当前位置:theitroad>Linux 如何从命令行重置 Jenkins 安全设置?

Linux 如何从命令行重置 Jenkins 安全设置?

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/6988849/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-05 05:35:19  来源:igfitidea点击:

How to reset Jenkins security settings from the command line?

linuxsecurityjenkinscommand-line

提问by ryanzec

Is there a way to reset all (or just disable the security settings) from the command line without a user/password as I have managed to completely lock myself out of Jenkins?

有没有办法在没有用户/密码的情况下从命令行重置所有(或只是禁用安全设置),因为我已经设法将自己完全锁定在外面Jenkins

采纳答案by Nowaker

The simplest solution is to completely disable security - change trueto falsein /var/lib/jenkins/config.xmlfile.

最简单的解决方案是完全禁用安全-变化truefalse/var/lib/jenkins/config.xml文件中。

<useSecurity>true</useSecurity>

Then just restart Jenkins, by

然后只需重新启动詹金斯,通过

sudo service jenkins restart

And then go to admin panel and set everything once again.

然后转到管理面板并再次设置所有内容。

If you in case are running your Jenkins inside k8s pod from a docker, which is my case and can not run servicecommand, then you can just restart Jenkins by deleting the pod:

如果您在 docker 的 k8s pod 中运行 Jenkins,这是我的情况并且无法运行service命令,那么您可以通过删除 pod 来重新启动 Jenkins:

kubectl delete pod <jenkins-pod-name>

Once the command was issued, the k8s will terminate the old pod and start a new one.

命令发出后,k8s 将终止旧的 pod 并启动一个新的 pod。

回答by ryanzec

I found the file in question located in /var/lib/jenkins called config.xml, modifying that fixed the issue.

我发现有问题的文件位于 /var/lib/jenkins 中,名为 config.xml,修改后解决了问题。

回答by user637338

The answer on modifying was correct. Yet, I think it should be mentioned that /var/lib/jenkins/config.xmllooks something like this if you have activated "Project-based Matrix Authorization Strategy". Deleting /var/lib/jenkins/config.xmland restarting jenkins also does the trick. I also deleted the users in /var/lib/jenkins/usersto start from scratch.

修改的答案是正确的。但是,我认为应该提到的是,/var/lib/jenkins/config.xml如果您已激活“基于项目的矩阵授权策略” ,则看起来像这样。删除/var/lib/jenkins/config.xml并重新启动 jenkins 也可以解决问题。我还删除了用户/var/lib/jenkins/users从头开始。

<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Computer.Configure:jenkins-admin</permission>
    <permission>hudson.model.Computer.Connect:jenkins-admin</permission>
    <permission>hudson.model.Computer.Create:jenkins-admin</permission>
    <permission>hudson.model.Computer.Delete:jenkins-admin</permission>
    <permission>hudson.model.Computer.Disconnect:jenkins-admin</permission>
    <!-- if this is missing for your user and it is the only one, bad luck -->
    <permission>hudson.model.Hudson.Administer:jenkins-admin</permission>
    <permission>hudson.model.Hudson.Read:jenkins-admin</permission>
    <permission>hudson.model.Hudson.RunScripts:jenkins-admin</permission>
    <permission>hudson.model.Item.Build:jenkins-admin</permission>
    <permission>hudson.model.Item.Cancel:jenkins-admin</permission>
    <permission>hudson.model.Item.Configure:jenkins-admin</permission>
    <permission>hudson.model.Item.Create:jenkins-admin</permission>
    <permission>hudson.model.Item.Delete:jenkins-admin</permission>
    <permission>hudson.model.Item.Discover:jenkins-admin</permission>
    <permission>hudson.model.Item.Read:jenkins-admin</permission>
    <permission>hudson.model.Item.Workspace:jenkins-admin</permission>
    <permission>hudson.model.View.Configure:jenkins-admin</permission>
    <permission>hudson.model.View.Create:jenkins-admin</permission>
    <permission>hudson.model.View.Delete:jenkins-admin</permission>
    <permission>hudson.model.View.Read:jenkins-admin</permission>
  </authorizationStrategy>

回答by drordk

I had a similar issue, and following reply from ArtB,

我有一个类似的问题,按照 ArtB 的回复,

I found that my user didn't have the proper configurations. so what I did:

我发现我的用户没有正确的配置。所以我做了什么:

Note: manually modifying such XML files is risky. Do it at your own risk. Since I was already locked out, I didn't have much to lose. AFAIK Worst case I would have deleted the ~/.jenkins/config.xml file as prev post mentioned.

