Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-35310

ComputedFolder shows BuildAuthorizationToken configuration but does not actually support it

      Trying to use the "Trigger builds remotely (e.g., from scripts)" Build Trigger from a multibranch pipeline project doesn't seem to work.

      If I check off the box and type in a token and click save, the job saves successfully but it does not write an authToken element to the job config and the item is unchecked in the configuration when I reload the page. Even manually setting an authToken and POSTing the config doesn't work. While the element is there in the config, I'm not able to kick a job off with the token.

      I can post some screenshots and config snippets if that will be helpful, but this seems to be reproducible easily enough that it might be overkill.

      I've been able to reproduce this with a fresh Jenkins 2.x install as well.

      Repro case

      Given: A Jenkins 1.651.2 instance with some kind of security enabled (e.g. anonymous users cannot build jobs). And the pipeline plugins installed.

      1. Create a freestyle or single pipeline job.
      2. Under "Build Triggers," select "Trigger builds remotely (e.g., from scripts)"
      3. Enter "hello" in the "Authentication Token" field
      4. Save the job.
      5. POST to jobUrl/build?token=hello (e.g. curl -XPOST http://172.17.0.2:8080/job/freestyle/build?token=hello)
      6. Observe the job is triggered.
      7. Create a multibranch pipeline job.
      8. Add an authentication token as above.
      9. Save the job.
      10. POST to jobUrl/build?token=hello (e.g. curl -XPOST http://172.17.0.2:8080/job/multibranch/build?token=hello)
      11. Observe you receive an "Authentication required" error.
      12. Go back to the job configuration and observe the Build Trigger isn't enabled.

          [JENKINS-35310] ComputedFolder shows BuildAuthorizationToken configuration but does not actually support it

          Jesse Glick added a comment -

          Finally see what everyone is talking about—an option on the multibranch folder, not the actual jobs (branch projects). This was never intended to even be presented; ComputedFolder/configure-details.jelly should not use <p:config-trigger/>.

          To initiate branch indexing from a script, you must use the build REST API with an authentication token.

          Jesse Glick added a comment - Finally see what everyone is talking about—an option on the multibranch folder, not the actual jobs (branch projects). This was never intended to even be presented; ComputedFolder/configure-details.jelly should not use <p:config-trigger/> . To initiate branch indexing from a script, you must use the build REST API with an authentication token.

          Jesse Glick added a comment -

          trigger builds upon push events

          This should be done with the webhook for the Git plugin, /git/notifyCommit.

          Jesse Glick added a comment - trigger builds upon push events This should be done with the webhook for the Git plugin, /git/notifyCommit .

          Pieter Kokx added a comment -

          jglick
          > To initiate branch indexing from a script, you must use the build REST API with an authentication token.

          Which is exactly what we are trying to do. The build REST API however, only exposes this for the actual jobs (the /job/<project>/<job>/build endpoint). So either there is some endpoint we cannot find (some missing documentation I guess?). Or some configuration for an auth token that is missing. Or something else.

          Most of us that are here, are here because we couldn't get it to work.

          > This should be done with the webhook for the Git plugin, /git/notifyCommit.

          Which only works if you use the Git plugin. However, since we kinda need GitHub build status notifications for commits, we use that instead. Neither could I find an alternative for this webhook when using the GitHub plugin.

          Also, if we use some magic and trigger builds directly on the actual jobs themselves, this will have the side-effect that doing a re-index will also trigger a new build on the same job. Which means you have a lot of useless double builds clogging your build servers.

          For now, we are forced to use active polling, and poll GitHub for changes every 2 minutes. However, we really prefer not to have to do that.

          Pieter Kokx added a comment - jglick > To initiate branch indexing from a script, you must use the build REST API with an authentication token. Which is exactly what we are trying to do. The build REST API however, only exposes this for the actual jobs (the /job/<project>/<job>/build endpoint). So either there is some endpoint we cannot find (some missing documentation I guess?). Or some configuration for an auth token that is missing. Or something else. Most of us that are here, are here because we couldn't get it to work. > This should be done with the webhook for the Git plugin, /git/notifyCommit . Which only works if you use the Git plugin. However, since we kinda need GitHub build status notifications for commits, we use that instead. Neither could I find an alternative for this webhook when using the GitHub plugin. Also, if we use some magic and trigger builds directly on the actual jobs themselves, this will have the side-effect that doing a re-index will also trigger a new build on the same job. Which means you have a lot of useless double builds clogging your build servers. For now, we are forced to use active polling, and poll GitHub for changes every 2 minutes. However, we really prefer not to have to do that.

          Jostein Gogstad added a comment - - edited

          Authentication tokens doesn't work, as Jesse pointed out. The following endpoints works for triggering indexing and builds in multibranch projects:

          curl -isk -u gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3 -X POST https://myjenkins.internal.com/job/my_multibranch_job/job/Branches/build
          HTTP/1.1 302 Found
          ...
          

