1. Overview
Jenkins is an open-source automation server for automating partial and full software development cycles. It facilitates continuous integration and continuous delivery.
With Jenkins, we have the ability to provide different levels of security to different users. By default, we won’t need to provide full access to all users.
Jenkins security can be viewed, reset, or completely disabled from the Jenkins console (UI) and command line. Using the command line, we’ll need to change the Jenkins configuration.
Before we proceed further, let us understand the problem first. Sometimes, we might forget the Jenkins login credentials. As a result, we cannot access Jenkins.
In this tutorial, we’ll discuss different ways to regain access to the Jenkins console using the command line. We’ll learn to reset the lost password, disable the security, and other alternate approaches.
It is assumed that we have SSH access to the Jenkins machine. Each solution that we’ll discuss now requires a restart of the Jenkins server. So make sure there are no jobs running on the machine.
2. By Updating Jenkins Main Configuration File
Since we cannot access the Jenkins console, we’ll update the Jenkins configurations using the command line.
2.1. Find Main Config File
In general, we can install Jenkins in two ways on a Linux machine: using the package manager or using the WAR file. If Jenkins is installed using the package manager, the path to the config.xml file will be /var/lib/jenkins/config.xml. On the other hand, if the Jenkins installation was done using a WAR file, then the config.xml file will be located at ~/.jenkins/config.xml.
If the config.xml file is not present in either of the paths mentioned above, we can use the find command to search in the entire machine:
$ find / -name config.xml
2.2. Disable Jenkins Security
Once we’ve located the config.xml file, let’s update the following security attribute from true to false:
<useSecurity>false</useSecurity>
Let’s update the config.xml file using the sed command if there is no access to an editor:
$ sed -i 's/<useSecurity>true<\/useSecurity>/<useSecurity>false<\/useSecurity>/g' /var/lib/jenkins/config.xml
2.3. Restart Jenkins
Finally, we’ll restart Jenkins to bring the changes into effect. Use the following command if Jenkins is installed using the package manager:
$ systemctl restart jenkins
If Jenkins is installed using the WAR, first we need to stop the Java process, then restart Jenkins using the java -jar command.
Now, when accessing the Jenkins console, it won’t ask for a password. This solution is simple but not recommended as it completely bypasses the security.
3. By Updating Jenkins User Config File
Let’s now look into a better solution where we’ll reset the password in the Jenkins user’s config file. Let’s make sure that we have enough permissions to update the files present inside the Jenkins working directory.
3.1. Find User Config File
Before going any further, let’s dive deep into the Jenkins directory structure. Jenkins creates a users directory to store all the user account details. This directory will be present inside the Jenkins working directory. We’ll find a config.xml file corresponding to each Jenkins user at the following file path:
<Jenkins_Working_Directory>/users/<Jenkins_User_Folder>/config.xml
Here, Jenkins_Working_Directory is the directory that stores all the logs, configurations, and build artifacts. The default path for the Jenkins working directory is /var/lib/jenkins. Jenkins_User_Folder is the folder name of the Jenkins user:
$ cd /var/lib/jenkins/users/
$ ls
user1_4268539434599263174 user2_948489902389144094 user3_162302090988132370 users.xml
$ cd user1_4268539434599263174/
$ ls
config.xml
3.2. Generate BCrypt Hash
The user config file that we just discovered includes many user-level configurations, including the password hash. Jenkins uses the bcrypt hashing algorithm to generate the hash of the password. bcrypt takes a cost parameter that decides the number of rounds run before the final hash is returned, which makes each password guess slow and brute-forcing the hash expensive.
Simply put, we’ll choose a new password, generate its bcrypt hash, and replace the hash in the config.xml file. This way, our password will be reset successfully. To generate the hash, we’ll use a publicly available bcrypt tool.
Let us assume a case where we have lost the password for the root user. We now decided to update the new password as secret. The hash generated using the online tool for secret is $2a$10$a7XcruSVvyb0.6ckv97/hOqqTuVx.qzuf7oq9He6HG7puq8DzYwFq
Note that for the same password, a different hash will be generated each time we hash it. This is because bcrypt embeds a fresh random salt in every hash; any of these hashes will verify the same password.
3.3. Update Config File
Let’s now replace the passwordHash in the user config.xml file:
<passwordHash>#jbcrypt:$2a$10$a7XcruSVvyb0.6ckv97/hOqqTuVx.qzuf7oq9He6HG7puq8DzYwFq</passwordHash>
Here jBCrypt denotes the Java implementation of bcrypt. Finally, we need to restart the Jenkins server to bring the changes into effect. Our password is now reset to secret.
This approach is better than the previous one because it does not affect the security of other Jenkins users.
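As an added example (not code from the original tutorial), the following Python script validates the bcrypt string and swaps the passwordHash in a user config.xml through an XML parser instead of hand-editing, backing the file up first. It assumes the hash was produced locally with a bcrypt library rather than pasted into a web form, that the element names follow a real Jenkins user config.xml, and that the sample document is constructed; Jenkins still has to be restarted afterwards.

```python
import re
import shutil
import xml.etree.ElementTree as ET

# Shape Jenkins accepts after "#jbcrypt:" (assumed from jBCrypt): "$2a$", a two-digit
# cost, "$", then 53 bcrypt-base64 characters (22 of salt followed by 31 of hash).
JBCRYPT_RE = re.compile(r"^\$2a\$(\d{2})\$[./A-Za-z0-9]{53}$")

def is_valid_jbcrypt(hash_str):
    """True if hash_str is a bcrypt string Jenkins can load (cost 04..31)."""
    m = JBCRYPT_RE.match(hash_str)
    return bool(m) and 4 <= int(m.group(1)) <= 31

def set_password_hash(xml_text, new_hash):
    """Return the user config.xml text with its <passwordHash> set to #jbcrypt:new_hash."""
    if not is_valid_jbcrypt(new_hash):
        raise ValueError("not a bcrypt hash in the $2a$NN$... form Jenkins expects")
    root = ET.fromstring(xml_text)
    nodes = root.findall(".//passwordHash")
    if len(nodes) != 1:  # refuse to guess if the file is not what we expect
        raise ValueError(f"expected exactly one <passwordHash>, found {len(nodes)}")
    nodes[0].text = "#jbcrypt:" + new_hash
    return ET.tostring(root, encoding="unicode")

def reset_user_password(config_path, new_hash):
    """Back up the file, then write the new hash; restart Jenkins afterwards to load it."""
    shutil.copy2(config_path, config_path + ".bak")
    with open(config_path, encoding="utf-8") as f:
        updated = set_password_hash(f.read(), new_hash)
    with open(config_path, "w", encoding="utf-8") as f:
        f.write(updated)

# Constructed sample in the shape of <Jenkins_Working_Directory>/users/<user>/config.xml
SAMPLE_USER_CONFIG = """<user>
  <fullName>root</fullName>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$OLDHASHPLACEHOLDER</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>"""

if __name__ == "__main__":
    import sys  # usage: reset_jenkins_password.py <users/.../config.xml> <bcrypt-hash>
    reset_user_password(sys.argv[1], sys.argv[2])
```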
4. Using Another User
Since we have lost the password for the admin user, let’s create a new user with root privileges. We’ll use this new user to reset the old user’s password from the Jenkins console.
At last, we’ll clean up all the configurations and the new user that we created.
4.1. Enable Signup
By default, Jenkins provides the signup option during initial installation. Let’s enable it again by setting the disableSignup attribute in the main config.xml file (/var/lib/jenkins/config.xml or ~/.jenkins/config.xml) to false:
<disableSignup>false</disableSignup>
4.2. Create New Root User
Let’s now restart the Jenkins server and access the Jenkins console. This time, we’ll find a link to create a new account on the Jenkins login page.
Let’s first sign up a new user (myuser) from the Jenkins console. Then attach admin privileges to this user by updating the main config.xml file:
<roleMap type="globalRoles">
  <role name="admin" pattern=".*">
    <permissions>
      ...
    </permissions>
    <assignedSIDs>
      <sid>myuser</sid>
    </assignedSIDs>
  </role>
</roleMap>
Here, we have added the newly created user as a sid element inside the assignedSIDs element of the admin role. Now restart the Jenkins server.
4.3. Update the Password
Let’s log in with the new user (myuser) and head over to Manage Jenkins > Manage Users. Now select the user (root) for which we wish to update the password and update the password.
Let’s now save and apply the changes. This will successfully update the password of the user that we lost previously.
4.4. Clean Up
Once we have recovered the password, let’s clean up everything. First, we’ll remove the newly created user, myuser. To do so, log in with the admin user for which we just recovered the password. Then, go to Manage Jenkins > Manage Users and delete the user that we created earlier.
Secondly, we need to delete the user entry from the assignedSIDs tag in the config.xml file. Finally, disable the signup functionality by setting back the disableSignup flag to true.
This solution does not weaken Jenkins’s security for other users. It applies when authorization is managed with the Role-based Authorization Strategy plugin, which is where the roleMap configuration shown above comes from.
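The three config.xml edits in this section (allowing signup, granting the temporary user the admin role, and reverting both during clean-up) as an added Python helper; this is not code from the original tutorial. It assumes the roleMap layout shown above, uses a constructed sample fragment, and leaves writing the file back and restarting Jenkins to the caller.

```python
import xml.etree.ElementTree as ET

ROLE_XPATH = ".//roleMap[@type='globalRoles']/role[@name='{}']"

def _find_role(root, role):
    node = root.find(ROLE_XPATH.format(role))
    if node is None:
        raise ValueError(f"no global role named {role!r} in config.xml")
    return node

def sids_for_role(xml_text, role):
    """Users (SIDs) currently assigned to a global role."""
    role_node = _find_role(ET.fromstring(xml_text), role)
    return [s.text for s in role_node.findall("assignedSIDs/sid")]

def grant_global_role(xml_text, role, sid):
    """Add <sid> under the role's assignedSIDs (no-op if it is already there)."""
    root = ET.fromstring(xml_text)
    role_node = _find_role(root, role)
    assigned = role_node.find("assignedSIDs")
    if assigned is None:
        assigned = ET.SubElement(role_node, "assignedSIDs")
    if sid not in [s.text for s in assigned.findall("sid")]:
        ET.SubElement(assigned, "sid").text = sid
    return ET.tostring(root, encoding="unicode")

def revoke_global_role(xml_text, role, sid):
    """Remove the temporary user's <sid> again during clean-up."""
    root = ET.fromstring(xml_text)
    assigned = _find_role(root, role).find("assignedSIDs")
    if assigned is not None:
        for s in [s for s in assigned.findall("sid") if s.text == sid]:
            assigned.remove(s)
    return ET.tostring(root, encoding="unicode")

def set_disable_signup(xml_text, disabled):
    """Flip <disableSignup>: false to allow signup, true to close it afterwards."""
    root = ET.fromstring(xml_text)
    node = root.find("disableSignup")
    if node is None:
        node = ET.SubElement(root, "disableSignup")
    node.text = "true" if disabled else "false"
    return ET.tostring(root, encoding="unicode")

# Constructed fragment in the shape of the Role Strategy section of the main config.xml
SAMPLE_MAIN_CONFIG = """<hudson>
  <disableSignup>true</disableSignup>
  <authorizationStrategy>
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Administer</permission></permissions>
        <assignedSIDs><sid>root</sid></assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>"""
```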
5. Delete the Configurations
If none of the above methods works for some reason, we can delete the security attributes from the configuration file, or the file itself. This disables security for all Jenkins users. Therefore, it is not a recommended way to get the job done.
5.1. Delete Configuration Attributes
We can delete the useSecurity and authorizationStrategy security attributes from config.xml to disable the security settings in Jenkins:
$ sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
Let’s restart the Jenkins server. Once we have access to Jenkins, we can re-enable security from the Configure Global Security page on the Jenkins console.
5.2. Delete Configuration File
We can also delete the Jenkins config.xml file to disable the security:
$ rm -f /var/lib/jenkins/config.xml
Note that all the configuration changes previously made will be discarded and the default configuration file will be loaded.
Again, we need to restart the Jenkins server for the changes to take effect.
6. Conclusion
In this article, we went through different approaches to regain access to the Jenkins console after losing the password.
First, we looked into a way to disable the security completely. This will also affect other users. Therefore it is not recommended.
Next, we reset the password by overriding the hash in the user’s config.xml file and, alternatively, by creating another admin user. These are the preferred ways to solve the problem because they do not hinder any other aspect of Jenkins.
Finally, we deleted the Jenkins configuration security-related properties and files to disable the security.