4

I'm automating a Jenkins tool using the Jenkins API that needs to know the value of $JENKINS_HOME. This tool is running outside of Jenkins.

I'm using http:///systemInfo to see the environment variables.

Unfortunately the API for this doesn't have the env vars:

http:///api/xml/systemInfo

The problem is, the systemInfo page requires admin; it gives the error that the user is missing the Overall/Administer permission.

So - why does systemInfo need admin (but the XML doesn't) - or more importantly, how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials?

2 Answers

1

Why does systeminfo need admin

why does systeminfo need admin (but the XML doesn't)

Imagine the following hypothetical situation:

There is one administrator who manages the software projects and the Jenkins instance; he can set secret information in environment variables (like some specific SECRET_KEY that can be used by the Jenkins pipeline).

If every ordinary user or service in the project could now read all the environment variables, they could also get direct access to the SECRET_KEY, without being in the controlled environment of Jenkins configurations that are only accessible on the server.

How to access environment variables outside the server

how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials?

I guess you need to make some kind of token / private key available to the service/user that can be used to make elevated-privilege requests to the server. For example, as explained in this Stack Overflow question:

With this token you can then have elevated privileges for clients. E.g., an example extracted from jenkins.io for authenticating scripted clients:

curl -X POST -L --user jenkins:apiToken \
    https://jenkins.yourcompany.com/job/your_job/build

I hope this also covers your desired API access point for XML.

Some more resources on Jenkins authentication

Jan
  • I wish there was a way to get an API key that would allow for access to systeminfo (where we don't happen to have any hidden secrets in our ENV vars) without then effectively giving anyone with that key admin rights. – David Ljung Madison Stellar Oct 25 '20 at 19:02
  • So your situation is: You have a Jenkins Instance (server) running. And there are normal users using the Jenkins server. Now you would like to create a tool that any user may install/use on their local machine which should have the internal capability to extract the `JENKINS_HOME` env-var without any modifications on the server and without giving it theoretically admin-abilities via an apiKey. Also you do not want to add any extra servers or anything other than one out-of-the-box jenkins instance? – Jan Oct 26 '20 at 10:30
  • Do you also need that, if I would be a user of a completely different Jenkins Instance that has nothing to do with your environment, you would like me to be able to install your tool on my local machine and interact with my jenkins-instance without the server even knowing there is such a tool... and this tool should then be capable of retrieving the `JENKINS_HOME` env-var of that instance? – Jan Oct 26 '20 at 10:33
  • Bingo - that's the dream. I want a way for a tool to get JENKINS_HOME without needing admin and without needing to change the Jenkins setup. Looks like that's probably not possible - though I can't think of a reason that the JENKINS_HOME would need to be protected. I'm guessing it's just functionality that's not implemented (like much of the Jenkins API). – David Ljung Madison Stellar Oct 26 '20 at 20:36
1

how can I get the JENKINS_HOME for a given Jenkins server using regular user credentials

I think there is no place where this is directly exposed to non-admin users.

A clean way to exhibit the path in a controlled manner is to extract the information once during Jenkins startup, and put it in a place where all others can access it.

E.g., you could provide the path via $JENKINS_URL/userContent/jenkins_home.txt by adding the following init script in $JENKINS_HOME/init.groovy.d/create-jenkins-home.groovy:

import jenkins.model.Jenkins
// Runs once at startup: publish the JENKINS_HOME path (and nothing else) under userContent
def home = Jenkins.get().getRootDir()
home.toPath().resolve("userContent").resolve("jenkins_home.txt").setText(home.getPath())
Alex O
  • It looks like you are right - and Jan's answer explains why it's true. Unfortunately, your workaround (while I voted it up) doesn't work right in my situation which is that I am creating a general purpose Jenkins tool that otherwise doesn't need changes to the Jenkins config - but I think it'll be useful to other people searching for this info. – David Ljung Madison Stellar Oct 25 '20 at 19:02
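
A client-side sketch of the userContent approach from the second answer, as an added example that is not part of the original posts or of Jenkins itself: it reads the published `userContent/jenkins_home.txt` with a regular user's API token and checks that the response really is a single absolute path rather than a login or error page. The function names, the HTTPS-only rule, the 4096-byte read limit and the sample values are assumptions.

```python
import base64
import urllib.error
import urllib.request

# Location written by the init script in the answer above.
USER_CONTENT_PATH = "userContent/jenkins_home.txt"


def parse_jenkins_home(body, content_type="text/plain"):
    """Validate the published file: exactly one absolute path, nothing else."""
    if "html" in content_type.lower():
        # A login or error page came back instead of the published file.
        raise ValueError("got HTML instead of the published path")
    text = body.decode("utf-8").strip()
    if not text or any(ord(c) < 32 for c in text):
        raise ValueError("expected a single line containing one path")
    # Accept POSIX (/var/lib/jenkins) and Windows (C:\Jenkins) absolute paths.
    is_windows = len(text) > 2 and text[0].isalpha() and text[1:3] in (":\\", ":/")
    if not (text.startswith("/") or is_windows):
        raise ValueError("not an absolute path: %r" % text)
    return text


def fetch_jenkins_home(base_url, user, api_token):
    """Read the published path with a regular (non-admin) user's API token."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an API token over a non-HTTPS URL")
    url = base_url.rstrip("/") + "/" + USER_CONTENT_PATH
    cred = base64.b64encode(("%s:%s" % (user, api_token)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_jenkins_home(resp.read(4096), resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as err:
        # Map the status to a hint so the tool fails with a useful message.
        hints = {401: "authentication failed", 403: "permission denied", 404: "file not published"}
        raise RuntimeError("%s: HTTP %d (%s)" % (url, err.code, hints.get(err.code, "unexpected"))) from err


if __name__ == "__main__":
    # Constructed sample response body, so this runs without a Jenkins server.
    print(parse_jenkins_home(b"/var/lib/jenkins\n"))
```
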