Jenkins Security Concepts
Internal
Jenkins Security Model
Jenkins uses a permission-based security model. Different operations have different permissions. Plugins can define their own permissions. To decide whether an operation can be performed, Jenkins asks the currently configured authorization strategy whether a specific authentication has the required permission in a specific context.
Authorization Strategy
The authorization strategy is an extension point and there are multiple plugins providing their own implementations. In most cases, these strategies are mostly hierarchical, so if an authentication has a permission in a parent context it will typically have the same permission in the children of that context.
Each authorization strategy is provided with the authentication that is requesting permission, permissions requested, and the context of the request. It returns a "yes/no" answer.
Authentication
Each execution thread has an associated authentication. There are three classes of authentications:
- ACL.SYSTEM (also known as SYSTEM) - the super-user authentication of the Jenkins master process itself. Any actions performed by Jenkins itself will start in a thread using this authentication.
- User authentication - assigned to any web/CLI request by a logged user.
- Jenkins.ANONYMOUS (known as ANONYMOUS) - assigned to any web/CLI request that has not been authenticated.
User
Permission
Hidden Permissions
Hidden permissions that interact with credential scopes: "Credentials/UseOwn" and "Credentials/UseItem".
Contexts
Jenkins implements a hierarchical context model. Every context has a chain of parent contexts leading ultimately to the root context. Plugins can define additional child contexts, but by default, Jenkins provides the child contexts described below.
Root Context
The root context is Jenkins itself.
Job Context
Each job has its own context.
User Context
Each user has its own context.
Build Agent Context
Each build agent has its own context.
View Context
Each view has its own context.
Credentials Management
A summary of credentials managed by a Jenkins instance is available from Jenkins -> Credentials. The view lists credential types, providers, stores, domains as well as details such as ID and name.
Credentials Plugin
Credential
Credential ID
Credential Name
Credential Scope
The scope defines how the credentials can be exposed:
System Scope
This scope is only available in credential stores associated with the root context. System scope credentials are exposed to Jenkins system/background tasks. For example, a system-scoped credential can be used to connect a build agent.
Global Scope
This is the default scope. Global scope credentials are exposed to their associated context and all child contexts. For example, to make a credential generally available to jobs, use the Global scope.
User Scope
This scope is the only scope available in the per-user credentials store. User scope credentials are only available to threads using that specific user's Authentication.
Credential Type
Username with Password
Docker Certificates Directory
Docker Host Certificate Authentication
SSH Username with Private Key
Secret File
Secret Text
Certificate
Credential Provider
A credential provider connects Jenkins to an external credential vault.
Jenkins Credentials Provider
Managed by the Credentials Plugin. Provides credentials from the root of Jenkins. Credentials will be available to:
- Authentication: SYSTEM
- Users with permission: Job/Configure
Credentials will be available in:
- Global scoped credentials are available to all items within Jenkins.
- System scoped credentials are restricted to system level operations such as connecting build agents.
User Credentials Provider
Managed by the Credentials Plugin. Provides each user with a personal credential store. Credentials will be available to:
- Immediate operations performed by the user who defined the credentials.
- Jobs with credentials parameters when directly triggered by a user with the permission: Job/Build.
- Jobs running as the user and the user has the permission: Job/Build.
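The permission check and the scope rules above can be observed directly from the Jenkins script console. The following Groovy script is an added example, not code from Jenkins or the Credentials Plugin; it asks the configured authorization strategy whether each authentication holds Job/Configure on one job, then lists which credentials each authentication can see in that job's context. The job name "example-job" and user id "alice" are placeholders, and the legacy Acegi-based API names (ACL.SYSTEM, Jenkins.ANONYMOUS, impersonate()) are used because they match the terminology of this page.

```groovy
import jenkins.model.Jenkins
import hudson.model.Item
import hudson.model.User
import hudson.security.ACL
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import com.cloudbees.plugins.credentials.domains.DomainRequirement

// Placeholders: adjust to an existing job and user id on the instance being audited.
def jenkins = Jenkins.get()
def job = jenkins.getItemByFullName("example-job", Item)
if (job == null) {
    throw new IllegalStateException("job not found; adjust the placeholder name")
}
def user = User.getById("alice", false)

// The three classes of authentication described above.
// (ACL.SYSTEM / Jenkins.ANONYMOUS / User.impersonate() are the legacy Acegi forms;
// newer cores also expose ACL.SYSTEM2 / Jenkins.ANONYMOUS2 / impersonate2().)
def authentications = [
    "SYSTEM"   : ACL.SYSTEM,
    "ANONYMOUS": Jenkins.ANONYMOUS,
]
if (user != null) {
    authentications["user:" + user.id] = user.impersonate()
}

authentications.each { label, auth ->
    // Permission check: the job's ACL delegates to the configured authorization
    // strategy, which answers yes/no for (authentication, permission, context).
    boolean canConfigure = job.getACL().hasPermission(auth, Item.CONFIGURE)

    // Credential lookup in the job's context as that authentication. System-scoped
    // credentials only appear for SYSTEM; user-scoped ones only for the user's own
    // authentication; global ones for anyone the providers consider entitled.
    def visible = CredentialsProvider.lookupCredentials(
        StandardCredentials, job, auth, Collections.<DomainRequirement>emptyList())

    println "${label}: Job/Configure=${canConfigure}, " +
            "credentials visible in '${job.fullName}': ${visible*.id}"
}
```

Running it as an administrator for several users is a quick way to confirm that a credential intended to be system-scoped is not reachable from job contexts.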