Continuous Integration — Setting up PHP Applications in Jenkins Part 2
This is the second part of the series and we will be securing the Jenkins server we earlier installed.
If you missed the first part of this series where I covered Jenkins Installation, Jenkins plugins installation, NGINX installation and reverse proxy setup, Click here.
It’s important to secure Continuous Integration servers like Jenkins to ensure that proprietary code, credentials and sensitive information are not leaked to the public.
There are various ways to secure the Jenkins server, but I decided to go with Google Login approach because most people have at least one google account and lots of organisations use Google Apps for Work.
This plugin lets you login to Jenkins with your Google account. It also allows you to restrict access to accounts in a given Google Apps domain.
Google Login Plugin Installation
I created the gist above to help with the installation. Line 4 installs the google-plugin using the jenkins-cli application and line 5 safely restarts the Jenkins server.
Obtaining OAuth 2.0 Credentials
To use this plugin, you must obtain OAuth 2.0 credentials from the Google Developers Console. These don’t need to belong to a special account, or even one associated with the domain you want to restrict logins to.
Instructions to create the Client ID and Secret:
- Login to the Google Developers Console
- Create a new project
- Under Credentials, Create OAuth Client ID by clicking Create Credentials
- The application type should be “Web Application”
- The authorised redirect URLs should contain JENKINS_ROOT_URL/securityRealm/finishLogin
Configure Global Security
With the OAuth credentials obtained now, we can go ahead to configure global security on the Jenkins server using the Google login plugin.
To configure global security go to Configure Global Security under Manage Jenkins, check the Enable Security checkbox, this shows additional options.
In the Security Realm section, select Login with Google and enter the Client ID and Client Secret obtained from the Google Developers Console; you can additionally add a Google Apps Domain if you want to limit access to users in a particular domain.
In the Authorisation section, select Logged-in users can do anything. Click the Apply button, immediately you would be prompted to login.
For additional security, I will advice you use the Project-based Matrix Authorisation Strategy, this strategy is provided by the Matrix Authorisation Strategy Plugin which is installed by default and offers matrix-based security authorisation strategies (global and per-project).
NB: Ensure you add permissions for your root user before applying changes when using the Project-based Matrix Authorisation Strategy so as not to lock yourself out of Jenkins.
In the second part of this series, we have been able to:
- Install Google Login Plugin
- Configure Global Security
In the part 3 of this series, we would be looking at setting up a basic PHP application on Jenkins. Watch Out!
Questions? Comments?, please drop your thoughts in the comments section or shoot me a mail at email@example.com. Don’t forget to hit the recommend 💚 button if you found this article useful and feel free to share with your network. 🙂