• Type: New Feature
• Resolution: Fixed
• Priority: Major
• Component/s: swarm-plugin
• Labels:

  None
• Environment:

  Jenkins 1.580.1
  Swarm Plugin 1.20
  "Prevent Cross Site Request Forgery exploits" - Disabled
  

[JENKINS-25421] Allow Swarm client to be used when CSRF is disabled

Eric Lordahl created issue - 2014-11-03 22:33

Eric Lordahl made changes - 2014-11-03 22:35

Description

Original: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds

New: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. {noformat} java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds {noformat}

Eric Lordahl made changes - 2014-11-03 22:36

Description

Original: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. {noformat} java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds {noformat}

New: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. {noformat} java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds {noformat}

Eric Lordahl made changes - 2014-11-03 22:36

Description

Original: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. {noformat} java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds {noformat}

New: I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine. {noformat} java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW> Discovering Jenkins master Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5 Could not obtain CSRF crumb. Response code: 404 Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme INFO: basic authentication scheme selected Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079 Failed to create a slave on Jenkins CODE: 401 Retrying in 10 seconds {noformat}

Eric Lordahl made changes - 2014-11-03 22:37

Environment

Original: Jenkins 1.580.1 Swarm Plugin 1.20

New: Jenkins 1.580.1 Swarm Plugin 1.20 "Prevent Cross Site Request Forgery exploits" - Disabled

R. Tyler Croy made changes - 2016-07-25 23:51

Workflow

Original: JNJira [ 159387 ]

New: JNJira + In-Review [ 179967 ]

Collapse comment: Anita Dongare added a comment - 2016-11-15 04:17

Anita Dongare added a comment - 2016-11-15 04:17

Hi team ,
We are seeing the same issue on our Jenkins master, can someone help explain and resolve this error with swarm plugin ?

Thanks
Anita

Expand comment: Anita Dongare added a comment - 2016-11-15 04:17

Anita Dongare added a comment - 2016-11-15 04:17 Hi team , We are seeing the same issue on our Jenkins master, can someone help explain and resolve this error with swarm plugin ? Thanks Anita

Collapse comment: Oleg Nenashev added a comment - 2018-02-26 08:27

Oleg Nenashev added a comment - 2018-02-26 08:27

KK does not maintain this plugin anymore. Moving to unassigned to set the expectation

Expand comment: Oleg Nenashev added a comment - 2018-02-26 08:27

Oleg Nenashev added a comment - 2018-02-26 08:27 KK does not maintain this plugin anymore. Moving to unassigned to set the expectation

Oleg Nenashev made changes - 2018-02-26 08:27

Assignee

Original: Kohsuke Kawaguchi [ kohsuke ]

Collapse comment: Oleg Nenashev added a comment - 2018-08-28 07:59, Edited by Oleg Nenashev - 2018-08-28 07:59

Oleg Nenashev added a comment - 2018-08-28 07:59 - edited

I do not plan to fix the issue. Usage of this plugin (and Jenkins in general) is dangerous when CSRF protection is disabled. If somebody wants to invest his time into it, pull requests are welcome.

Expand comment: Oleg Nenashev added a comment - 2018-08-28 07:59, Edited by Oleg Nenashev - 2018-08-28 07:59

Oleg Nenashev added a comment - 2018-08-28 07:59 - edited I do not plan to fix the issue. Usage of this plugin (and Jenkins in general) is dangerous when CSRF protection is disabled. If somebody wants to invest his time into it, pull requests are welcome.

Load more newer events