How do I auth in Jenkins CLI without showing my password - jenkins

I am working in Jenkins and using their CLI to update plugins. I am running the command java -jar jenkins-cli.jar -s https://examplejenkins8080/ -webSocket install-plugin examplePluginName and outputs "ERROR: anonymous is missing the Overall/Read permission".
I found out I am in anonymous on the cli but want to change that to my credentials. The command to sign in on cli is "-webSocket -auth -USER -Pass" but I don't want to show my password. Is there a way around this using a command to not show my password?

There are multiple ways to pass credentials.
Option 1
Setting credentials as environment variables.
export JENKINS_USER_ID=kohsuke
export JENKINS_API_TOKEN=abc1234ffe4a
java -jar jenkins-cli.jar [-s JENKINS_URL] command ...
Option 2
Load credentials from a file. In this case you can save the credentials as USER:PASSWORD in a file and then point to that file.
java -jar jenkins-cli.jar [-s JENKINS_URL] -auth #/home/kohsuke/.jenkins-cli command ...
For more info check this document.

Related

Automate Setting Jenkins Credentials and Global Variables

I have Terraform+Ansible script that automates the deployment of a Jenkins server. However, I'd also like to pre-load that server with "Global" environment variables (Found in "Manage Jenkins" > "Configure System" > "Global Properties" > "Environment Variables"). I'm also looking to automatically set a few Jenkins credentials (found in "Manage Jenkins" > "Manage Credentials").
From what I understand, the credentials are stored encrypted in a file called /var/lib/jenkins/credentials.xml. And the global properties might be stored in config.xml in the same Jenkins directory, though the variables don't look very structured. I might be able to parse out the config.xml and add some values. But I'm wondering how I can create an encrypted secret that can be added to the credentials.xml.
Are there any tools or strategies for automating the creation of secrets and environment variables in Jenkins? I'm hoping that there's a better way to automate this other than parsing the xml documents. Any advice is much appreciated.
You shouldn't be manually altering these files. You can use one of the following options to automate Credential and Global variable creation.
Jenkins API.
Jenkins CLI.
Python-jenkinsapi. (Python wrapper for Jenkins API)
How to use Jenkins API to create credentials
Following commands need curl and jq. Execute in the same session.
# Change the following appropriately
JENKINS_URL="http://localhost:8080"
JENKINS_USER=admin
JENKINS_USER_PASS=admin
Get the Crumb
JENKINS_CRUMB=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -s --cookie-jar /tmp/cookies $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
Get the Access token
ACCESS_TOKEN=$(curl -u "$JENKINS_USER:$JENKINS_USER_PASS" -H $JENKINS_CRUMB -s \
--cookie /tmp/cookies $JENKINS_URL'/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=GlobalToken' | jq -r '.data.tokenValue')
Create Credentials
curl -u $JENKINS_USER:$ACCESS_TOKEN \
-H $JENKINS_CRUMB \
-H 'content-type:application/xml' \
"$JENKINS_URL/credentials/store/system/domain/_/createCredentials" \
-d '<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<id>TestCredentials</id>
<description>This is sample</description>
<username>admin2</username>
<password>admin2</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>'
Note: The credential create URL format is /credentials/store/CREDENTIALS_STORE_NAME/domain/DOMAIN_NAME/ Change this appropriately if you want to create the Credential in a custom location. The easiest way to get this URL is by navigating to a existing credential from the UI and copying the URL.
How to create Credentials from Jenkins CLI
# Change the following appropriately
JENKINS_URL="http://localhost:8080"
JENKINS_USER=admin
JENKINS_USER_PASS=admin
Download the Jenkins CLI Jar
wget $JENKINS_URL/jnlpJars/jenkins-cli.jar
Create a file named cred.xml with the following content.
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>PassID</id>
<username>Username</username>
<password>password</password>
<description>Description</description>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
Create credentials
java -jar jenkins-cli.jar -s $JENKINS_URL -auth $JENKINS_USER:$JENKINS_USER_PASS create-credentials-by-xml system::system::jenkins _ < cred.xml
How to create credentials with Jenkins Python API
Following is a simple sample to create Global credentials using Jenkins Python API.
from api4jenkins import Jenkins
j = Jenkins('http://localhost:8080', auth=('admin', 'admin'))
xmlPayload = '''<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<id>user-id</id>
<username>user</username>
<password>upassword</password>
<description>user id for testing</description>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>'''
j.credentials.create(xmlPayload)

How to safe restart jenkins?

