On Wed, Apr 09, 2014 at 03:44:03PM -0400, Jon Cope wrote:
> I agree that it's not a great solution but it'll get me by while I
> search for a more favorable one. Is there another way to utilize the
> webhook feature without enabling any anon privileges?

I'm using it fine without allowing anonymous users to start builds.

For extra security you can put a front-end web server (like Apache) in
front of your Jenkins and disallow unauthenticated access, with the sole
exception of /github-webhook.
https://wiki.jenkins-ci.org/display/JENKINS/GitHub+Plugin#GitHubPlugin-SecurityImplications
claims this is safe.

> ----- Original Message -----
> From: "Kevin Fleming (BLOOMBERG/ 731 LEXIN)" <[email protected]>
> To: [email protected]
> Sent: Wednesday, April 9, 2014 2:07:17 PM
> Subject: Re: Enabling Jenkins Security Blocks Github Webook <404 Error>
>
> Keep in mind that this will allow anyone to kick off builds of your
> jobs if they can reach your Jenkins web interface. This may not be a
> concern for you, but something to think about.
>
> ----- Original Message -----
> From: [email protected]
> To: [email protected]
> At: Apr 9 2014 14:25:54
>
> Ah, no. Apologies, forgot to remove that. Initially I had it enabled
> as disabling it seemed to break the webhook feature. Today with
> Jobs:configure off, it seems to work fine.
>
> To clarify - Jobs: Read, Build | Overall: read

Marius Gedminas
--
IBM motto: "We found five vowels hiding in a corner, and we used them _all_
for the 'eieio' instruction so that we wouldn't have to use them anywhere else"
        -- Linus Torvalds
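The front-end arrangement suggested in the reply above, sketched as an Apache 2.4 virtual host. This is an added example, not configuration posted in the thread; the hostname, file paths, the use of Basic authentication as the front-end login and the loopback Jenkins address are all assumptions.

```apache
# Added example, not from the thread. Constructed values: hostname,
# certificate paths, htpasswd path, Jenkins address 127.0.0.1:8080.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_auth_basic,
# mod_authn_file and mod_authz_core (Apache 2.4 syntax).
<VirtualHost *:443>
    ServerName jenkins.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/jenkins.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/jenkins.example.org.key

    # Assumption: Jenkins is bound to loopback only, so this virtual
    # host is the only network path to it.
    ProxyRequests       Off
    ProxyPreserveHost   On
    AllowEncodedSlashes NoDecode
    ProxyPass        / http://127.0.0.1:8080/ nocanon
    ProxyPassReverse / http://127.0.0.1:8080/

    # Default rule: every URL requires a front-end login.
    <Location "/">
        AuthType Basic
        AuthName "Jenkins front end"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/jenkins.htpasswd
        Require valid-user
        # Do not forward the front-end credentials to Jenkins, which
        # keeps its own login and permission matrix.
        RequestHeader unset Authorization
    </Location>

    # Sole exception: the GitHub plugin's webhook endpoint.
    # <Location "/github-webhook"> matches /github-webhook and
    # /github-webhook/..., but not /github-webhook-other.
    # With the default "AuthMerging Off", this Require replaces the
    # valid-user rule merged in from <Location "/">.
    <Location "/github-webhook">
        Require all granted
    </Location>
</VirtualHost>
```

Because the Authorization header is stripped before proxying, clients that authenticate to Jenkins itself with HTTP Basic credentials will not work through this virtual host. A request for any path other than /github-webhook without front-end credentials should come back as 401 from Apache and never reach Jenkins.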
