-
Improvement
-
Resolution: Fixed
-
Major
-
None
-
Platform: All, OS: All
Currently Hudson is configured to recognize JavaServlet view of authenticated
users. In the setup module a user can request hudson to enable security or
eschew it.
I would like to see 2 options for enable security:
Option #1: Require a user to have an admin role in order to launch a build or
configure anything. This option is supproted today.
Option #2: Forbid un authenticated users from seeing any information about the
hudson configuration and/or projects. Currently I can have this effect by
modifying build.xml to set the protected URL to / but I get the undesirable side
effect of requiring authentication to even see the graphics on the login page.
This feature is important to users who have internet accessible Hudson sites.
- is duplicated by
-
JENKINS-565 Customizable authorization
-
- Closed
-
-
JENKINS-1033 Build Trigger Type: Manual
-
- Closed
-
Hudson currently only has a very limited notion of security. Basically, you are
either an admin or not, and admin can do anything but users can't do much.
We obviously need more fine-grained access-control and authorization, such as:
Other access control requests made in the past includes:
So I'm going to use this issue to keep track of this request, which is a
superset of the original issue.
One design consideration is whether to delegate the authentication to the
container (like we do today), or handle that by ourselves. The latter would
allow Hudson to present UI like "register" and so on, but the former would be
easier.
A potentially useful library: http://www.acegisecurity.org/