JENKINS-25421

Allow Swarm client to be used when CSRF is disabled

    • Type: New Feature
    • Resolution: Fixed
    • Priority: Major
    • Component/s: swarm-plugin
    • Labels: None
    • Environment: Jenkins 1.580.1, Swarm Plugin 1.20, "Prevent Cross Site Request Forgery exploits" - Disabled

      I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine.

      java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW>
      
      Discovering Jenkins master
      Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5
      Could not obtain CSRF crumb. Response code: 404
      Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
      INFO: basic authentication scheme selected
      Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
      INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079
      Failed to create a slave on Jenkins CODE: 401
      Retrying in 10 seconds
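
The failure above is the client treating the crumb issuer's 404 as fatal and then retrying with no crumb at all. As an added illustration (my own code, not the Swarm plugin's), this shows how a client can fetch a crumb from Jenkins' standard crumb issuer endpoint and treat a 404 as "no crumb issuer configured, proceed without a crumb", while still failing hard on 401/403 and other errors; the endpoint path and JSON field names are Jenkins' documented crumb API, and the function and class names are my own.

```python
import base64
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Jenkins' crumb issuer API: GET <master>/crumbIssuer/api/json returns
# {"crumb": "<value>", "crumbRequestField": "<header name>"}.
CRUMB_PATH = "crumbIssuer/api/json"


@dataclass
class CrumbResult:
    # False means the server has no crumb issuer, i.e. CSRF protection is disabled.
    csrf_enabled: bool
    # Extra request headers to send on subsequent POSTs (empty when CSRF is off).
    headers: dict = field(default_factory=dict)


def crumb_headers(status: int, body: bytes) -> CrumbResult:
    """Turn the crumb issuer's HTTP response into a decision (pure, testable offline).

    200 -> CSRF enabled: send the crumb under the field name Jenkins specifies.
    404 -> no crumb issuer configured: continue without a crumb (the case this issue asks for).
    anything else (401, 403, 5xx) -> a genuine error; never silently continue.
    """
    if status == 200:
        data = json.loads(body.decode("utf-8"))
        return CrumbResult(True, {data["crumbRequestField"]: data["crumb"]})
    if status == 404:
        return CrumbResult(False)
    raise RuntimeError(f"Could not obtain CSRF crumb. Response code: {status}")


def fetch_crumb(master: str, username: str, password: str) -> CrumbResult:
    """Hypothetical helper: fetch the crumb with HTTP basic auth (network call)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        master.rstrip("/") + "/" + CRUMB_PATH,
        headers={"Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return crumb_headers(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; route the code through the same decision logic.
        return crumb_headers(err.code, err.read())
```

A client built this way would log that it is running against a master with CSRF protection disabled rather than retrying a request that can never succeed.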
      


          Anita Dongare added a comment -

          Hi team,
          We are seeing the same issue on our Jenkins master. Can someone help explain and resolve this error with the swarm plugin?

          Thanks
          Anita


          Oleg Nenashev added a comment -

          KK does not maintain this plugin anymore. Moving to unassigned to set the expectation


          Oleg Nenashev added a comment - edited

          I do not plan to fix the issue. Usage of this plugin (and Jenkins in general) is dangerous when CSRF protection is disabled. If somebody wants to invest his time into it, pull requests are welcome.


          Basil Crow added a comment -

          Is this still a bug on recent versions of Jenkins core and Swarm client? I just tried connecting to a Jenkins master (2.150.1) with Swarm client 3.16 both with and without CSRF enabled on the Jenkins master, and things worked just fine.


          Basil Crow added a comment -

          The UI for disabling CSRF protection was removed from Jenkins 2.222, but it is still possible to disable CSRF through the unsupported hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION system property. I tested using this property and Swarm 3.21, and the Swarm client was able to successfully connect to Jenkins both before and after a Jenkins restart. It is likely this issue was fixed in some recent Swarm release. Please ensure that you are running the latest Swarm plugin and Swarm client, consulting the documentation regarding how to configure authentication and authorization if necessary. If you still encounter problems, please open a new issue with detailed steps to reproduce.


            Assignee: Unassigned
            Reporter: Eric Lordahl (elordahl)