  1. Jenkins
  2. JENKINS-25421

Allow Swarm client to be used when CSRF is disabled

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • swarm-plugin
    • None
    • Jenkins 1.580.1
      Swarm Plugin 1.20
      "Prevent Cross Site Request Forgery exploits" - Disabled

    Description

      I updated the Swarm plugin from 1.16 to 1.20 and began experiencing this issue. Enabling the CSRF prevention works fine.

      java -jar swarm.jar -executors 2 -mode exclusive -fsroot '~/jenkins' -master http://jenkins:8079/ -name <NAME> -username eric -password <PW>
      
      Discovering Jenkins master
      Attempting to connect to http://jenkins:8079/ aeac4e35-fe09-4da7-bb5c-579658910ff5
      Could not obtain CSRF crumb. Response code: 404
      Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
      INFO: basic authentication scheme selected
      Nov 3, 2014 5:19:48 PM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
      INFO: Failure authenticating with BASIC 'Jenkins'@jenkins:8079
      Failed to create a slave on Jenkins CODE: 401
      Retrying in 10 seconds
      

          Activity

            adongare Anita Dongare added a comment -

            Hi team,
            We are seeing the same issue on our Jenkins master. Can someone help explain and resolve this error with the Swarm plugin?

            Thanks
            Anita

            oleg_nenashev Oleg Nenashev added a comment -

            KK does not maintain this plugin anymore. Moving to unassigned to set the expectation

            oleg_nenashev Oleg Nenashev added a comment - - edited

            I do not plan to fix the issue. Usage of this plugin (and Jenkins in general) is dangerous when CSRF protection is disabled. If somebody wants to invest his time into it, pull requests are welcome.

            basil Basil Crow added a comment -

            Is this still a bug on recent versions of Jenkins core and Swarm client? I just tried connecting to a Jenkins master (2.150.1) with Swarm client 3.16 both with and without CSRF enabled on the Jenkins master, and things worked just fine.

            basil Basil Crow added a comment -

            The UI for disabling CSRF protection was removed from Jenkins 2.222, but it is still possible to disable CSRF through the unsupported hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION system property. I tested using this property and Swarm 3.21, and the Swarm client was able to successfully connect to Jenkins both before and after a Jenkins restart. It is likely this issue was fixed in some recent Swarm release. Please ensure that you are running the latest Swarm plugin and Swarm client, consulting the documentation regarding how to configure authentication and authorization if necessary. If you still encounter problems, please open a new issue with detailed steps to reproduce.
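
Added example, not part of the issue thread and not code from Jenkins or the Swarm plugin: a small audit helper that flags Jenkins controller command lines which set the system property named in the comment above. The host names and command lines are constructed samples, and the parsing rules (Java boolean parsing, last `-D` wins, JVM options end at the `.war`/`.jar` file) are assumptions noted in the comments.

```python
import shlex

# System property named in the comment above.
PROP = "hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION"
# JVM options whose value is the next token (so a class path ending in .jar is skipped).
TAKES_VALUE = {"-cp", "-classpath", "--class-path"}

def csrf_disabled(cmdline: str) -> bool:
    """True if a `java ... -jar jenkins.war` command line sets PROP to true.

    Assumptions: only the value "true" (any case) enables the property, the
    last -D for a key wins, and tokens after the .war/.jar file are arguments
    to Jenkins rather than JVM options.
    """
    value = None
    tokens = iter(shlex.split(cmdline)[1:])  # drop the java executable
    for tok in tokens:
        if tok in TAKES_VALUE:
            next(tokens, None)               # skip the class path value
        elif tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            if key == PROP:
                value = val                  # later occurrences override earlier ones
        elif tok.endswith((".war", ".jar")):
            break                            # everything after this is an app argument
    return value is not None and value.lower() == "true"

# Constructed sample command lines (for example, collected with `ps -eo args`).
SAMPLES = {
    "ci-a": "java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --httpPort=8080",
    "ci-b": f"java -D{PROP}=true -jar jenkins.war",
    "ci-c": f"java -D{PROP}=true -D{PROP}=false -jar jenkins.war",
    "ci-d": f"java -jar jenkins.war -D{PROP}=true",
    "ci-e": f"java --add-opens java.base/java.lang=ALL-UNNAMED '-D{PROP}=TRUE' -jar jenkins.war",
}

def audit(samples: dict) -> list:
    """Return the sorted names of controllers running with CSRF protection disabled."""
    return sorted(name for name, cmd in samples.items() if csrf_disabled(cmd))

if __name__ == "__main__":
    for host in audit(SAMPLES):
        print(f"{host}: CSRF protection disabled via system property")
```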


            People

              Unassigned Unassigned
              elordahl Eric Lordahl
              Votes: 6
              Watchers: 11