Securing the CruiseControl JMX interface

Aug 29, 2008 • Julian Simpson

Jim Huang commented on the CruiseControl series page about an issue on his project:

We integrate our build with automation deployment and test running. The problem we have is how to prevent people from clicking the force build button by mistake. Anyone clicking the button will lead to another QA deployment. There is no access control from cruisecontrol. Do you have any solution for this?

Jim, you didn't say if you were using the classic reporting application, or the new dashboard. And I'm not sure what operating system you're using. So here's some vague advice: you can block access to the JMX port. CruiseControl exposes all the state information and some commands via JMX over a TCP port. So securing that port is one way to stop accidental or deliberate messing with your CI server. On a Linux system you can block access to the port from certain machines using Iptables. Your options for Windows vary depending on your version that you have.

Just promise me that you'll be careful, Jim.