
Swarm clients fail to connect if GitHub for authentication

      We use swarm plugin to manage slaves. Now we decided to use github-oauth2 and can't get slaves to work with it.

          [JENKINS-17539] Swarm clients fail to connect if GitHub for authentication

          Jeff Koenig added a comment -

          I also have this issue. Could we potentially use the jenkins API to authenticate around this?


          sogabe added a comment -

          any logs?


          Jeff Koenig added a comment -

          If I try to use the API key like this...

          $ java -jar swarm-client-1.9-jar-with-dependencies.jar -master 'http://<server>:8080' -username <username> -password <api_key>
          Discovering Jenkins master
          Aug 13, 2013 12:00:29 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
          INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused
          Aug 13, 2013 12:00:29 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
          INFO: Retrying request
          

          otherwise if you don't specify a username or password...

          $ java -jar swarm-client-1.9-jar-with-dependencies.jar -master 'http://50.16.76.207:8080'
          Discovering Jenkins master
          Aug 13, 2013 12:04:33 PM org.apache.commons.httpclient.HttpMethodDirector authenticateHost
          WARNING: Required credentials not available for BASIC <any realm>@50.16.76.207:8080
          Aug 13, 2013 12:04:33 PM org.apache.commons.httpclient.HttpMethodDirector authenticateHost
          WARNING: Preemptive authentication requested but no default credentials available
          

          I am able to get the swarm secret key using the api key and curl like this...

          curl http://<username>:<api_key>@<server>:8080/plugin/swarm/slaveInfo
          


          Jeff Koenig added a comment -

          Since this wasn't working for me, I came up with an alternative solution to using the swarm plugin. This solution doesn't have any plugin dependencies, and just uses the jenkins api to connect slaves.

          https://github.com/jkoenig311/jenkins_slave_connector


          Hans-Christian Otto added a comment -

          I am having this issue as well. Any progress on it?

          Atish Narlawar added a comment -

          I think this issue is resolved with v20.
          I ask @Sam to have a look again before marking it resolved.

          Cervator added a comment -

          Just encountered this - same situation, same logging, Jenkins Master v1.595 with GitHub OAuth enabled, new master-slave security stuff not enabled. Tried v19, 20, 21, 22, same result with each. Any updates or possible resolution?

          I can custom code something, but when this setup works it is sooo easy.

          I tried a few different scenarios (only with v22 for some combinations, seems same anyway) and got it working using the built-in-user security enabled with Anonymous given full slave rights + overall read access (no user/pass on swarm launch). But that doesn't help with GitHub OAuth since you do not get those checkboxes. It actually also gets the two WARNINGS from above, three times in total, but does connect.

          With GitHub OAuth enabled I've got "Grant READ permissions for Anonymous Users" checked but it isn't enough. Creating a slave manually and connecting via the string including the -secret parameter works fine.


          Cervator added a comment -

          Slight correction: I mean I tried the swarm plugin jar v19-22. I was at GitHub OAuth v19, but updating it to v20 didn't change anything.


          Ryan Walls added a comment -

          Any updates on this issue?


          Sam Gleske added a comment -

          The GitHub OAuth plugin release 0.21 supports using personal access tokens as a password. It is now documented in the wiki. Can you test that release?

          https://wiki.jenkins-ci.org/display/JENKINS/Github+OAuth+Plugin

          http://maven.jenkins-ci.org/content/repositories/releases/org/jenkins-ci/plugins/github-oauth/0.21/


          Stepan Mazurov added a comment -

          I get the following error:

          While serving http://10.7.0.1:8080/plugin/swarm/slaveInfo: hudson.security.AccessDeniedException2: se-jenkins is missing the Slave/Create permission

          We have a se-jenkins user on GitHub that is part of our organization. I'm unsure on how to give that user slave/create permission.

          Stepan Mazurov added a comment -

          This is where the permission is checked:

          https://github.com/jenkinsci/swarm-plugin/blob/f7b9f88a79ae6557135e0cb8360b8d5aa9d5e931/plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java#L54
          https://github.com/jenkinsci/swarm-plugin/blob/f7b9f88a79ae6557135e0cb8360b8d5aa9d5e931/plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java#L157

          Adding se-jenkins as an admin works around the issue, but it's not fantastic. Given that the security for that user is lax (it's used as a bot and a shared ssh key), giving it admin permissions to Jenkins is pretty bad.

          Ideally, the fix would be to add another field to specify "SlaveComputer" users.

          Sam Gleske added a comment -

          What are your settings? If you're using the GitHub Committer Authorization Strategy that probably won't work at all. You need to use something with more flexible permissions configuration such as the Matrix-based permission strategies. See the wiki for documentation.


          Stepan Mazurov added a comment -

          I am indeed using GitHub Committer Authorization Strategy. I switched to matrix and added se-jenkins to slave permissions. Shame I can't use Committer strategy.

          Sam Gleske added a comment - - edited

          The challenge with using GitHub Committer Authorization Strategy is how do we determine who gets the slave permissions? Another thing you could try is just setting se-jenkins as an admin with the GitHub Committer Authorization Strategy. It should have all necessary permissions in that case.


          Sam Gleske added a comment -

          smazurov how are you connecting with the swarm plugin? Are you using the GitHub personal access token?


          Sam Gleske added a comment -

          Also, contributions are welcome for slave users setting.


          Stepan Mazurov added a comment - - edited

          > Stepan Mazurov how are you connecting with the swarm plugin? Are you using the GitHub personal access token?

          Yes.

          > Another thing you could try is just setting se-jenkins as an admin.

          This indeed did work, but was too permissive for my taste.

          > Also, contributions are welcome for slave users setting.

          I took a look at the code, and to implement it in a way I want (add a field to specify slave users to committer strategy settings), it appears it would require modifying a lot of code, as it would be another discrete permission. I do not feel like the added convenience over Matrix strategy is worth the tech debt of adding such functionality.

          I can now confirm that, with matrix strategy (or committer strategy with bot account having admin access), a dedicated GitHub "bot" account with a personal access token allows slaves to correctly connect, register themselves and execute tasks.

          I believe this issue can be considered resolved.


          Sam Gleske added a comment -

          Great! Thanks for your follow up. I appreciate it.
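
The least-privilege setup the thread converges on, as an added example (not code from the thread or from either plugin): a Groovy script for the Jenkins script console that grants the bot account agent permissions in an existing matrix-based strategy and refuses to run if the account is an administrator. It assumes the matrix-auth plugin methods `add(Permission, String)` and `hasPermission(String, Permission)`; Overall/Read and Slave/Connect are assumed grants beyond the Slave/Create permission named in the error.

```groovy
import hudson.model.Computer
import hudson.security.GlobalMatrixAuthorizationStrategy
import jenkins.model.Jenkins

// Bot account name taken from the thread; change it for your instance.
String botUser = 'se-jenkins'

Jenkins jenkins = Jenkins.getInstance()
def strategy = jenkins.getAuthorizationStrategy()

// Only a matrix-based strategy can hold per-user grants. With the GitHub
// Committer Authorization Strategy there is nothing to add a grant to.
if (!(strategy instanceof GlobalMatrixAuthorizationStrategy)) {
    throw new IllegalStateException(
        "Expected a matrix-based strategy, found ${strategy.getClass().name}")
}

// Stop if the bot is already an administrator: the goal is to replace that
// grant with narrower ones, not to add to it.
if (strategy.hasPermission(botUser, Jenkins.ADMINISTER)) {
    throw new IllegalStateException(
        "${botUser} holds Overall/Administer; remove it in the matrix first")
}

// Slave/Create is the permission named in the AccessDeniedException2 above.
// Overall/Read and Slave/Connect are assumptions about what else is needed.
def grants = [Jenkins.READ, Computer.CREATE, Computer.CONNECT]
grants.each { permission ->
    if (!strategy.hasPermission(botUser, permission)) {
        strategy.add(permission, botUser)
        println "granted ${permission.id} to ${botUser}"
    }
}

// Persist the modified strategy to the controller's config.xml.
jenkins.save()
```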


            sag47 Sam Gleske
            kofemann kofemann