured separately. Follow these steps to secure your Jenkins instance.

1. Built-in User Database

  1. Log in as the initial admin user.
  2. Navigate to Manage Jenkins → Configure Global Security.
  3. Under Security Realm, you’ll see the default option:

The image shows a Jenkins security configuration page with options for authentication, security realm, and authorization settings. It includes checkboxes and dropdown menus for managing user access and permissions.

By default, Jenkins uses its own user database:

The image shows a webpage from the Jenkins documentation, specifically focusing on managing security realms. It highlights options like using Jenkins' own user database and LDAP for authentication.

To view or manage these users, go to Manage Jenkins → Manage Users:

The image shows a Jenkins user management interface with one user listed, identified as "admin." There is an option to create a new user.

Enabling Self-Registration

  1. Under Configure Global Security, you can also tick Disable "Keep me signed in", which removes the long-lived remember-me cookie from the login form. This is optional and independent of registration.
  2. Tick Allow users to sign up and click Apply.

The image shows the Jenkins security configuration page, where authentication and authorization settings are being managed. Options include disabling "Keep me signed in," allowing user sign-up, and setting user permissions.

Note

Allowing public sign-up can lead to unwanted accounts, and under the default Logged-in users can do anything strategy every self-registered account is a full administrator. Review registrations regularly or integrate with an external directory for tighter control, and leave sign-up disabled on any instance reachable from outside your team.

Log out. On the login screen, you'll now see Sign up. Create a new user (e.g., John). If you choose a weak or previously leaked password, you may see a warning such as the data-breach notification in the screenshot:

The image shows a Jenkins dashboard with a notification about a password found in a data breach, recommending a password check.

Returning to Manage Users shows both admin and John:

The image shows a Jenkins user management interface displaying a list of users with their IDs and names, along with options to manage or delete them.

2. Authorization Strategies

Authorization controls who can view, build, or configure jobs. In Configure Global Security, scroll to Authorization. The default is Logged-in users can do anything: any authenticated user has full access, and anonymous visitors get nothing unless Allow anonymous read access is ticked. The other built-in option is Anyone can do anything:

Authorization Strategy            Description
Logged-in users can do anything   Any authenticated user has full access; anonymous users see nothing unless Allow anonymous read access is ticked.
Anyone can do anything            Every action, including configuring and triggering jobs, is open to anonymous visitors without a login.

Select Anyone can do anything, click Save, then log out. Now you can view and trigger builds without logging in, and the console log records the trigger as anonymous:

The image shows a Jenkins dashboard for a job named "ascii-deploy-job," displaying build history and options like "Build Now" and "Configure." It includes details about recent builds and their statuses.

Started by user unknown or anonymous
Running as SYSTEM
Building in workspace /var/lib/jenkins/workspace/ascii-deploy-job
Copied 1 artifact from "ascii-test-job" build number 5
[ascii-deploy-job] $ /bin/sh -xe /tmp/jenkins37422262028379197254.sh
+ exit 1
Build step 'Execute shell' marked build as failure
Finished: FAILURE

Warning

Allowing anonymous users to trigger builds is a serious security risk. The console log above shows the build Running as SYSTEM, Jenkins' internal superuser identity, and with Anyone can do anything an anonymous visitor can also edit the job's Execute shell step (the /bin/sh -xe line). Anyone who can reach the URL therefore gets command execution on the node that runs the job, here the controller's own /var/lib/jenkins workspace, with access to whatever credentials the job can use. Unauthenticated users should never run or configure jobs on a production Jenkins controller (historically called the master).

Log back in as admin, set Authorization back to Logged-in users can do anything, and tick Allow anonymous read access. Click Save and log out. Visitors can now view jobs and their console output but cannot create, configure, or trigger them. Note that read access still exposes job names, configuration and build logs, so leave it off if those contain anything sensitive.

3. Mock Security Realm (Simulating LDAP)

To simulate external authentication without a real directory server, install the Mock Security Realm plugin:

  1. Go to Manage Jenkins → Manage Plugins → Available.
  2. Search for mock-security-realm and install.

The image shows a Jenkins interface displaying a list of available plugins, with a search bar filtering results for plugins related to "mod."

After installing, return to Configure Global Security. Under Security Realm, select Mock Security Realm:

The image shows a Jenkins security configuration page with options for authentication and a dropdown menu for selecting the security realm. It includes a list of users and groups, with buttons to save or apply changes.

In the User/Group Definitions box, enter one user per line: the first token is the user ID and every following token is a group the user belongs to. Each user's password is simply their username:

ali manager
bob qa
emma developer
tina developer qa
alice admins
charlie qa
darlene qa admins

Untick Allow anonymous read access if desired, then click Save. Because the built-in database is no longer the active security realm, the Manage Users entry disappears from Manage Jenkins:

The image shows the "Manage Jenkins" dashboard, displaying various configuration options such as system settings, tools, plugins, security, and credentials. It is part of a Jenkins server interface used for managing build and deployment processes.

Logging In with Mock Users

Log out, then log in as one of the mock users:

  • siddharth (password: siddharth). This user is not in the definitions listed above; it only exists if you added a line for it, and the screenshot shows it as a member of the admin group.

The image shows a Jenkins user interface displaying the profile of a user named "siddharth," who belongs to the "admin" group. The sidebar includes options like Builds, Configure, Favorites, My Views, and Credentials.

  • tina (password: tina)

The image shows a Jenkins user interface with a user profile for "tina," displaying her user ID and group memberships, which include "developer" and "qa." The sidebar includes options like Builds, Configure, and Credentials.

The Mock Security Realm handles authentication and group membership only. Like any security realm, it does not decide what a user may do; that remains the job of the authorization strategy, which is still Logged-in users can do anything here, so tina and siddharth are both full administrators regardless of their groups. Next, explore role-based authorization to restrict deleting or configuring jobs to the admin group.
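A practitioner will want to verify the settings from sections 1 to 3 without clicking through the UI, for example against a backup of $JENKINS_HOME/config.xml. The following Python script is an added example and is not part of this course or of Jenkins itself: it audits the authorization strategy, anonymous read access, self-registration and the active security realm, and flags a Mock Security Realm together with the accounts whose password equals their username. The class names and elements are the ones Jenkins writes to config.xml; the mock realm's class name and its `<data>` element are assumptions about that plugin's serialized form, and the three sample configurations are constructed for the example.

```python
"""Audit a Jenkins controller's config.xml for the settings in this guide.

Added example, not course material or Jenkins code. Class and element
names are those Jenkins serializes to $JENKINS_HOME/config.xml; the mock
realm's class name and its <data> element are assumptions about that
plugin's serialized form. The sample configs below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
MOCK_REALM = "org.jenkinsci.plugins.mocksecurityrealm.MockSecurityRealm"  # assumed
SEVERITY_ORDER = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}

# Section 2's "Anyone can do anything" with self-registration left on (constructed).
WEAK_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# The corrected settings: logged-in users only, no anonymous read, no sign-up (constructed).
HARDENED_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Section 3's mock realm with a subset of the definitions above (constructed).
MOCK_CONFIG = """
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.mocksecurityrealm.MockSecurityRealm">
    <data>ali manager
bob qa
tina developer qa
darlene qa admins</data>
  </securityRealm>
</hudson>
"""


def child_text(elem, tag):
    """Stripped text of elem/tag, or '' when the element or its text is missing."""
    child = elem.find(tag) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def parse_mock_users(data):
    """Parse Mock Security Realm definitions: 'user group ...' per line -> {user: groups}."""
    users = {}
    for line in data.splitlines():
        parts = line.split()
        if parts:
            users[parts[0]] = set(parts[1:])
    return users


def audit_config(xml_text):
    """Return a list of (severity, message) findings for one config.xml document."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    if child_text(root, "useSecurity").lower() == "false":
        return [("CRITICAL", "Security disabled: no authentication or authorization at all")]

    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class") == UNSECURED:
        findings.append(("CRITICAL", "Anyone can do anything: anonymous users can configure and "
                         "trigger jobs, whose shell steps run with SYSTEM authorization"))
    elif authz.get("class") == FULL_CONTROL:
        if child_text(authz, "denyAnonymousReadAccess").lower() != "true":
            findings.append(("MEDIUM", "Anonymous read access: job names, configuration and "
                             "console output are visible without a login"))
        findings.append(("LOW", "Logged-in users can do anything: every account is a full administrator"))

    realm = root.find("securityRealm")
    realm_class = realm.get("class") if realm is not None else ""
    if realm is None:
        findings.append(("CRITICAL", "No security realm configured"))
    elif realm_class == PRIVATE_REALM and child_text(realm, "disableSignup").lower() != "true":
        findings.append(("HIGH", "Self-registration enabled: anyone reaching the login page can create an account"))
    elif realm_class == MOCK_REALM:
        users = parse_mock_users(child_text(realm, "data"))
        findings.append(("HIGH", "Mock Security Realm in use: %d accounts whose password is the "
                         "username (%s)" % (len(users), ", ".join(sorted(users)))))
    return findings


def max_severity(findings):
    """Highest severity among the findings, or 'OK' when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="OK")


def audit_file(path):
    """Audit a config.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read())


if __name__ == "__main__":
    # With paths on the command line audit those files; otherwise audit the three samples.
    if len(sys.argv) > 1:
        reports = {p: audit_file(p) for p in sys.argv[1:]}
    else:
        reports = {"weak": audit_config(WEAK_CONFIG), "hardened": audit_config(HARDENED_CONFIG),
                   "mock": audit_config(MOCK_CONFIG)}
    for name, findings in reports.items():
        print(f"{name}: {max_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it with no arguments to see the three sample verdicts, or pass one or more config.xml paths. The hardened sample still reports a LOW finding because Logged-in users can do anything makes every account an administrator, which is exactly the gap role-based authorization closes in the next lesson.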

