How do I enable security for Jenkins JNLP slaves?


If any anonymous read permissions are granted, then anyone in the world can download slave.jar and access the jnlp file at the (easy to guess) URLs on my server, and connect as a slave.

It turns out that this was actually a critical security vulnerability in Jenkins:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

In answer to my question, it seems the best approach is to disable all anonymous read access.


From the comments on this jenkins bug it seems that this behaviour (allowing anyone with read permissions to see the jnlp file) was changed in the course of fixing the security vulnerability, and you can now limit access to the jnlp file to particular users.

I couldn't find any documentation on the current behaviour either, but it's possible to get some clues by

  1. Revoking all permissions for "anonymous"
  2. Attempting to download the jnlp file without providing any credentials, using wget or similar

Step 2. will give a "403 forbidden" response which contains something like

  Authentication required<!--
  You are authenticated as: anonymous
  Groups that you are in:
  Permission you need to have (but didn't): hudson.model.Computer.Connect
   ... which is implied by: hudson.model.Computer.Disconnect
   ... which is implied by: hudson.model.Hudson.Administer
  -->

The response also contains a javascript redirect, so you need to use wget or some other non-javascript-enabled method to be able to see it.

By trial and error, I found that "hudson.model.Computer.Connect" seems to map to the "Slave Connect" permission in the Jenkins UI.
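To make the two-step check above repeatable, here is an added example (my own, not from the question, the answer, or the Jenkins project) that fetches a node's JNLP descriptor without credentials, reports whether it was served, and on a 403 pulls the required permission and its "implied by" chain out of the HTML comment. It assumes the classic /computer/<node>/slave-agent.jnlp path and uses curl as the "wget or similar" client; the Jenkins URL and node name are placeholders passed on the command line.

```shell
#!/bin/sh
# Added example, not from the question or answer: fetch a node's JNLP descriptor
# without credentials, classify the result, and on a 403 pull the required
# permission out of the HTML comment Jenkins embeds in the error page.
# Assumed: the classic /computer/<node>/slave-agent.jnlp path; curl as the "wget or similar" client.
# Constructed sample of the 403 body quoted in the answer, used for offline checks.
sample_403_body() {
    cat <<'EOF'
Authentication required<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Computer.Connect
 ... which is implied by: hudson.model.Computer.Disconnect
 ... which is implied by: hudson.model.Hudson.Administer
-->
EOF
}

# Body on stdin; print the permission Jenkins says the caller lacks.
extract_required_permission() {
    sed -n 's/.*Permission you need to have (but didn.t): *\([A-Za-z.]*\).*/\1/p' | head -n 1
}

# Body on stdin; print the "implied by" chain, one permission per line.
extract_implied_by_chain() {
    sed -n 's/.*which is implied by: *\([A-Za-z.]*\).*/\1/p'
}

# HTTP status for the JNLP URL -> verdict from the defender's side.
classify_status() {
    case "$1" in
        200)     echo "EXPOSED: anonymous client received the JNLP descriptor" ;;
        401|403) echo "PROTECTED: anonymous access refused (HTTP $1)" ;;
        *)       echo "UNEXPECTED: HTTP $1" ;;
    esac
}

# $1 = Jenkins base URL, $2 = node name (placeholders supplied by the caller).
check_jnlp_exposure() {
    body=$(mktemp) || return 1
    status=$(curl -s -o "$body" -w '%{http_code}' "$1/computer/$2/slave-agent.jnlp")
    classify_status "$status"
    if [ "$status" = "403" ]; then
        echo "missing permission: $(extract_required_permission < "$body")"
        extract_implied_by_chain < "$body" | sed 's/^/  implied by: /'
    fi
    rm -f "$body"
}
if [ $# -ge 2 ]; then check_jnlp_exposure "$1" "$2"; fi
```

Run it as `sh check_jnlp.sh https://jenkins.example.com node1` (placeholder values); a 200 means the descriptor is still reachable anonymously and the permission matrix needs tightening.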