注意:手动修改此类 XML 文件是有风险的。风险自负。因为我已经被锁定了,我没有什么可失去的。AFAIK 最坏的情况我会删除 ~/.jenkins/config.xml 文件作为上一篇文章提到的。

**> 1. ssh to the jenkins machine

**> 1. ssh 到 jenkins 机器

  1. cd ~/.jenkins (I guess that some installations put it under /var/lib/jenkins/config.xml, but not in my case )
  2. vi config.xml, and under authorizationStrategy xml tag, add the below section (just used my username instead of "put-your-username")
  3. restart jenkins. in my case as root service tomcat7 stop; ; service tomcat7 start
  4. Try to login again. (worked for me)**
  1. cd ~/.jenkins (我猜有些安装将它放在 /var/lib/jenkins/config.xml 下,但在我的情况下不是)
  2. vi config.xml,在authorizationStrategy xml 标签下,添加以下部分(只使用我的用户名而不是“put-your-username”)
  3. 重启詹金斯。在我的情况下,作为 root 服务 tomcat7 停止;; 服务tomcat7启动
  4. 再次尝试登录。(为我工作)**

under

在下面

add:

添加:

<permission>hudson.model.Computer.Build:put-your-username</permission>
<permission>hudson.model.Computer.Configure:put-your-username</permission>
<permission>hudson.model.Computer.Connect:put-your-username</permission>
<permission>hudson.model.Computer.Create:put-your-username</permission>
<permission>hudson.model.Computer.Delete:put-your-username</permission>
<permission>hudson.model.Computer.Disconnect:put-your-username</permission>
<permission>hudson.model.Hudson.Administer:put-your-username</permission>
<permission>hudson.model.Hudson.ConfigureUpdateCenter:put-your-username</permission>
<permission>hudson.model.Hudson.Read:put-your-username</permission>
<permission>hudson.model.Hudson.RunScripts:put-your-username</permission>
<permission>hudson.model.Hudson.UploadPlugins:put-your-username</permission>
<permission>hudson.model.Item.Build:put-your-username</permission>
<permission>hudson.model.Item.Cancel:put-your-username</permission>
<permission>hudson.model.Item.Configure:put-your-username</permission>
<permission>hudson.model.Item.Create:put-your-username</permission>
<permission>hudson.model.Item.Delete:put-your-username</permission>
<permission>hudson.model.Item.Discover:put-your-username</permission>
<permission>hudson.model.Item.Read:put-your-username</permission>
<permission>hudson.model.Item.Workspace:put-your-username</permission>
<permission>hudson.model.Run.Delete:put-your-username</permission>
<permission>hudson.model.Run.Update:put-your-username</permission>
<permission>hudson.model.View.Configure:put-your-username</permission>
<permission>hudson.model.View.Create:put-your-username</permission>
<permission>hudson.model.View.Delete:put-your-username</permission>
<permission>hudson.model.View.Read:put-your-username</permission>
<permission>hudson.scm.SCM.Tag:put-your-username</permission>

Now, you can go to different directions. For example I had github oauth integration, so I could have tried to replace the authorizationStrategy with something like below:

现在,你可以去不同的方向。例如,我有 github oauth 集成,所以我可以尝试用以下内容替换 authorizationStrategy:

Note:, It worked in my case because I had a specific github oauth plugin that was already configured. So it is more risky than the previous solution.

注意:,它在我的情况下有效,因为我有一个已经配置的特定 github oauth 插件。所以它比以前的解决方案风险更大。

  <authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy" plugin="[email protected]">
    <rootACL>
      <organizationNameList class="linked-list">
        <string></string>
      </organizationNameList>
      <adminUserNameList class="linked-list">
        <string>put-your-username</string>
        <string>username2</string>
        <string>username3</string>
        <string>username_4_etc_put_username_that_will_become_administrator</string>
      </adminUserNameList>
      <authenticatedUserReadPermission>true</authenticatedUserReadPermission>
      <allowGithubWebHookPermission>false</allowGithubWebHookPermission>
      <allowCcTrayPermission>false</allowCcTrayPermission>
      <allowAnonymousReadPermission>false</allowAnonymousReadPermission>
    </rootACL>
  </authorizationStrategy>

回答by richarbernal

Edit the file $JENKINS_HOME/config.xml and change de security configuration with this:

编辑文件 $JENKINS_HOME/config.xml 并使用以下内容更改 de security 配置:

<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>

After that restart Jenkins.

