Jenkins issue JENKINS-61375

Cannot disable CSRF

    Details

    • Type: Task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Won't Fix
    • Component/s: core
    • Labels:
      None
    • Environment:
      fedora-20
      Jenkins ver. 2.223

      Description

      I have:

      1. Jenkins 2.204.4 running on a Windows 10 machine
      2. Jenkins 2.223 running on a Fedora20 machine
      3. Jenkins 2.204.4 running on a Centos7 machine

      The windows machine triggers jobs on the Fedora20 and Centos7 machines Using the "Trigger a remote parameterized job" plugin. This plugin 'triggers' the appropriate job on the Fedora20 and Centos7 machines.

      The last time the Fedora20 job successfully ran "CSRF protection was disabled".

      Fedora20's jenkins version was updated and now Fedora20 fails. The output also now shows that "CSRF protection is now enabled."

      The Centos7 machine still works, and has CSRF disabled. However, if I enable CSRF on Centos7 I get the failure.

      I attempted to disable CSRF on Fedora20, and the option is no longer there. It now looks like this:

      There is only one option, setting the crumb issuer to "Default crumb issuer".

          Activity

          danielbeck Daniel Beck added a comment -

          Fix your client to HTTP Basic authenticate using an API token, then you don't need a CSRF crumb and everything just works (and it's been that way since late 2017).

          For the short term, there is an "escape hatch" in setting the system property hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to true before Jenkins starts. Note that this might go away in the future. Again, fix whatever clients you're using.

          rocha_stratovan John Rocha added a comment -

          Daniel Beck, what do you mean "Fix your client"? I'm just using Jenkins plugins. I don't have a client. I have Jenkins on slave and Jenkins on master. Jenkins on master uses trigger remote parameterized job, for that you give the slave hostname information, and the name of the Jenkins job to trigger and it works. What specifically are you referring to – fix client and HTTP Basic authentication?

          danielbeck Daniel Beck added a comment -

          "Jenkins on master uses trigger remote parameterized job"

          Your client in that case is https://plugins.jenkins.io/Parameterized-Remote-Trigger/

          rocha_stratovan John Rocha added a comment -

          For those of you that stumble upon this issue. It is resolved with a Jenkins configuration change.

          There may be other ways to resolve this, but this is how I resolved it.

          1. Configure the remote machine to add a token
            1. Log on to Jenkins as the user that will execute the job (i.e. build user)
            2. Select People
            3. Select your user ID (i.e. build user).
            4. Select Configure
            5. Find the section titled API Token to add a token
              1. Select Add new Token
              2. Select Generate
              3. Copy the token and keep it. This is the only time the token will be in plain text for you to copy.
            6. Select [Save] to save the token with the user

          2. Configure calling machine's remote parameterized interface to use this token
            1. Log on to Jenkins on the calling machine
            2. Select Manage Jenkins.
            3. Select Configure System.
            4. Scroll down to the section Parameterized Remote Trigger Configuration and find the entry for the remote machine you added a token to in the previous step.
            5. Change Authentication to Token Authentication.
            6. Set the User Name to the correct user (i.e. build user)
            7. Paste the copied token from the previous configuration into the API Token field.
          3. Select [Save]

          This should fix the remote parameter calls. It should now work even with CSRF enabled.

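
What the token-authenticated client configured in the steps above does on the wire, as an added Python example (not the Parameterized Remote Trigger plugin's code); the Jenkins URL, build user, API token and job name are placeholders, and the 403 handling shows how a crumb-less call without token auth presents itself:

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values (assumed, not from the issue): the remote Jenkins, the
# build user and the API token generated under that user's Configure page.
JENKINS_URL = "https://remote-jenkins.example.invalid"
BUILD_USER = "build"
API_TOKEN = "REPLACE_WITH_API_TOKEN"


def build_trigger_request(base_url, job, params, user, token):
    """Build the POST to /job/<job>/buildWithParameters.

    HTTP Basic authentication with an API token is accepted by Jenkins in
    place of a CSRF crumb, so no crumb is fetched or sent here.
    """
    url = f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job)}/buildWithParameters"
    body = urllib.parse.urlencode(params).encode()
    credentials = base64.b64encode(f"{user}:{token}".encode()).decode()
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def classify_response(status, body):
    """Map the HTTP result to an actionable message for the operator."""
    if status in (200, 201):  # Jenkins answers 201 Created when the build is queued
        return "queued"
    if status == 403 and b"crumb" in body.lower():
        return "csrf: no valid crumb, client is not using API token auth"
    if status in (401, 403):
        return "auth: wrong user/API token, or user lacks Job/Build permission"
    return f"http {status}"


def trigger(job, params):
    """Trigger the remote job and return the classified outcome."""
    req = build_trigger_request(JENKINS_URL, job, params, BUILD_USER, API_TOKEN)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())
```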

            People

            Assignee:
            Unassigned
            Reporter:
            rocha_stratovan John Rocha