7

There used to be a way for an anonymous user - such as a script - to query certain aspects of Jenkins via its REST API. For example, finding out the name of a user who started a particular build job, or the date it executed. However the security model changed in the last few years which seems to make this much more difficult, even for read-only access.

I'm using Jenkins with ADS authentication. I need to provide API access to a script, but I don't want to use a particular user's personal API token (hard-coded in the script) because the script might be run by anyone in my organisation, including as part of other automation, and I don't want to tie this to a specific employee.

Instead I need a job-based token - one which is set for the job. There's a build token, but I don't think this works for the REST API.

I thought about creating a special "auto" user, and creating a token for that user, but the Active Directory config seems to prevent me from creating new Jenkins users. I cannot create a new AD user because I simply don't have the ability to do that in my organisation.

What's the best approach to using API tokens for anonymous access? Also, is there a way to ensure the token only provides limited access - e.g. read only? Ideally such a token would be restricted to a specific set of jobs, rather than global.

Vadim Kotov
davidA
  • Note: I've tried `Allow anonymous read access` and that does allow global read-only access via the API, but it's not token-based or job-based, so it's a bit broader than what I need. – davidA Sep 24 '18 at 00:05
  • you need this - https://wiki.jenkins.io/display/JENKINS/Build+Token+Root+Plugin – Stan E Sep 24 '18 at 07:45
  • @StanEremin will this enable access to the part of the API that returns build information, such as the name of the user that started the build? – davidA Sep 25 '18 at 08:05

2 Answers

2

There is not. Feature request is JENKINS-56465.

OrangeDog
1

See https://stackoverflow.com/a/49938577/97831 on how to add users to the Jenkins database with authentication already enabled.

API tokens are the same as a password, functionally speaking. If you could do it with the password, you can do it with the API token. If you want an API token to have read-only access, then the user it's associated with should be restricted to read-only access.

Jason Swager
  • Ok, thanks, that could work - although that would still be "global" access by default I think (insofar as what the dedicated new user has access to). I'll look into finer-grained permissions for my special user to see if I can restrict it to specific jobs. – davidA Sep 25 '18 at 08:07
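
An added example (not code from any of the posts above) of the script side of the dedicated-user approach: the API token is read from the environment rather than hard-coded, and the request asks only for the start time and trigger cause of one build. The account name `svc-readonly`, the environment variable names, the host and the sample JSON are assumptions constructed for illustration.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Ask only for the fields the script needs, via the remote API's tree parameter.
TREE = "timestamp,actions[causes[userId,userName,shortDescription]]"

def build_request(base_url, job, build, user, token):
    """Build (but do not send) a GET for one build, using HTTP Basic auth."""
    url = "{}/job/{}/{}/api/json?tree={}".format(
        base_url.rstrip("/"), urllib.parse.quote(job, safe=""), build,
        urllib.parse.quote(TREE, safe=","))
    cred = base64.b64encode("{}:{}".format(user, token).encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + cred})

def started_by(build_json):
    """Return (user id or None, cause description, UTC start time)."""
    data = json.loads(build_json)
    when = datetime.fromtimestamp(data["timestamp"] / 1000, tz=timezone.utc)
    fallback = None
    for action in data.get("actions", []):  # the list can contain empty {} entries
        for cause in action.get("causes", []):
            if cause.get("userId"):
                return cause["userId"], cause.get("shortDescription"), when
            fallback = fallback or cause.get("shortDescription")
    return None, fallback, when  # build was not started by a user (e.g. a timer)

# Constructed sample responses, shaped like the build JSON for the fields in TREE.
SAMPLE_USER = (
    '{"timestamp": 1537833900000, "actions": [{}, {"causes": [{'
    '"shortDescription": "Started by user Example User", '
    '"userId": "example.user", "userName": "Example User"}]}]}')
SAMPLE_TIMER = ('{"timestamp": 1537833900000, "actions": '
                '[{"causes": [{"shortDescription": "Started by timer"}]}, {}]}')

if __name__ == "__main__":
    req = build_request(
        os.environ.get("JENKINS_URL", "https://jenkins.example.invalid"),
        "example-job", 42,
        os.environ.get("JENKINS_USER", "svc-readonly"),       # hypothetical account
        os.environ.get("JENKINS_API_TOKEN", "constructed-token"))
    print(req.full_url)  # urllib.request.urlopen(req) would send it
    print(started_by(SAMPLE_USER))
    print(started_by(SAMPLE_TIMER))
```

What the token can read is still decided by the permissions granted to the account it belongs to, so any restriction to specific jobs has to be configured on that account in Jenkins.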