Disable Jenkins CLI

Issue

  • I would like to disable the Jenkins CLI on my master machine.

Environment

  • Jenkins
  • CloudBees Jenkins Enterprise (CJE)
  • CloudBees Jenkins Operations Center (CJOC)

Resolution

To disable the CLI, go to the Groovy script console.

Paste the contents of the script below:

import java.nio.file.Files
import java.nio.file.Paths


def env = System.getenv()
def jhome = env['JENKINS_HOME']
def initDir = "$jhome/init.groovy.d"
def initDirPath = Paths.get(initDir)
def groovyFile = "$initDir/cli-shutdown.groovy"


// Create directory if it doesn't already exist.
// Files.createDirectories copes with paths that contain spaces and
// does not depend on an external mkdir binary.
if (!Files.exists(initDirPath)) {
  println "Creating Post-Initialization directory '${initDir}'..."
  try {
    Files.createDirectories(initDirPath)
  } catch (IOException e) {
    println "Unable to create '${initDir}': ${e.message}"
  }
}


// This is the code that removes the CLI protocol
def codestr="""
/*
The MIT License
Copyright (c) 2015, Kohsuke Kawaguchi
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
*/
import jenkins.*
import jenkins.model.*
import hudson.model.*
import java.util.logging.Logger

Logger logger = Logger.getLogger("cli-shutdown.groovy")
logger.info("Disabling the Jenkins CLI...")

// disable CLI access over TCP listener (separate port)
def p = AgentProtocol.all()
p.each { x ->
    if (x.name?.contains("CLI")) {
        logger.info("Removing protocol \${x.name}")
        p.remove(x)
    }
}

// disable CLI access over /cli URL
def removal = { lst ->
    lst.each { x ->
        if (x.getClass().name.contains("CLIAction")) {
            logger.info("Removing extension \${x.getClass().name}")
            lst.remove(x)
        }
    }
}
def j = Jenkins.instance
removal(j.getExtensionList(RootAction.class))
removal(j.actions)
logger.info("CLI disabled")
"""


try {
  // Persist in an initialization file so that CLI protocols
  // get removed upon Jenkins master restarting
  println "Creating Post-Initialization script '${groovyFile}'..."
  File file = new File(groovyFile)
  file.text = codestr
} catch (all) {
  println "Unable to create '$groovyFile'. " +
          "If master restarts, must apply this script again"
}


// Execute the same logic in place
GroovyShell shell = new GroovyShell(binding);
shell.evaluate(codestr);

into the console, and select Run.

The Groovy script above creates the file $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy.
This file is executed when Jenkins starts and disables the CLI.
The script also runs the same logic in place, so the CLI is disabled without requiring a restart.
To re-enable the CLI, remove this file and restart your Jenkins instance.
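
To confirm the result, a check like the following can be run in the same script console. It is an added example, not part of the original article or its script; it reuses the AgentProtocol and RootAction lookups from the script above and, like that script, assumes JENKINS_HOME is set in the environment of the Jenkins process.

```groovy
// Added verification example (not from the original article).
// Run in the Jenkins script console after applying the script above.
import hudson.model.RootAction
import jenkins.AgentProtocol
import jenkins.model.Jenkins
import java.nio.file.Files
import java.nio.file.Paths

def j = Jenkins.instance
def findings = []

// 1. CLI protocols still registered on the TCP agent listener
AgentProtocol.all().each { p ->
    if (p.name?.contains("CLI")) {
        findings << "agent protocol still registered: ${p.name}"
    }
}

// 2. CLIAction still registered, i.e. CLI still reachable over the /cli URL
def cliActions = { lst ->
    lst.findAll { it.getClass().name.contains("CLIAction") }
}
(cliActions(j.getExtensionList(RootAction.class)) + cliActions(j.actions)).each { a ->
    findings << "root action still registered: ${a.getClass().name}"
}

// 3. Persistence: without the init script the CLI comes back after a restart
def jhome = System.getenv('JENKINS_HOME')
def initScript = jhome ? Paths.get(jhome, "init.groovy.d", "cli-shutdown.groovy") : null
if (initScript == null) {
    findings << "JENKINS_HOME is not set in the environment; cannot locate the init script"
} else if (!Files.isRegularFile(initScript)) {
    findings << "missing ${initScript}: CLI will be re-enabled on restart"
} else if (!Files.isReadable(initScript)) {
    findings << "${initScript} is not readable by the Jenkins process"
}

if (findings) {
    println "CLI is NOT fully disabled:"
    findings.each { println "  - ${it}" }
} else {
    println "OK: no CLI agent protocol, no CLIAction, init script present"
}
return findings
```

An empty result list means both CLI entry points are gone and the init script is in place; run it again after the next restart to confirm the init script took effect.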