之后重新启动詹金斯。

回答by l0b0

To reset it without disabling securityif you're using matrix permissions (probably easily adaptable to other login methods):

如果您使用矩阵权限(可能很容易适应其他登录方法),则在不禁用安全性的情况下重置它:

  1. In config.xml, set disableSignupto false.
  2. RestartJenkins.
  3. Go to the Jenkins web page and sign up with a new user.
  4. In config.xml, duplicate one of the <permission>hudson.model.Hudson.Administer:username</permission>lines and replace usernamewith the new user.
  5. If it's a private server, set disableSignupback to truein config.xml.
  6. RestartJenkins.
  7. Go to the Jenkins web page and log in as the new user.
  8. Reset the passwordof the original user.
  9. Log inas the original user.
  1. 在 中config.xml,设置disableSignupfalse
  2. 重启詹金斯。
  3. 转到 Jenkins 网页并注册一个新用户
  4. 在 中config.xml,复制其中<permission>hudson.model.Hudson.Administer:username</permission>一行并替换username为新用户。
  5. 如果是私人服务器,请设置disableSignuptruein config.xml
  6. 重启詹金斯。
  7. 转到 Jenkins 网页并以新用户身份登录
  8. 重置原用户的密码
  9. 以原始用户身份登录

Optional cleanup:

可选清理:

  1. Delete the new user.
  2. Delete the temporary <permission>line in config.xml.
  1. 删除新用户。
  2. 删除 中的临时<permission>config.xml

No securities were harmed during this answer.

在这个回答过程中没有证券受到损害。

回答by Arseny

One other way would be to manually edit the configuration file for your user (e.g. /var/lib/jenkins/users/username/config.xml) and update the contents of passwordHash:

另一种方法是手动编辑用户的配置文件(例如 /var/lib/jenkins/users/username/config.xml)并更新passwordHash的内容:

<passwordHash>#jbcrypt:a$razd3L1aXndFfBNHO95aj.IVrFydsxkcQCcLmujmFQzll3hcUrY7S</passwordHash>

Once you have done this, just restart Jenkins and log in using this password:

完成此操作后,只需重新启动 Jenkins 并使用此密码登录:

test

回答by uckelman

The <passwordHash>element in users/<username>/config.xmlwill accept data of the format

中的<passwordHash>元素users/<username>/config.xml将接受格式的数据

salt:sha256("password{salt}")

So, if your salt is barand your password is foothen you can produce the SHA256 like this:

所以,如果你的盐是bar,你的密码是,foo那么你可以像这样生成 SHA256:

echo -n 'foo{bar}' | sha256sum

You should get 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349as the result. Take the hash and put it with the salt into <passwordHash>:

你应该得到7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349结果。取出哈希并将其与盐一起放入<passwordHash>

<passwordHash>bar:7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349</passwordHash>

Restart Jenkins, then try logging in with password foo. Then reset your password to something else. (Jenkins uses bcrypt by default, and one round of SHA256 is not a secure way to store passwords. You'll get a bcrypt hash stored when you reset your password.)

重启 Jenkins,然后尝试使用 password 登录foo。然后将您的密码重置为其他内容。(Jenkins 默认使用 bcrypt,一轮 SHA256 不是存储密码的安全方式。重置密码时,您将获得存储的 bcrypt 哈希值。)

回答by Musharraf Al-tamimi

changing the <useSecurity>true</useSecurity>to <useSecurity>false</useSecurity>will not be enough, you should remove <authorizationStrategy>and <securityRealm>elements too and restart your jenkins server by doing sudo service jenkins restart.

更改<useSecurity>true</useSecurity><useSecurity>false</useSecurity>还不够,您还应该删除<authorizationStrategy><securityRealm>元素并通过执行sudo service jenkins restart.

remember this, set <usesecurity>to falseonly may cause a problem for you, since these instructions are mentioned in thier official documentation here.

请记住这一点,设置<usesecurity>falseonly 可能会给您带来问题,因为此处的官方文档中提到了这些说明。

回答by Nick

On the offchance you accidentally lock yourself out of Jenkins due to a permission mistake, and you dont have server-side access to switch to the jenkins user or root... You can make a job in Jenkins and add this to the Shell Script:

在偶然的情况下,由于权限错误,您不小心将自己锁定在 Jenkins 之外,并且您没有服务器端访问权限来切换到 jenkins 用户或 root ……您可以在 Jenkins 中工作并将其添加到 Shell 脚本中:

sed -i 's/<useSecurity>true/<useSecurity>false/' ~/config.xml

Then click Build Now and restart Jenkins (or the server if you need to!)

然后单击“立即构建”并重新启动 Jenkins(如果需要,也可以重新启动服务器!)

相关推荐

Linux 如何让 GNU 屏幕读取 .bash_profile/.bash_rc 更改?

Linux 如何让 GNU 屏幕读取 .bash_profile/.bash_rc 更改?

Linux 使用 sed 删除文本块

Linux 使用 sed 删除文本块

Linux 如何在C中从串口打开,读取和写入?

Linux 如何在C中从串口打开,读取和写入?

异步信号处理程序如何在 Linux 上执行?

异步信号处理程序如何在 Linux 上执行?

相关推荐
最近更新
标签