1. Plugins
Head to Manage Jenkins > Manage Plugins and install the GitHub Authentication plugin.
Jenkins will download the plugin, and it'll be available after a restart of Jenkins.
2. GitHub Auth Plugin
We'll use GitHub for Authentication.
- Head to Manage Jenkins > Configure Global Security.
- Under Security Realm, choose "Github Authentication Plugin"
- Head to GitHub.com and create an application under the organization (`shipping-docker` for me) we'll use to authenticate against.
  - Homepage: `http://<server-hostname>`
  - Auth callback url: `http://<server-hostname>/securityRealm/finishLogin`
- Fill in Client ID and Secret
I created a new user `shippingdocker` specifically for the following reasons:
- My main user (fideloper) has access to way more organizations than I want Jenkins to be able to see
- I can use this user as a "bot" user with restricted access
We'll also use GitHub for Authorization.
- Choose "GitHub Committer Authorization Strategy"
- Set Admin username as any you want to use. I'll use `shippingdocker` and `fideloper`
- Check the organizations you want Jenkins to know about. I'll just use `shipping-docker`.
- Check `Use GitHub repository permissions` and `Grant READ permissions for /github-webhook`
Once you save those, we'll be able to log out and then back in. It will authenticate us against GitHub. Unfortunately, this gives Jenkins API access to a lot of repositories if you use your main user. The only way around that is to create a new user specifically for the OAuth login. That user can be restricted to just a few repositories.
3. Server Git Access
Jenkins, on the server, will need access to be able to run git commands against our Git repositories. This is another use for our user `shippingdocker`. We'll create an SSH key for this server and add the public key to our `shippingdocker` user so we can access the repositories this user has access to.
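```bash
# Become the jenkins user so the key lands in its home directory
sudo su jenkins
cd ~
mkdir -p .ssh
chmod 700 .ssh   # keep the directory private to the jenkins user
cd .ssh
ssh-keygen -t rsa -b 4096 -C "jenkins-ci"
# Accept the default file name
# Leave the passphrase empty
cat id_rsa.pub
# Copy/paste as project deploy key or user-wide access
ssh -T git@github.com
# ^^ Important step to test and add github.com to known_hosts!
```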
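Because the key generated above has no passphrase, file permissions are the only thing protecting it on disk. The check below is an added example, not part of the original walkthrough: `audit_ssh_dir` and `owner_only` are hypothetical helper names, and it assumes private keys can be recognised by a PEM-style `PRIVATE KEY-----` header on their first line.

```shell
#!/usr/bin/env bash
# Added example: audit the jenkins user's .ssh directory after the key setup.
# audit_ssh_dir prints one line per finding and returns the number of
# findings (0 means clean). Helper names are hypothetical.

# True when group and other have no permission bits on the path.
# Characters 5-10 of the `ls -ld` mode string are the group/other bits.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_ssh_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    # The directory itself should be mode 700.
    if ! owner_only "$dir"; then
        echo "LOOSE    $dir (want 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only private keys must be owner-only; .pub files may be readable.
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            if ! owner_only "$f"; then
                echo "LOOSE    $f (want 600)"
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# Usage, run as the jenkins user from its home directory:
#   audit_ssh_dir "$HOME/.ssh" && echo "ssh directory OK"
```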
If you're interested in learning more about Docker and how I use Jenkins with a Docker workflow, check out the Shipping Docker series!