How to remove an LDAP user from Jenkins

别说谁变了你拦得住时间么 submitted on 2021-02-11 12:33:33

Question


I know it's weird, but I can't delete/disable users from Jenkins. I checked everywhere but no chance.

Jenkins ver is 2.217

When I click "People"-->"Any User", the options are like below:

If I click the "configure" page, there is also nothing.

I also checked "Manage Jenkins"->"Configure Global Security", but there is nothing in there either.

How can I do that?

Thanks!


Answer 1:


For a short answer: you can't do it from Jenkins.

Jenkins LDAP authentication works as a gateway and passes all user/password requests to the configured LDAP server. The only additional thing that Jenkins may do with LDAP authentication is work as a cache. So if you want to delete a user in Jenkins, you must delete it from your LDAP.

What you can do is filter your user (use a group, or check for a property of the user, i.e. check if the user is disabled or not).

Depending on what your use case is (property/group filtering), please check the plugin information page here
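
The group and account-state filtering this answer describes, as an added example that is not part of the original answer or the plugin's documentation: a Jenkins Configuration as Code fragment for the LDAP plugin, assuming an Active Directory style schema (`sAMAccountName`, `memberOf`, `userAccountControl`). The server, DNs, group name and the `LDAP_BIND_PASSWORD` variable are constructed placeholders.

```yaml
# Added example; every hostname, DN and group name below is a placeholder.
jenkins:
  securityRealm:
    ldap:
      configurations:
        - server: "ldaps://ldap.example.com:636"
          rootDN: "dc=example,dc=com"
          # Read-only bind account Jenkins uses to look users up.
          managerDN: "cn=jenkins-bind,ou=service,dc=example,dc=com"
          managerPasswordSecret: "${LDAP_BIND_PASSWORD}"
          userSearchBase: "ou=people"
          # {0} is replaced with the login name the user typed.
          #
          # Unfiltered: every account found in the directory can log in.
          # userSearch: "sAMAccountName={0}"
          #
          # Filtered: the account must be a member of the jenkins-users
          # group AND must not have the ACCOUNTDISABLE bit (0x2) set.
          # 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND
          # matching rule, so this also catches disabled accounts that
          # carry other flags (e.g. 514 and 66050 both have bit 2 set).
          userSearch: "(&(sAMAccountName={0})(memberOf=cn=jenkins-users,ou=groups,dc=example,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

The same filter string can be entered in the LDAP plugin's "User search filter" field. Other directory servers mark disabled accounts with different attributes, so the last clause has to be adapted to the schema in use.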




Answer 2:


You are mixing two different issues, which unfortunately happens often. See {JENKINS_URL}/securityRealm/:

  • Authentication - validate who you are
  • Authorization - validate what you can do

You are using the LDAP plugin to authenticate to Jenkins (i.e. the username/password aspect). It's not clear what you are using for Authorization - what users are allowed to do. Out of the box, authenticated users can do anything unless you change the Authorization aspect.

If nothing else, to secure your system, make sure you have selected:
( o ) Logged-in users can do anything
and disabled:
[ _ ] Allow anonymous read access
(see this tip to add an admin after the fact)

The default authentication is Jenkins' own internal authentication, but if you have LDAP, as long as someone is properly in the LDAP, they will be Authenticated. If you remove them from the LDAP they can't get in. The LDAP plugin does provide for some control in that it can filter on a group for granular authentication.

Assuming you have no control over that, what you need is a form of Authorization - what can they do; the second portion of the screen.

I don't believe there's an LDAP based plugin that integrates Authorization with LDAP groups. That would require a SCIM compliant plugin. Even GitHub.com has only just recently added that capability to their site.

To restrict access, you must configure Authorization to one of:

  • Matrix-based security
  • Project-based Matrix Authorization Strategy
  • Role-Based Strategy

Those options require the Matrix Authorization Strategy plugin. For more information, review Jenkins Security on the site, or the book.

There are additional plugins which may provide more granular user management, security or user/security control; Matrix Authorization Strategy (mentioned), Role-based Authorization Strategy, Folder-based Authorization Strategy come to mind.

You can implement something as simple as two roles: an Admin role and a User role. By default, assign a user neither, or they just get User until they request further access. Or grant everyone User, then selectively remove all roles from a user to effectively disable them - they'll be logged in but can't see or do anything. That's the best you can do as long as you have LDAP authentication and no controls.



Source: https://stackoverflow.com/questions/64524355/how-to-remove-an-ldap-user-from-jenkins