I tried few ways to safe restart either in CLI using the command "java -jar jenkins-cli.jar -s http://localhost:8080/ -webSocket safe-restart" which says - "ERROR: Unexpected exception occurred while performing safe-restart command.
hudson.lifecycle.RestartNotSupportedException: Default Windows lifecycle does not support restart."
Tried http://localhost:8080/safeRestart - Jenkins cannot restart itself as currently configured.
Can anyone solve this issue of mine. I'm using generic jenkins via jenkins.war file

Installing local plugin via jenkins-cli

I've enabled 'Enable CLI over remoting'.
I've set TCP port for JNLP either fixed or random.
I've downloaded the jenkins-cli.jar successfully.
when preforming plugin-install command i receive:
When executing: java -jar jenkins-cli.jar -auth user:pass -s http://localhost:8080 install-plugin file:///folder/plugin.hpi
ERROR: Unexpected exception occurred while performing install-plugin command.
java.io.FileNotFoundException: /folder/plugin.hpi (No such file or directory)
Without the file://
/folder/plugin.hpi is neither a valid file, URL, nor a plugin artifact name in the update center
I've tried every possible combination, the file does exist.
Edit: from the exception it keeps thinking that it's url instead of file:
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
at java.net.URL.openStream(URL.java:1045)
at hudson.FilePath.copyFrom(FilePath.java:890)
"
Edit 2: It does work when given HTTP URL, but it will require me to upload it to a server which I don't have every time.
Edit 3: I tried moving the file to the same folder of Jenkins /var/lib/jenkins and give it permissions of 777.
It was a combination of #Alex O solution, and that I used -auth myuser:mypass instead of --username admin --password password and toggled --remoting.
It looks like this:
java -jar jenkins-cli.jar -s http://host-ip:8080/ -remoting install-plugin ./plugin.hpi --username my-user --password my-pass -restart
The URL that you provide as argument to install-plugin must be accessible by the Jenkins master process. If you get the error message
/folder/plugin.hpi (No such file or directory)
then there's most likely a problem with access rights, or /folder is not mounted on the master's host (or in the master's container, if you use docker).
This is why a HTTP URL does work.
So, for file:// URLs, you need to align filesystem mounts and permissions between CLI user/machine and Jenkins master user/machine.

Using the jenkins CLI (on fedora 23)

I have a jenkins instance running. To create this instance on a Fedora 23 machine, I installed jenkins (via dnf) and started it (via systemd). It is running and I can see it in my browser at http://localhost:8080.
I have been trying to follow the directions in https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI.
I download http://localhost:8080/jnlpJars/jenkins-cli.jar to my computer.
Then I try to run the program java -jar jenkins-cli.jar http://127.0.0.1 -s help and I get no main manifest attribute, in jenkins-cli.jar
When I check jenkins-cli.jar, sure enough there is no Main-Class entry in the manifest file.
What is the proper way to invoke the jenkins cli?
Addendum
https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins has a separate procedure for using the jenkins cli, but it does not explain where to obtain jenkins.jar.
I have worked out a kludgy solution. I hope someone has a better idea.
On my instance I run
curl http://www.java2s.com/Code/JarDownload/localizer/localizer-1.9.jar.zip > localizaer-1.9.jar.zip
unzip localizaer-1.9.jar.zip
curl http://central.maven.org/maven2/commons-codec/commons-codec/1.9/commons-codec-1.9.jar > commons-code-1.9.jar
java -classpath /usr/share/jenkins/webroot/WEB-INF/jenkins-cli.jar:/usr/share/jenkins/webroot/WEB-INF/remoting.jar:/usr/share/jenkins/webroot/WEB-INF/slave.jar:/usr/share/jenkins/webroot/WEB-INF/classes:localizer-1.9.jar:commons-code-1.9.jar:localizer-1.9.jar hudson.cli.CLI -s http://localhost:8080 help
I don't like it because it is super-kludgy, but it seems to work.

hudson.security.AccessDeniedException2: anonymous is missing the Read permission

I'm running jenkins and getting this error
hudson.security.AccessDeniedException2: anonymous is missing the Read
permission
I tried many times, deleted cookies and all.
Disabling security is not the solution. It's probably there for a reason. Try "login" instead
java -jar jenkins-cli.jar -s http://yourserver/jenkins/ login --username usr --password qwerty
cheers
Similar issue I faced but with GitHub OAuth plugin,my problem and solution explained here
Errors
hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission at hudson.security.ACL.checkPermission(ACL.java:57)
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://ghe.acme.com/api/v3/user
https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
I am able to run
java -jar jenkins-cli.jar -s http://server get-job myjob > myjob.xml
works for me using abouv url
In addition to the above link, use these simple and clear steps
I think some of the answers in here were partial. This is how I resolved it:
Step Jenkins
/etc/init.d/jenkins stop
sudo vi /var/lib/jenkins/config.xml (Please copy the complete text somewhere first, so that later you don't run in other problems)
2.A. change useSecurity element's value to false
false
2.B. Remove authorizationStrategy block
Start Jenkins again:
/etc/init.d/jenkins start
Access Jenkins through URL and reconfigure security again.

Resources