• Bug
    • Resolution: Not A Defect
    • Major
    • swarm-plugin
    • None
    • Jenkins LTS 2.176.3

      Jenkins LTS 2.176.3 incorporated commit ace596, which factors the Session ID into the computation of CSRF crumbs; since a new Session ID is generated if none is provided, previously issued crumbs are rendered useless in the absence of a reusable Session ID. This currently prevents Swarm clients from connecting to Jenkins masters secured with the DefaultCrumbIssuer, since the generated crumb is immediately rendered useless.

      I think a fix would involve the Swarm plugin using a persistent session ID on the client-side. I labeled this issue as "minor", because an easy workaround exists (setting hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true on the Jenkins master). It should be noted, however, that this reduces the efficacy of the fixes to SECURITY-626 and SECURITY-1491.
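The mechanism the description refers to, modelled as an added example (written for this page; it is not Jenkins core's or the Swarm plugin's code): a crumb issuer that binds each crumb to the user name, the client IP and the HTTP session ID, a stand-in server that mints a fresh session ID whenever a request carries none, and a client that either keeps or drops the session cookie between fetching the crumb and using it. The HMAC-SHA256 construction, the `;` separator and every class and function name here are assumptions of this model; only the binding to the session ID and the `exclude_session_id` switch (standing in for `hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID`) correspond to what the description states.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

# Simplified model of a session-bound crumb issuer (added example, not Jenkins code).
# Jenkins' real DefaultCrumbIssuer uses its own digest and salt handling; HMAC-SHA256
# over "user;ip;session" is an assumption of this model.


class CrumbIssuer:
    def __init__(self, exclude_session_id: bool = False) -> None:
        # Mirrors the EXCLUDE_SESSION_ID switch named in the issue description.
        self.exclude_session_id = exclude_session_id
        # Per-instance secret; never leaves the server.
        self._salt = secrets.token_bytes(32)

    def _compute(self, user: str, client_ip: str, session_id: str) -> str:
        parts = [user, client_ip]
        if not self.exclude_session_id:
            parts.append(session_id)  # the binding introduced by commit ace596
        msg = ";".join(parts).encode()
        return hmac.new(self._salt, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, client_ip: str, session_id: str) -> str:
        return self._compute(user, client_ip, session_id)

    def validate(self, crumb: str, user: str, client_ip: str, session_id: str) -> bool:
        return hmac.compare_digest(crumb, self._compute(user, client_ip, session_id))


class Server:
    """Stand-in for a Jenkins master: hands out a session ID when the request
    carries none, then checks the crumb under that request's session."""

    def __init__(self, issuer: CrumbIssuer) -> None:
        self.issuer = issuer
        self.sessions: Set[str] = set()

    def _session_for(self, cookie: Optional[str]) -> str:
        if cookie in self.sessions:
            return cookie
        new_id = secrets.token_hex(16)  # no reusable session: a fresh one is generated
        self.sessions.add(new_id)
        return new_id

    def get_crumb(self, user: str, client_ip: str, cookie: Optional[str]) -> Tuple[str, str]:
        sid = self._session_for(cookie)
        return self.issuer.issue(user, client_ip, sid), sid

    def post(self, user: str, client_ip: str, cookie: Optional[str], crumb: str) -> int:
        sid = self._session_for(cookie)
        return 200 if self.issuer.validate(crumb, user, client_ip, sid) else 403


def connect(server: Server, user: str, client_ip: str, keep_session: bool) -> int:
    """Fetch a crumb, then POST with it, either reusing the session cookie
    the server set (the persistent session the description suggests) or
    dropping it, as a client that ignores cookies would."""
    crumb, sid = server.get_crumb(user, client_ip, cookie=None)
    cookie = sid if keep_session else None
    return server.post(user, client_ip, cookie, crumb)


if __name__ == "__main__":
    # Constructed sample values for a local run.
    strict = Server(CrumbIssuer())
    print("session dropped :", connect(strict, "swarm", "10.0.0.5", keep_session=False))  # 403
    print("session reused  :", connect(strict, "swarm", "10.0.0.5", keep_session=True))   # 200
    relaxed = Server(CrumbIssuer(exclude_session_id=True))
    print("EXCLUDE_SESSION_ID workaround:", connect(relaxed, "swarm", "10.0.0.5", False))  # 200
```

Running it shows the 403 the description predicts when the session is dropped, the 200 when the cookie is reused, and that the workaround makes a crumb reusable across sessions while the user and client IP binding remains, which is the reduced protection the description notes against SECURITY-626 and SECURITY-1491.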

          [JENKINS-59193] Session-ID missing alongside CSRF tokens

          Daniel Katz created issue -
          Basil Crow made changes -
          Link New: This issue is duplicated by JENKINS-59305 [ JENKINS-59305 ]
          Basil Crow made changes -
          Assignee New: Basil Crow [ basil ]
          Basil Crow made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]
          Basil Crow made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Basil Crow added a comment -

katzdm ohzaki Can you provide me with a list of steps to reproduce the issue? Bonus points if you can submit a PR with a failing unit test. I tried updating the unit tests to use Jenkins 2.176.3 and DefaultCrumbIssuer, but the tests still passed:

          diff --git a/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java b/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
          index b4d1f12..426e01c 100644
          --- a/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
          +++ b/plugin/src/test/java/hudson/plugins/swarm/SwarmClientIntegrationTest.java
          @@ -12,6 +12,7 @@ import hudson.model.FreeStyleProject;
           import hudson.model.Node;
           import hudson.plugins.swarm.test.ProcessDestroyer;
           import hudson.plugins.swarm.test.TestUtils;
          +import hudson.security.csrf.DefaultCrumbIssuer;
           import hudson.tasks.BatchFile;
           import hudson.tasks.CommandInterpreter;
           import hudson.tasks.Shell;
          @@ -28,6 +29,7 @@ import org.apache.commons.lang.RandomStringUtils;
           import org.apache.commons.lang.math.NumberUtils;
           import org.junit.After;
           import org.junit.Assume;
          +import org.junit.Before;
           import org.junit.ClassRule;
           import org.junit.Rule;
           import org.junit.Test;
          @@ -51,6 +53,11 @@ public class SwarmClientIntegrationTest {
           
               private final ProcessDestroyer processDestroyer = new ProcessDestroyer();
           
          +    @Before
          +    public void setIssuer() {
          +        j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false));
          +    }
          +
               /** Executes a shell script build on a Swarm Client agent. */
               @Test
               public void buildShellScript() throws Exception {
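Review bot: the bare `false` in `j.jenkins.setCrumbIssuer(new DefaultCrumbIssuer(false));` inside `setIssuer()` is opaque to a reader; a one-line comment saying what it toggles (that constructor parameter is `excludeClientIPFromCrumb` in Jenkins core, so `false` keeps the client IP in the crumb) would make clear that the test deliberately runs the stricter configuration. It would also help to state in the same place that `EXCLUDE_SESSION_ID` is left at its default, since the session-ID binding is what this issue is about; a passing test otherwise does not tell the reader which binding was actually exercised.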
          diff --git a/pom.xml b/pom.xml
          index cdaf0ed..3c7d7c2 100644
          --- a/pom.xml
          +++ b/pom.xml
          @@ -24,7 +24,7 @@
               <version>3.18-SNAPSHOT</version>
           
               <properties>
          -        <jenkins.version>2.60.3</jenkins.version>
          +        <jenkins.version>2.176.3</jenkins.version>
                   <java.level>8</java.level>
               </properties>
           
          

          Basil Crow added a comment -

          For what it's worth, I also tried a manual test of installing Jenkins 2.190.1, ensuring that "Prevent Cross Site Request Forgery exploits" was checked with "Default Crumb Issuer" as the crumb algorithm, and then running this command:

          java -jar swarm-client-3.17.jar -master <url> -username <username> -password <password> -name <name> -disableClientsUniqueId  -deleteExistingClients
          

          This worked fine as well. Without being able to reproduce the error, I won't be able to make progress fixing this I'm afraid.

          Dirk Kuypers added a comment -

          I am not sure if this is related. I am hit by 403 after a restart of the master. Node was connected via swarm, master restart due to (Windows) updates, swarm client refuses to connect with 403. Client restart does not help. After 24 hours something seems to expire and clients can connect again. I have installed the new Crumb Issuer Plugin and I have unticked the Session ID.

          Environment is Windows 2016 server for the master, Windows 10 for the clients, Active Directory and Role-Based Access (which can be found when googling for swarm and 403 quite often:-/)

          Basil Crow added a comment -

          Thanks for the information bruce. Unfortunately this still doesn't get me any closer to reproducing the problem or resolving it. The unit tests I mentioned above do restart Jenkins (see PipelineJobTest), although not on Windows. If someone can provide me with steps to reproduce this problem from scratch I would be very grateful.

          Basil Crow added a comment - - edited

          Hey katzdm, ohzaki, and bruce, I think I have figured this out. This doesn't have anything to do with the CSRF configuration but rather the Authorization Strategy configuration. Your Swarm user needs the Overall/Read permission in order to obtain a CSRF token. I just recently documented the recommended configuration for Swarm with examples and screenshots for matrix-based security, project-based Matrix Authorization Strategy, and Role-Based Strategy. Please ensure that you have configured your permissions appropriately following the above documentation.

Assignee: basil Basil Crow
Reporter: katzdm Daniel Katz
Votes: 0
Watchers: 4
