
[JENKINS-16273] Slaves forbidden to request JNLP anonymously but -jnlpCredentials not offered

All of my Windows slaves cannot connect to the Jenkins master after upgrading to 1.498. The following messages showed up in the slaves' jenkins-slave.err:

java.io.IOException: Failed to load http://192.168.30.95/jenkins/computer/Fortify%201/slave-agent.jnlp: 403 Forbidden
    at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:238)
    at hudson.remoting.Launcher.run(Launcher.java:200)
    at hudson.remoting.Launcher.main(Launcher.java:173)


Pei-Tang Huang created issue -
Pei-Tang Huang made changes -
Priority Original: Major [ 3 ] New: Blocker [ 1 ]

Pei-Tang Huang added a comment -

Stop the Jenkins slave service. Pasting the JNLP URL ( http://192.168.30.95/jenkins/login?from=%2Fjenkins%2Fcomputer%2FFortify%25201%2Fslave-agent.jnlp ) into my browser and entering my credentials, the Jenkins slave agent starts.

But after I click File / Install as a service, the attached error message showed up.
Pei-Tang Huang made changes -
Attachment New: jenkins-slave-error.jpg [ 23033 ]

Markus Schulte added a comment -

I confirm this bug for Jenkins 1.498 - it appears although the user "anonymous" has Overall -> Read access. Jenkins 1.497 works fine.

Trevor A added a comment -

We had this issue and were finally able to resolve it by granting the Anonymous user the "Connect" privilege under the "Slave" section. The permissions can be found in the "Authorization" section of the "Configure Global Security" page under "Manage Jenkins."

Jesse Glick added a comment -

This is intentional—part of the security fix. In order to retrieve slave-agent.jnlp now, you need to provide authentication demonstrating that you are permitted to connect to the slave. This is generally done using an API token. Alternately, download the JNLP from your browser (while logged in as an admin) and save that, rather than attempting to connect to slave-agent.jnlp on the fly.

@trevora: granting the Anonymous user the "Connect" privilege effectively bypasses (part of) the security fix. Do not do this unless you are on a trusted, closed network (in which case why are you running with security at all?).

Jesse Glick made changes -
Resolution New: Not A Defect [ 7 ]
Status Original: Open [ 1 ] New: Resolved [ 5 ]
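An added example (not code from this issue, from Jenkins, or from any commenter) of the approach Jesse Glick describes: fetch slave-agent.jnlp once with a user and API token that hold the Slave/Connect permission, fail with a specific error on 403 instead of widening anonymous permissions, and save the file locally so the service can run from the saved copy. The master URL and node name are the ones in the report; the user name and token are placeholders you would replace, and the `opener` parameter exists only so the download logic can be exercised without a live master.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Values from the report (master URL, node name) plus placeholder credentials.
JENKINS_URL = "http://192.168.30.95/jenkins"
NODE_NAME = "Fortify 1"               # node names may contain spaces
API_USER = "slave-connector"          # hypothetical user with Slave/Connect
API_TOKEN = "REPLACE_WITH_API_TOKEN"  # placeholder, not a real token


def jnlp_url(base_url: str, node_name: str) -> str:
    """Build <base>/computer/<node>/slave-agent.jnlp, percent-encoding the node name."""
    node = urllib.parse.quote(node_name, safe="")
    return f"{base_url.rstrip('/')}/computer/{node}/slave-agent.jnlp"


def basic_auth_header(user: str, token: str) -> str:
    """HTTP Basic credential where the API token stands in for the password."""
    raw = f"{user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def fetch_jnlp(base_url, node_name, user, token, opener=urllib.request.urlopen):
    """Download slave-agent.jnlp as an authenticated user and return its bytes.

    A 403 now means the caller lacks Slave/Connect on that node (or the
    token is wrong); report that precisely rather than a bare 'Forbidden'.
    `opener` defaults to urllib's urlopen and is injectable for offline tests.
    """
    req = urllib.request.Request(jnlp_url(base_url, node_name))
    req.add_header("Authorization", basic_auth_header(user, token))
    try:
        with opener(req) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 403:
            raise PermissionError(
                f"{req.full_url}: 403 Forbidden - user {user!r} lacks Slave/Connect "
                "on this node or the API token is wrong; grant Connect to that user, "
                "not to anonymous"
            ) from err
        raise


def save_jnlp(data: bytes, path: str) -> int:
    """Write the JNLP to disk for the service to launch from; returns bytes written."""
    with open(path, "wb") as fh:
        return fh.write(data)


if __name__ == "__main__":
    payload = fetch_jnlp(JENKINS_URL, NODE_NAME, API_USER, API_TOKEN)
    print(f"saved {save_jnlp(payload, 'slave-agent.jnlp')} bytes")
```

The same `user:token` pair is what slave.jar's `-jnlpCredentials` option (named in the issue title) is meant to carry when the launcher fetches the JNLP itself; fetching once and saving the file, as above, avoids handing that credential to the service at all.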

Trevor A added a comment -

@jglick: Could you please point me to some information on how to properly configure Windows slave agents after the security fix? We are running on a closed network, but I'd prefer to configure it the right way if possible. Any information would be greatly appreciated.

If I understand correctly, the Windows service downloads and runs slave-agent.jnlp when it starts, using the parameters in the slave-agent.xml file. I'm not sure how to provide it an API key.

While we are on a closed network, we run security to control who may administer the Jenkins server and who can set up build projects. We thought it best to leave our Anonymous user restricted so non-developers would not have access to the server. We only added the "Connect" privilege to get our system back up and running after the upgrade.

Krzysztof Malinowski added a comment -

Same issue here. Reading through the comments above made me think: would it be possible, when the JNLP is first started through a web browser, to save this JNLP to the local Jenkins directory and automatically configure the service to use this cached copy instead of requesting it from the server? This would make setting up slaves automatic again without altering the security fix.

Assignee: Unassigned
Reporter: Pei-Tang Huang (beta)
Votes: 14
Watchers: 26