          It gives 302, but it both indexes and trigger builds on branches with new commits. Since the authentication token doesn't work, you'll have to use an user level authentication token and use it as password in a BASIC authentication scheme, you'll find the user authentication token under https://myjenkins.internal.com/user/USERNAME/configure (press "Show token"). If your SCM-vendor doesn't support explicitly specifying BASIC credentials (gitlab has no configuration for this), you can embed it in the url. Our push hook in GitLab is https://gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3@myjenkins.internal.com/job/my_multibranch_job/job/Branches/build

          Finally if you want to trigger builds on specific branches in a multibranch pipeline, they can be triggered as such

          curl -isk -u gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3 -X POST https://myjenkins.internal.com/job/my_multibranch_job/job/Branches/job/develop/build
          HTTP/1.1 201 Created
          

          Hope that helps

          Jostein Gogstad added a comment - - edited Authentication tokens doesn't work, as Jesse pointed out. The following endpoints works for triggering indexing and builds in multibranch projects: curl -isk -u gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3 -X POST https://myjenkins.internal.com/job/my_multibranch_job/job/Branches/build HTTP/1.1 302 Found ... It gives 302 , but it both indexes and trigger builds on branches with new commits. Since the authentication token doesn't work, you'll have to use an user level authentication token and use it as password in a BASIC authentication scheme, you'll find the user authentication token under https://myjenkins.internal.com/user/USERNAME/configure (press "Show token"). If your SCM-vendor doesn't support explicitly specifying BASIC credentials (gitlab has no configuration for this), you can embed it in the url. Our push hook in GitLab is https://gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3@myjenkins.internal.com/job/my_multibranch_job/job/Branches/build Finally if you want to trigger builds on specific branches in a multibranch pipeline, they can be triggered as such curl -isk -u gitlab:5d7b834xxxxxxxxxxxxxxx6c1e0c9f3 -X POST https://myjenkins.internal.com/job/my_multibranch_job/job/Branches/job/develop/build HTTP/1.1 201 Created Hope that helps

          Truc Nguyen added a comment -

          Hi,

          Just sharing kind of workaround here. My use case is to trigger branch indexing from GitHub webhook.
          Since using authentication token doesn't work with branch indexing, I created a "trigger" job (regular job type) which:
          1. Listens to GitHub webhook using authentication token
          2. Possibly parse GitHub payload to check for branch (refs)
          3. Trigger branch indexing on Multibranch pipeline job using:

          curl -sS -u basic_user:basic_password -X POST ${JENKINS_URL}/job/multibranch-pipeline-job/build?cause=GitHub+push
          

          So basically I have:

          [GitHub] --> [Trigger job] --> [Multibranch pipeline job]
          

          Adding this "trigger" job avoids active polling on the multibranch pipeline job.

          HTH

          Truc Nguyen added a comment - Hi, Just sharing kind of workaround here. My use case is to trigger branch indexing from GitHub webhook. Since using authentication token doesn't work with branch indexing, I created a "trigger" job (regular job type) which: 1. Listens to GitHub webhook using authentication token 2. Possibly parse GitHub payload to check for branch (refs) 3. Trigger branch indexing on Multibranch pipeline job using: curl -sS -u basic_user:basic_password -X POST ${JENKINS_URL}/job/multibranch-pipeline-job/build?cause=GitHub+push So basically I have: [GitHub] --> [Trigger job] --> [Multibranch pipeline job] Adding this "trigger" job avoids active polling on the multibranch pipeline job. HTH

          Jesse Glick added a comment -

          Neither could I find an alternative for this webhook when using the GitHub plugin.

          You need to install the github-branch-source plugin, which interprets GitHub webhooks.

          Jesse Glick added a comment - Neither could I find an alternative for this webhook when using the GitHub plugin. You need to install the github-branch-source plugin, which interprets GitHub webhooks.

          truc thanks for the tip - was that basic_user:basic_password pair based on a Jenkins credentials object or something else?

          Daniel Fehrenbach added a comment - truc thanks for the tip - was that basic_user:basic_password pair based on a Jenkins credentials object or something else?

          tzafrir added a comment - - edited

          This should be done with the webhook for the Git plugin, /git/notifyCommit.

          jglick I ended up doing just that and it works fine without requiring special permission. Yet post message to this address (as what gilab webhook provides) result with "no valid crumb was included in the request"

          tzafrir added a comment - - edited This should be done with the webhook for the Git plugin, /git/notifyCommit. jglick I ended up doing just that and it works fine without requiring special permission. Yet post message to this address (as what gilab webhook provides) result with "no valid crumb was included in the request"

          Jesse Glick added a comment -

          Yet post message to this address (as what gilab webhook provides) result with "no valid crumb was included in the request"

          File an RFE for git-plugin.

          Jesse Glick added a comment - Yet post message to this address (as what gilab webhook provides) result with "no valid crumb was included in the request" File an RFE for git-plugin .

          Jesse Glick added a comment -

          (a CrumbExclusion specifically)

          Jesse Glick added a comment - (a CrumbExclusion specifically)

            jglick Jesse Glick
            nmaclennan Norm MacLennan
            Votes:
            19 Vote for this issue
            Watchers:
            38 Start watching this issue

              Created:
              Updated:
              Resolved: