Remove anonymous access from Jenkins instances to reduce attack surface for bot crawlers

Summary

As described in #7421 (closed), we've had several attacks that were affecting our CI services directly and had side effects on other services as well.

For this reason, we have been forced to remove public (anonymous) access from all Jenkins instances to provide a stable service for human users.

In a few cases, build configurations had to be adjusted to deal with the missing access.

Examples:

So far, we are aware of the following possible issues:

  • Copying/downloading artifacts on the same Jenkins instance with tools like curl or wget no longer works.
    • SOLUTION: Request the installation of the Copy Artifact plugin which allows copying artifacts from one job to another job on the same Jenkins instance.
  • Copying/downloading artifacts across different Jenkins instances with tools like curl or wget no longer works.
    • SOLUTION: Request the creation of a Jenkins bot account and an API token to copy artifacts securely.
  • Accessing the Jenkins API on the same or a different Jenkins instance
    • SOLUTION: Request the creation of a Jenkins bot account and an API token to access the API securely.

Please open separate HelpDesk issues for requests as described above.

If you have questions or constructive feedback, please comment below.
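
As an added illustration of the bot account plus API token approach for cross-instance artifact downloads (not code from this issue or from the project), the sketch below replaces an anonymous curl call with an authenticated one. The variable names `JENKINS_BOT_USER` and `JENKINS_BOT_TOKEN`, the function names and the `ci.example.org` host are assumptions; the credentials are expected to be injected by a Jenkins credentials binding rather than written into the job.

```shell
# Added example. JENKINS_BOT_USER / JENKINS_BOT_TOKEN are assumed names for
# the bot account and its API token, supplied by a credentials binding.

# Build the artifact URL; a folder job path "a/b" becomes "job/a/job/b".
artifact_url() {  # args: base-url job-path build artifact-path
  base=${1%/}
  job_path=$(printf '%s' "$2" | sed 's#/#/job/#g')
  printf '%s/job/%s/%s/artifact/%s\n' "$base" "$job_path" "$3" "$4"
}

# Emit a curl config line holding the credentials. Feeding it to curl on
# stdin keeps the token out of curl's argv and thus out of the process list.
curl_auth_config() {
  if [ -z "${JENKINS_BOT_USER:-}" ] || [ -z "${JENKINS_BOT_TOKEN:-}" ]; then
    echo "JENKINS_BOT_USER / JENKINS_BOT_TOKEN not set" >&2
    return 1
  fi
  # Escape backslashes and double quotes for curl's config-file syntax.
  esc=$(printf '%s' "$JENKINS_BOT_USER:$JENKINS_BOT_TOKEN" | sed 's/[\\"]/\\&/g')
  printf 'user = "%s"\n' "$esc"
}

# Download one artifact with HTTP basic auth (user:API token).
fetch_artifact() {  # args: base-url job-path build artifact-path dest-file
  case $1 in
    https://*) ;;
    *) echo "refusing to send API token to non-HTTPS URL: $1" >&2
       return 2 ;;
  esac
  cfg=$(curl_auth_config) || return 1
  url=$(artifact_url "$1" "$2" "$3" "$4")
  # --proto '=https' makes curl itself refuse any non-HTTPS transfer;
  # --fail turns HTTP 401/403/404 into a non-zero exit so the build stops.
  printf '%s\n' "$cfg" | curl --config - --proto '=https' --fail \
    --silent --show-error --output "$5" "$url"
}

# Usage inside a build step (placeholder host and job names):
#   fetch_artifact https://ci.example.org/proj folder/build-job \
#     lastSuccessfulBuild target/app.jar app.jar
```

The same `user:token` basic-auth configuration applies to Jenkins API requests, so `curl_auth_config` can be reused for those calls.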