Subject: Seeking Guidance on Jenkins Admin Access Removal – Key Challenges
Hi Jenkins Community,
We’re in the process of removing admin, SSH, and sudo access from our Jenkins instances. While we support this direction, several challenges have surfaced that we’d love your input on:
JCasC Reloading Without Admin Access
How can teams safely reload Jenkins Configuration as Code (JCasC) without admin rights or manual Groovy script approvals?
Groovy Script Approval Workflow
Is there a recommended way to automate or delegate Groovy script approvals in a locked-down Jenkins environment?
Plugin Management Without Admin Rights
Since JCasC doesn’t support plugin installs/updates, how do teams handle plugin requests and updates efficiently?
Troubleshooting Without SSH or Sudo
What are best practices for accessing Jenkins logs, restarting Jenkins safely, or inspecting system-level issues without root access or resolving file permission problems without root access?
Plugin Compatibility with JCasC
Is there a community-maintained list of plugins that don’t support JCasC? This would help us plan around limitations.
Restarting Jenkins Without Admin AccessHow can teams safely restart Jenkins (e.g.,safeRestart,prepareShutdown) without admin privileges? Are there community-supported alternatives?
We’d appreciate any advice, tools, or workflows that have helped others navigate similar transitions. Thanks in advance!
It will probably help if you describe how you operate Jenkins. Do you run it by installing the rpm and starting the service? Do you run your Jenkins in a docker container?
Also it’s not clear what kind of admin access you mean. Root access on OS level, Admin privileges on Jenkins itself?
To answer some questions
You must be admin in Jenkins to be able to reload JCasC configurations. Otherwise you could craft a yaml file that modifies the security realm and or the authorization settings and grant yourself admin permissions
Groovy script approval always requires admin permission, otherwise you could easily make yourself an admin
Plugin management requires admin permissions in Jenkins. Otherwise you can upload a self written malicious plugin that modifies security settings
While via the UI you can access logs from Jenkins (requires admin privileges) this only shows a limited amount of lines and not the complete log. To get access to the full log you will need to log on the machine as the jenkins user, then you can access all logs. When it comes to restarting Jenkins, you can do that in the UI, though again I think you need to be admin to be able to do that. On OS level restarting a service requires to be root normally, though there are also user level services possible to my knowledge. The jenkins user should not and doesn’t need sudo permissions. Use a personal user to access the machine where Jenkins is running (with corresponding audit logs) and grant this user sudo permissions to restart the service or fix any kind of problems in FS. Typically the user that is admin in Jenkins is also admin on the host. Ideally the host machine is not running anything else. It’s sole purpose is to run the Jenkins controller.
I’m not aware of such a list, if a plugin is not working with JCasC you can always manage the xml files directly though it prevents you from reloading its config via the UI. You would click though the system config to change such plugins.