
Slaves forbidden to request JNLP anonymously but -jnlpCredentials not offered

      All of my Windows slaves cannot connect to the Jenkins master after upgrading to 1.498. The following messages showed up in the slaves' jenkins-slave.err:

      java.io.IOException: Failed to load http://192.168.30.95/jenkins/computer/Fortify%201/slave-agent.jnlp: 403 Forbidden
      at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:238)
      at hudson.remoting.Launcher.run(Launcher.java:200)
      at hudson.remoting.Launcher.main(Launcher.java:173)

          [JENKINS-16273] Slaves forbidden to request JNLP anonymously but -jnlpCredentials not offered

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
          http://jenkins-ci.org/commit/jenkins/a1e709ddf0ca48b25ad07ee13a2fbdb0a6d97c0e
          Log:
          JENKINS-16273 Improved instructions for passing -jnlpCredentials.
          First, display instructions when the user has CONNECT, not necessarily ADMINISTER.
          Second, when anonymous users cannot CONNECT, show how to use -jnlpCredentials
          (and do not bother showing javaws, since it does not work in this case).

          Jesse Glick added a comment -

          Fixed the display of the slave overview page. Leaving open since the slave installers do not write out -jnlpCredentials yet.


          dogfood added a comment -

          Integrated in jenkins_main_trunk #2206
          JENKINS-16273 Improved instructions for passing -jnlpCredentials. (Revision a1e709ddf0ca48b25ad07ee13a2fbdb0a6d97c0e)

          Result = SUCCESS
          Jesse Glick : a1e709ddf0ca48b25ad07ee13a2fbdb0a6d97c0e
          Files :

          • core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
          • changelog.html


          Jesse Glick added a comment -

          Considering fixed. The outstanding issue of slave installers is trickier and has broader implications, filed separately as SECURITY-54.


          Duane Bronson added a comment -

          @Jesse - thank you for taking a closer look at this. I have resorted to running without security in hopes that a better solution will be found for the "Logged-in users can do anything" authorization policy.

          How can I track SECURITY-54? Is the SECURITY project restricted from the general public? https://issues.jenkins-ci.org/secure/BrowseProjects.jspa shows the project, but it looks like it contains no issues.


          Jesse Glick added a comment -

          @nerdmachine there is no need to run without security; you just need to manually specify -jnlpCredentials user:apitoken in jenkins-slave.xml.

          The SECURITY project is indeed restricted. See https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories for information.


          Jesse Glick added a comment -

          Tested workaround for the combination of this and JENKINS-9679 in 1.480.2 for Windows service users on XP:

          1. Remove any existing service. (jenkins-slave.exe uninstall or see http://stackoverflow.com/a/197941/12916 for removing the service entry; and delete the slave directory.)
          2. From Windows slave machine, log in, browse to slave page, and click on the JNLP launch button; slave should start.
          3. Request Windows service installation.
          4. Stop service if you started it. (Control Panel » Admin Tools » Services)
          5. Copy your downloaded jenkins-slave.jnlp somewhere permanent, such as the slave FS root.
          6. Open jenkins-slave.xml in Notepad, find the -jnlpUrl, and change it to point to the downloaded JNLP. This will be a file-protocol URL and must use forward slashes like any URL, e.g.:
            -jnlpUrl file:/C:/jenkins/slave-agent.jnlp
          7. Start service. The slave should now be connected, and should reconnect properly after a reboot.

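Added example (not part of the issue thread and not Jenkins code): a small Python helper that applies either workaround described above to the `<arguments>` line of `jenkins-slave.xml`, adding `-jnlpCredentials user:apitoken` or pointing `-jnlpUrl` at a local JNLP copy as a forward-slash `file:` URL. The XML layout, host name, agent name and token in the sample are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import quote

# Constructed sample; the element layout of jenkins-slave.xml is assumed.
SAMPLE_XML = r"""<service>
  <id>jenkinsslave</id>
  <executable>java.exe</executable>
  <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl http://jenkins.example/jenkins/computer/agent1/slave-agent.jnlp</arguments>
</service>"""

def to_file_url(windows_path):
    """Turn a Windows path into the forward-slash file: URL form used on this page."""
    return "file:/" + quote(PureWindowsPath(windows_path).as_posix(), safe="/:")

def patch_arguments(args, credentials=None, jnlp_path=None):
    """Return the argument string with the requested workaround applied.
    Re-running with the same values does not duplicate options."""
    if jnlp_path is not None:
        # Swap the HTTP JNLP URL for the local copy (step 6 of the workaround).
        args, n = re.subn(r"(-jnlpUrl\s+)\S+",
                          lambda m: m.group(1) + to_file_url(jnlp_path), args)
        if n != 1:
            raise ValueError("expected exactly one -jnlpUrl option")
    if credentials is not None:
        if ":" not in credentials:
            raise ValueError("credentials must look like user:apitoken")
        # Drop any previous value, then append the current one.
        args = re.sub(r"\s*-jnlpCredentials\s+\S+", "", args)
        args += " -jnlpCredentials " + credentials
    return args

def patch_service_xml(xml_text, **options):
    """Apply patch_arguments() to the <arguments> element of the service file."""
    root = ET.fromstring(xml_text)
    node = root.find("arguments")
    if node is None or not node.text:
        raise ValueError("no <arguments> element found")
    node.text = patch_arguments(node.text, **options)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # "builder:0123abcd" is a constructed user:apitoken pair.
    print(patch_service_xml(SAMPLE_XML, credentials="builder:0123abcd"))
```

The API token ends up in clear text in `jenkins-slave.xml`, so read access to that file should be limited to the account the service runs as.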

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/resources/hudson/slaves/JNLPLauncher/main.jelly
          http://jenkins-ci.org/commit/jenkins/17f0161e56dc2eb213415528061d8c8792694960
          Log:
          JENKINS-16273 Improved instructions for passing -jnlpCredentials.
          First, display instructions when the user has CONNECT, not necessarily ADMINISTER.
          Second, when anonymous users cannot CONNECT, show how to use -jnlpCredentials
          (and do not bother showing javaws, since it does not work in this case).
          (cherry picked from commit a1e709ddf0ca48b25ad07ee13a2fbdb0a6d97c0e)

          Conflicts:
          changelog.html

          Walter Kacynski added a comment -

          The new documentation is very helpful, thank you. I had no idea that you could use the user API key.

          Jesse Glick added a comment -

          @walterk82—yes this was always a possibility. There is a further change (SECURITY-54) which would supersede this technique, and may make it into 1.480.3, but it is still pending review.


            Assignee: Unassigned
            Reporter: beta Pei-Tang Huang
            Votes: 14
            Watchers: 26