
Swarm clients fail to connect if GitHub for authentication

      We use swarm plugin to manage slaves. Now we decided to use github-oauth2 and can't get slaves to work with it,

          [JENKINS-17539] Swarm clients fail to connect if GitHub for authentication

          Sam Gleske added a comment -

          The GitHub OAuth plugin release 0.21 supports using personal access tokens as a password. It is now documented in the wiki. Can you test that release?

          https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin

          http://maven.jenkins-ci.org/content/repositories/releases/org/jenkins-ci/plugins/github-oauth/0.21/


          Stepan Mazurov added a comment -

          I get the following error:

          While serving http://10.7.0.1:8080/plugin/swarm/slaveInfo: hudson.security.AccessDeniedException2: se-jenkins is missing the Slave/Create permission

          We have a se-jenkins user on GitHub that is part of our organization. I'm unsure on how to give that user slave/create permission.

          Stepan Mazurov added a comment -

          This is where the permission is checked:

          https://github.com/jenkinsci/swarm-plugin/blob/f7b9f88a79ae6557135e0cb8360b8d5aa9d5e931/plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java#L54
          https://github.com/jenkinsci/swarm-plugin/blob/f7b9f88a79ae6557135e0cb8360b8d5aa9d5e931/plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java#L157

          Adding se-jenkins as an admin works around the issue, but it's not fantastic. Given that the security for that user is lax (it's used as a bot and a shared SSH key), giving it admin permissions to Jenkins is pretty bad.

          Ideally, the fix would be to add another field to specify "SlaveComputer" users.

          Sam Gleske added a comment -

          What are your settings? If you're using the GitHub Committer Authorization Strategy, that probably won't work at all. You need to use something with more flexible permissions configuration such as the Matrix-based permission strategies. See the wiki for documentation.

          Stepan Mazurov added a comment -

          I am indeed using GitHub Committer Authorization Strategy. I switched to matrix and added se-jenkins to slave permissions. Shame I can't use Committer strategy.

          Sam Gleske added a comment - - edited

          The challenge with using GitHub Committer Authorization Strategy is how do we determine who gets the slave permissions? Another thing you could try is just setting se-jenkins as an admin with the GitHub Committer Authorization Strategy. It should have all necessary permissions in that case.

          Sam Gleske added a comment -

          smazurov how are you connecting with the swarm plugin? Are you using the GitHub personal access token?


          Sam Gleske added a comment -

          Also, contributions are welcome for slave users setting.


          Stepan Mazurov added a comment - - edited

          Stepan Mazurov how are you connecting with the swarm plugin? Are you using the GitHub personal access token?

          Yes.

          Another thing you could try is just setting se-jenkins as an admin.

          This indeed did work, but was too permissive for my taste.

          Also, contributions are welcome for slave users setting.

          I took a look at the code, and to implement it in the way I want (add a field to specify slave users to committer strategy settings), it appears it would require modifying a lot of code as it would be another discrete permission. I do not feel like the added convenience over Matrix strategy is worth the tech debt of adding such functionality.

          I can now confirm that, with matrix strategy (or committer strategy with bot account having admin access), a dedicated GitHub "bot" account with a personal access token allows slaves to correctly connect, register themselves and execute tasks.

          I believe this issue can be considered resolved.

          Sam Gleske added a comment -

          Great! Thanks for your follow up. I appreciate it.

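The thread settles on matrix-based security so the bot account gets Slave/Create without admin rights. The following check is an added example, not part of the thread or of either plugin: it audits a Jenkins config.xml for that least-privilege outcome. It assumes the older `permission-id:sid` entry format; the accounts `alice` and `old-bot` and the allowed-permission policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the matrix-based authorization section of a Jenkins
# config.xml, assuming the older "permission-id:sid" entry format.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:se-jenkins</permission>
    <permission>hudson.model.Computer.Create:se-jenkins</permission>
    <permission>hudson.model.Hudson.Administer:old-bot</permission>
  </authorizationStrategy>
</hudson>"""

ADMINISTER = "hudson.model.Hudson.Administer"
AGENT_CREATE = "hudson.model.Computer.Create"  # "Slave/Create" in the error above
# Assumed policy for an agent bot: Overall/Read plus agent (Computer) permissions.
ALLOWED_PREFIXES = ("hudson.model.Hudson.Read", "hudson.model.Computer.")


def permissions_by_sid(config_xml):
    """Map each user or group (sid) to the set of permission ids granted to it."""
    strategy = ET.fromstring(config_xml).find("authorizationStrategy")
    grants = {}
    for entry in ([] if strategy is None else strategy.findall("permission")):
        perm, sep, sid = (entry.text or "").strip().partition(":")
        if sep and sid:
            grants.setdefault(sid, set()).add(perm)
    return grants


def audit_agent_account(config_xml, sid):
    """Return findings for an account that Swarm clients log in as."""
    granted = permissions_by_sid(config_xml).get(sid, set())
    findings = []
    # Administer implies every permission, so only report "missing" without it.
    if AGENT_CREATE not in granted and ADMINISTER not in granted:
        findings.append("missing " + AGENT_CREATE)
    for perm in sorted(granted):
        if perm == ADMINISTER:
            findings.append("over-privileged: " + perm)
        elif not perm.startswith(ALLOWED_PREFIXES):
            findings.append("unexpected: " + perm)
    return findings


if __name__ == "__main__":
    for account in ("se-jenkins", "old-bot", "unknown-bot"):
        print(account, audit_agent_account(SAMPLE_CONFIG, account) or "ok")
```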

            sag47 Sam Gleske
            kofemann kofemann