61

I do not want new users to be able to sign up. So in Jenkin's Configuration, I disabled "Allow users to sign up" with using Jenkin's own user database.

But how can I manually add users now? Also, is there a default admin user I should take care of?

fabb
  • 11,660
  • 13
  • 67
  • 111

4 Answers4

81

There is "Create Users" in "Manage Jenkins".

fabb
  • 11,660
  • 13
  • 67
  • 111
  • 29
    It seems it now is under "Manage Jenkins" > "Manage Users" > "Create User" (at `/securityRealm/addUser` ) – kapex Mar 27 '14 at 11:33
  • 13
    Also note that this icon is not shown if you don't have the Jenkins security realm set as "Jenkins own user database" under "Manage Jenkins" > "Configure Global Security" – user64141 Oct 01 '14 at 19:01
  • 3
    But how does one add the first user then? If I turn on security I'm logged out. – Bojan Markovic Dec 04 '14 at 09:10
  • 1
    On Jenkins 1.595, I don't see any "Create Users" or "Manage Users" – Igbanam Dec 22 '14 at 14:39
  • 13
    This is the worst security setup I have ever seen ;) You have to first enable Security under "Global Security", and you have to select "Jenkins own user database" and do not forget to select all users have own rights and users can sign up themselves, otherwise you have blocked yourself quite efficiently. – kap Apr 17 '15 at 22:54
  • @kap your comment is not just a comment, it's the correct answer :-) Perhaps you might create a answer? – Matthias M Jun 18 '15 at 19:27
  • 3
    I agree it's not a great security setup. However I've found a way to do it: Manage Jenkins -> Jenkins own user database, Anyone can do anything. Then you are not forced to login or signup. Manage Jenkins -> Manage Users and you create your users, then setup security accordingly. – vezenkov Aug 05 '15 at 10:54
  • @iGbanam This is because you must first Enable Security. – DBedrenko Jul 29 '17 at 13:31
  • I'm glad I'm not the only one who assumed enabling Security with no users wouldn't let anybody log in! Fortunately Jenkins is smart enough to not do that. – Ben S Sep 28 '17 at 10:22
20

In case "Allow users to sign up" was already disabled and security turned on and there is no user you can use to login the only way to go is to change Jenkins configuration manually on the server and restart server.

Thing to change is in Jenkins Home folder i config.xml file. change

<useSecurity>true</useSecurity>

to

<useSecurity>false</useSecurity>

restart and refresh browser

Voila!!!

Michal K
  • 321
  • 2
  • 4
  • 1
    as a side note, if you have setup matrix security addtional tags are added which will cause the bootstrap to fail. removing the authorizationStrategy and securityRealm tags will do the trick in the case where you have enabled matrix security. – ebt Jun 16 '15 at 16:44
  • WARNING: This will disable security on your Jenkins installation and is not required in order to create new users. If your intent is to create new users and you have not lost access to your Jenkins installation, then I do not recommend this. – Sam Gleske Feb 04 '18 at 14:55
12

Manage Jenkins -> Jenkins own user database, Anyone can do anything. Then you are not forced to login or signup. Manage Jenkins -> Manage Users and you create your users, then setup security accordingly.

If you don't setup the security method first there is no way to add users.

A convenient way for configuring Jenkins is to edit the config.xml file directly and use the Manage Jenkins -> Reload configuration from Disk hyperlink instead of restarting the service.

vezenkov
  • 4,009
  • 1
  • 26
  • 27
  • It's Manage Jenkins -> Configure Global Security -> Jenkins own user database, Anyone can do anything. You answer helped me – Wilder Valera Jun 15 '17 at 15:31
  • WARNING: "anyone can do anything" means you have disabled security completely because anonymous is part of "anyone". I do not recommend this. – Sam Gleske Feb 04 '18 at 14:51
  • 1
    ""anyone can do anything" ..., then setup security accordingly." This is just a temporary workaround so that you can set the security up. I also don't recommend leaving it with "Anyone can do anything" enabled - there is no sense of users then :)... – vezenkov Feb 06 '18 at 20:40
6

The recommended way to handle this is to use matrix based security and leave sign up on. Set default permissions to nothing, this way when people sign up they can't actually do anything until you explicitly grant them permissions. If you don't want to leave the sign up on for some reason, you will have to enable to add users and then disable when you are done. As far as I know there is no way to add a user with sign up turned off unless you want to hand edit the config files.

There is no default admin user, you will want to make sure you add yourself with max permissions or you risk getting locked out when you enable security.

CIGuy
  • 5,076
  • 28
  • 37
  • Ok, so I should *not* add usernames that have not yet registered to the matrix, otherwise I risk some intruder to register with such a username and instantly getting the set permissions. – fabb Aug 22 '12 at 07:37
  • Yes, you will also want to make sure that you add a group to the matrix called "Authenticated" with no default permissions. This will ensure that anyone who registers has to wait until you explicitly add them with a higher permissions level before they can access anything. – CIGuy Aug 22 '12 at 15:13
  • I've removed all permissions of user "Anonymous", isn't that enough to make registered users which are not listed in the matrix not see anything? Is "Authenticated" some builtin group? And how can I add users to groups? – fabb Aug 22 '12 at 21:25
  • Yes, Authenticated is a built in group. Any logged in user is added to this group by default. Anonymous only covers users who are not logged in. – CIGuy Aug 22 '12 at 21:30
  • 1
    I tried signing up as a user not in the matrix. I just get `Status Code: 404` from the server then. Looks safe to me? – fabb Aug 23 '12 at 10:15
  • Also, adding `Authenticated` to the matrix shows a big red minus at the left of the name indicating that this user/group does not exist. – fabb Aug 23 '12 at 10:16
  • WARNING: Allowing sign up (even if you don't allow signed up accounts permissions by default) leaves your Jenkins installation vulnerable to zero-day vulnerabilities which require an account in order to do privilege escalation. I do not recommend this. – Sam Gleske Feb 04 '18 at 14:53