Issue
-
When managing user permissions, a user might set a permission wrong and lose access when using their main administrator account. Regaining access can be done in a few steps.
-
Global security needs to be changed, unable to login as administrator.
Environment
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
-
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
-
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
-
CloudBees Jenkins Enterprise - Managed controller
-
CloudBees Jenkins Enterprise - Operations center
Resolution
There are two methods you could follow to restore access:
-
Restore a Backup (Option 1): Revert to a backup of your previous security realm settings from before the changes. This method is preferred because it restores your previous authentication settings.
-
Disable Security (Option 2 and 3): Temporarily disable security entirely to reconfigure your security realm. This method is risky if your instance is accessible to others because it allows unrestricted access to all information, including secret credentials and all jobs. This method should only be used when you isolate network access to the instance during the timeframe when security is disabled.
Option 1
For option 1, which is restoring a backup of your previous security realm settings:
-
Stop the service.
-
Restore the
$JENKINS_HOME/config.xmlfrom the backup you took immediately before you changed the security realm. We recommmend you do adiffof the current content of$JENKINS_HOME/config.xmland the version from the backup before you replace it, to ensure you understand what you are reverting. -
Start the service.
Option 2
For option 2, which is disabling security entirely so you can reconfigure your security realm:
-
Stop the service.
-
Edit the
$JENKINS_HOME/config.xmlfile and locate this line:<useSecurity>true</useSecurity>
-
Set the value to
false. -
Start the service.
-
If you don’t know your
adminpassword when usingJenkins’ own user databasefor yourSecurity Realm, go toJENKINS_URL/user/admin/configureto set the newadminpassword. -
Now go to and choose your
Security RealmandAuthorizationsettings to re-enable security.
-
Option 3
For option 3, if you configure CloudBees CI using CloudBees Configuration as Code (CasC) choose this approach.
Locate your configuration file, review CloudBees Configuration as Code (CasC) for details.
-
Modify the
authorizationStrategydirective to unsecured in thejenkinssection so that it configures the Anyone can do anything authorization strategy:jenkins: authorizationStrategy: unsecured
-
Restart your instance to apply the modified configuration.
-
Once the issue causing lockout is resolved, restore your previous configuration and apply it.