[JENKINS-60942] swarm plugin requires anonymous/overall/read if not started with user/password

      Hi,

      I'm a heavy user of the Jenkins swarm plugin.

      We are using the plugin to enable users to connect their own machines to the server upon request, perform a check, and then disconnect them.

      Since we don't require a username/password to connect the machines, we had to enable "anonymous/overall/read" in the global security (we are using project-based matrix authorization).

      What I recently discovered is that the Jenkins server is not redirecting non-logged-in users to the login page if they try to access the server using a link sent to them from a failed job execution. They get a 404 error instead.

      Removing anonymous/overall/read from global security fixed that problem.

      However, now users are unable to connect their machines to the server unless they provide a username and password.

      Is there a way to make the swarm plugin NOT use anonymous/overall/read from global security? Maybe there is another way to make this combination work?

      This is really weird behavior...

      I can provide additional info upon request.


          Basil Crow added a comment -

          Hey amidar, sorry for the late response. Are you saying that you are using Project-based Matrix Authorization granting anonymous users Agent/Create and Agent/Connect but not Overall/Read, and starting Swarm without a -username argument? This is unsupported. The recommended Project-based Matrix Authorization configuration for Swarm is to have a user with a Jenkins API token (or, less desirable, a password) with the Agent/Create and Agent/Connect permissions. In addition, either this dedicated user or the "Anonymous Users" or "Authenticated Users" groups must have the Overall/Read permission.
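
Added example, not part of the original thread or of the Swarm plugin: a Python audit of a Jenkins `config.xml` for the state the reporter is after, where anonymous holds no permissions and a dedicated Swarm account holds Agent/Create, Agent/Connect and Overall/Read. The account name `swarm-agent`, the sample XML and the `USER:`/`GROUP:`/`EITHER:` entry prefixes of newer matrix-auth releases are assumptions.

```python
import xml.etree.ElementTree as ET

# Jenkins permission IDs as they appear in matrix authorization entries.
OVERALL_READ = "hudson.model.Hudson.Read"
AGENT_CREATE = "hudson.model.Computer.Create"
AGENT_CONNECT = "hudson.model.Computer.Connect"
SWARM_NEEDS = {OVERALL_READ, AGENT_CREATE, AGENT_CONNECT}

# Constructed sample: anonymous still holds Overall/Read, and the
# hypothetical "swarm-agent" account is missing Agent/Connect.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>USER:hudson.model.Hudson.Read:swarm-agent</permission>
    <permission>USER:hudson.model.Computer.Create:swarm-agent</permission>
    <permission>GROUP:hudson.model.Hudson.Administer:admins</permission>
  </authorizationStrategy>
</hudson>"""

def parse_grants(config_xml):
    """Return {sid: set of permission IDs} from the <permission> entries."""
    grants = {}
    for node in ET.fromstring(config_xml).iter("permission"):
        text = (node.text or "").strip()
        # Assumed newer format: TYPE:permission:sid; older: permission:sid.
        for prefix in ("USER:", "GROUP:", "EITHER:"):
            if text.startswith(prefix):
                text = text[len(prefix):]
                break
        perm, _, sid = text.partition(":")
        if not sid:
            continue  # skip entries that do not parse
        grants.setdefault(sid, set()).add(perm)
    return grants

def audit(config_xml, swarm_user):
    """List what still separates the config from the target state."""
    grants = parse_grants(config_xml)
    findings = [f"anonymous holds {p}" for p in sorted(grants.get("anonymous", ()))]
    # Overall/Read may also be granted through the "authenticated" group.
    held = grants.get(swarm_user, set()) | grants.get("authenticated", set())
    findings += [f"{swarm_user} lacks {p}" for p in sorted(SWARM_NEEDS - held)]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "swarm-agent"):
        print(line)
```

An empty result means anonymous access can stay closed while Swarm clients started with `-username` and that account's API token still connect.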


          Basil Crow added a comment -

          FYI I have documented the recommended configuration for Project-based Matrix Authorization Strategy.

          Jim Klimov added a comment -

          Update: after MD->ADOC migration, the strategy is documented at https://github.com/jenkinsci/swarm-plugin/blob/master/docs/security.adoc


            Unassigned Unassigned
            amidar Amit Dar