There are two ways to recover from a lock-out. Both require that the Jenkins instance be stopped and then restarted after completion of the steps.
The first way will remove all the roles that are defined in the system but does not require any manual editing of XML files.
- Ensure that the Jenkins instance is stopped.
- Open a shell.
- Change into the JENKINS_HOME directory:
    $ cd $JENKINS_HOME
- Remove/rename the nectar-rbac.xml configuration file:
    $ mv nectar-rbac.xml nectar-rbac.xml.old
- Start the Jenkins instance.

- Ensure that the Jenkins instance is stopped.
- Open a command prompt.
- Change into the JENKINS_HOME directory:
    C:\> cd %JENKINS_HOME%
- Remove/rename the nectar-rbac.xml configuration file:
    C:\...\Jenkins> ren nectar-rbac.xml nectar-rbac.xml.old
- Start the Jenkins instance.

The second way will not remove any of the roles that are defined in the system but requires manual editing of an XML file.
- Ensure that the Jenkins instance is stopped.
- Open the JENKINS_HOME/nectar-rbac.xml in a text editor that can edit XML files. It is a good idea to make a backup copy of the file before changing it.
- The file should look something like "General structure of the nectar-rbac.xml file". Add the following line into the role that you want to have the overall Administrator permission:
    <permission id="hudson.model.Hudson.Administer"/>
- Save the file.
- Start the Jenkins instance.

General structure of the nectar-rbac.xml file.

    <?xml version='1.0' encoding='UTF-8'?>
    <nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>
      <configuration class="...">
        ...
        <role name="...">
          <permission id="..."/>
          ...
        </role>
        ...
        <role name="anonymous">
          ...
        </role>
        <role name="authenticated">
          ...
        </role>
        ...
      </configuration>
    </nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>

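The second recovery procedure as a script, added here as an example that is not part of the original documentation: it reports which roles already hold hudson.model.Hudson.Administer and adds the permission to a named role after writing a backup copy. The role name "ops", the ".bak" suffix, the configuration class value and the sample file are constructed for illustration.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

ADMINISTER = "hudson.model.Hudson.Administer"  # permission id given on this page


def roles_with_administer(root):
    """Return names of roles that carry the overall Administer permission."""
    return [
        role.get("name")
        for role in root.iter("role")
        if any(p.get("id") == ADMINISTER for p in role.findall("permission"))
    ]


def grant_administer(rbac_file, role_name):
    """Back up rbac_file, then add the Administer permission to role_name.

    Returns True if the file was changed, False if the role already had it.
    Raises KeyError if no role with that name exists (nothing is written).
    """
    rbac_file = Path(rbac_file)
    tree = ET.parse(rbac_file)
    role = next((r for r in tree.getroot().iter("role")
                 if r.get("name") == role_name), None)
    if role is None:
        raise KeyError(f"no role named {role_name!r} in {rbac_file}")
    if role_name in roles_with_administer(tree.getroot()):
        return False
    # Keep a copy, as the procedure recommends, before touching the file.
    shutil.copy2(rbac_file, rbac_file.with_name(rbac_file.name + ".bak"))
    ET.SubElement(role, "permission", {"id": ADMINISTER})
    tree.write(str(rbac_file), encoding="UTF-8", xml_declaration=True)
    return True


# Constructed sample following the general structure shown above.
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>
  <configuration class="constructed.Placeholder">
    <role name="ops"><permission id="hudson.model.Item.Read"/></role>
    <role name="anonymous"/>
    <role name="authenticated"/>
  </configuration>
</nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>
"""
```

Run it only while the Jenkins instance is stopped, as the procedure requires. ElementTree rewrites the file without preserving XML comments or the original whitespace, which is why the backup copy is written first.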
If you want to completely reset all of the Role Based Access Control plugin’s configuration, an irreversible action, you can use the script console to remove all of the user defined roles, local groups and role filters on all the objects within your Jenkins instance.
Warning
There is no way to recover the user defined roles, local groups and role filters once you have reset the configuration other than by restoring a backup of the complete system, and this may have the side-effect of removing any changes that occur within the system after the configuration has been reset.
Only follow this procedure if you are absolutely sure that you want to wipe all of the Role Based Access Control plugin’s configuration.
If you have been locked out of the system, you will need to follow one of the procedures in the section called “Recovering from a lock-out” to recover administrative access.
- Log in to Jenkins using a web browser and open the Script Console from the Manage Jenkins screen. Type the following into the script text box:
    nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin.getInstance().reset()
- You should have a screen that looks like Figure 8.18, “Using the script console to completely reset the Role Based Access Control plugin’s configuration”.
- Click on the Run button. The screen should now look like Figure 8.19, “After successfully resetting the Role Based Access Control plugin’s configuration via the script console”.

Figure 8.18. Using the script console to completely reset the Role Based Access Control plugin’s configuration
Figure 8.19. After successfully resetting the Role Based Access Control plugin’s configuration via the script console
You can remove permissions for a project by filtering out roles on that project using a role filter. In general it is best to add groups and roles to a project before applying the role filter, because if you filter out all roles, you will be locked out from accessing the project completely. The strategy of filtering out all roles can be used to create secret projects, but there are times when it is necessary to recover or discover the projects that are hidden.
While there are various workarounds for this situation, the best approach is to make sure that there is at least one administrative role with all permissions which is not filterable (see the section called “Configuring and managing roles”). The Jenkins administrator should grant this role to a group containing themselves, and the secret project will be visible again.