Restrict slack-slash command access - jenkins

I have automated the deployments in Jenkins from slack by slash commands.
I need to give permission for slash commands or restrict slash command access to particular users only, i.e. some members in the channel can deploy the dev environment by using /deploy_dev, but they should not be able to deploy to the staging and production environments.

In order to restrict access to a custom slash command just check which user invoked the slash command in your script and then either execute the command or deny it (and reply with an appropriate message).
Slack always provides the user ID and user name with the request, so that information is available in your scripts. See the example below of a command request from Slack (from the official documentation):
token=gIkuvaNzQIHg97ATvDxqgjtO
team_id=T0001
team_domain=example
enterprise_id=E0001
enterprise_name=Globular%20Construct%20Inc
channel_id=C2147483705
channel_name=test
user_id=U2147483697
user_name=Steve
command=/weather
text=94070
response_url=https://hooks.slack.com/commands/1234/5678
To manage who has access I would recommend using private channels, so that a user has to be a member of a specific private channel if he wants to execute a specific slash command. You can call groups.info to get the user IDs of all members of a private channel in your script.
Note that slash commands are always accessible to all users and there is no global configuration option in Slack that would allow you to grant access to specific slash commands. So you have to do this in your script as detailed above.
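As an added example (not code from the answer above), a Python handler for the approach just described: parse the form body Slack POSTs, check the verification token shown in the request, and allow or deny per command based on user_id. The allow lists and the extra user ID are constructed; filling them from groups.info and actually triggering Jenkins are left out.

```python
import hmac
from urllib.parse import parse_qs

# Verification token from the request example above (from the Slack docs).
# Load it from a secret store in a real handler; Slack now prefers
# signing-secret verification, but the token is what this request carries.
VERIFICATION_TOKEN = "gIkuvaNzQIHg97ATvDxqgjtO"

# Per-command allow lists keyed by Slack user ID (U0000000002 is constructed).
# Key on user_id, never user_name: display names can be changed by the user.
# In the answer's setup each set would be filled from groups.info on the
# private channel that gates that environment.
ALLOWED_USERS = {
    "/deploy_dev": {"U2147483697", "U0000000002"},
    "/deploy_staging": {"U0000000002"},
    "/deploy_prod": {"U0000000002"},
}


def parse_slack_command(raw_body: str) -> dict:
    """Flatten the url-encoded form body Slack POSTs into a str -> str dict."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def authorize(fields: dict, allowed=ALLOWED_USERS, token=VERIFICATION_TOKEN):
    """Decide whether this invocation may run. Returns (permitted, message)."""
    # Constant-time compare so the token check does not leak via timing.
    if not hmac.compare_digest(fields.get("token", ""), token):
        return False, "Request did not come from this Slack app."
    command = fields.get("command", "")
    user_id = fields.get("user_id", "")
    if command not in allowed:
        return False, f"Unknown command {command}."
    if user_id not in allowed[command]:
        # Deny by default and tell the caller; nothing is deployed.
        return False, f"Sorry <@{user_id}>, you are not allowed to run {command}."
    return True, f"Starting {command} for <@{user_id}>."


def handle(raw_body: str):
    """Return (permitted, JSON reply for Slack). Ephemeral: only the caller sees it."""
    permitted, text = authorize(parse_slack_command(raw_body))
    return permitted, {"response_type": "ephemeral", "text": text}


# Constructed sample request: Steve (from the example above) tries staging.
SAMPLE_BODY = (
    "token=gIkuvaNzQIHg97ATvDxqgjtO&team_id=T0001&channel_id=C2147483705"
    "&user_id=U2147483697&user_name=Steve&command=/deploy_staging&text="
)

if __name__ == "__main__":
    print(handle(SAMPLE_BODY))
```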

Related

Is it possible to use Jenkins Webhooks with Github when the github account uses 2 factor auth

I am using the latest docker image for jenkins (jenkins/jenkins:lts JENKINS_VERSION 2.208). I have started the container, configured jenkins and can manually build against a public repo. However, on my github account I have 2FA, which must remain. I have created a personal access token in Github, and used this in my jenkins config for github server section. I have validated that the connection is working by pressing the test connection link (I added secret text that used my personal access token from github):
In Github, I have webhook settings with the IP address for where jenkins is hosted (the IP for the docker container) followed by github-webhook (I have also tried using a dns mapped address for jenkins as well, e.g., http://jenkins-local/github-webhook), content type is application/json.
I have github polling enabled in jenkins as well, however, it does not work on push requests to the repo. I see failure logs in Github within the webhooks section, this increases each time I make a push (the request keeps failing). I have searched wide across the internet and found documentation of suggestions on what to do, including this link here: securing your webhooks, but nothing is giving me the desired polling effect when a push is initiated and a build triggered. So my question is, is it possible to use 2FA and github webhooks? If it is possible, then what are the exact steps to do it?
If you have 2FA enabled, you cannot authenticate with a login/pass from your tools anymore. You need to create a token that you will use in place of your password.
The official documentation should get you there in almost no time.
In the end the solution was to download ngrok. The IP address that I had previously tried and the dns mapped address were not publicly available. I tried using my public ip address as well, but that also didn't work. In the end, downloading ngrok gave me a publicly accessible ip address (the address will look like the following: http://1212344a.ngrok.io). If you also plan to use ngrok then ensure that when you start it from the command line/terminal you also pass the same port as the application that is running locally, if one is required. Next, in github - settings - webhooks set the payload url to the url that ngrok provides in the terminal output, but also append /github-webhook/ to the end of the address to complete the payload url (in my case this was http://1212344a.ngrok.io/github-webhook/ as the full payload url).

Trigger Jenkins job via Slack command - 403_client_error

I'm trying to do a pretty simple thing I believe - trigger a Jenkins job from a slash command in slack. I want to type /dump in slack and that should trigger particular jenkins job. I'm using Slack Slash command to achieve this and the setup is very simple - type command, type URL, select POST/GET method.
I tried two methods - the first was to use the Build Authorization Token Root Plugin following this tutorial - in this case I configured the Slack slash command to make a GET request to the URL: http://jenkins_url:8080/job/db-dump-setup/build?token=MY_TOKEN - If I put the URL in my browser, the job gets triggered; if I run the /dump command, slack responds with:
slackbot [3:41 PM]
Darn - that slash command didn't work (error message: `403_client_error`). Manage the command at text.
The second approach I tried was following this tutorial. In this case I created a new user in Jenkins and got an API token. When running this command from my terminal: curl -X POST http://USER:TOKEN@slack_url:8080/job/db-dump-setup/build, the job again gets triggered, however when configuring the Slack slash command with the same URL and making a POST request, I get the same error: 403_client_error
I tried to google this specific error but didn't find anything useful, also there are no more details for the error or any logs which could help me to troubleshoot this further.
Has anyone run into something similar and knows how I could get this resolved?
I was able to resolve this so answering my own question in a case someone else runs into this. In order to make the first case work (Using the GET request), I had to enable the "Allow anonymous read access" in Jenkins, in Manage Jenkins -> Configure Global Security as per the screenshot below.
You should not need to enable anonymous access. Your jenkins requires authentication. Update your url like http://user:auth-token@jenkins-host:port. The auth token can be generated at the following URL: JENKINS_HOST/me/configure

Slack message button: Dynamic Action URL (Request URL)

I want to create a slack message button and I understand that when the user clicks this button, Slack performs a callback to your app's "action URL" (called "request URL" in app's Interactive Messages settings).
Can I somehow specify this URL dynamically? If not, how do people deal with staging/test servers, etc?
No, you can not provide / set the action URL by script. It has to be entered manually on the config pages for your Slack app.
I have 3 stages (Development, Test, Production) and the way I deal with staging is that I create one clone of my Slack app for each stage. That allows me to specify a different Action URL (and any other request URLs, like slash commands, interactive buttons etc.) for each stage.
Note that if you want to run all clones in the same Slack team you might need to rename some of your artifacts, e.g. slash commands or bot users, accordingly.
Example: For my Slack app rafflebot I use the slash command /raffle. That becomes /raffle_t for my test environment and /raffle_d for my development environment.

Jenkins: Use personal credentials for project

I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is that if I want him to add his login info to the credentials list, I'd have to give him access to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
1. install and activate the Authorize Projects Plugin,
2. enable the "run as specific user" strategy in global security settings,
3. enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.

How can I set the jenkins authentication token?

On my Jenkins build server, I want to set an Authentication Token so that only users that know the token can fire off builds. (As described here.)
This doc page says that it should be configurable under my job's "Build Triggers" configuration.
However, my server has no such fields, and I'm running the latest version (1.546). Mine looks like this:
As you can see, this doesn't really look like the docs say it should.
How can I set this token?
You're missing the Trigger builds remotely (e.g., from scripts) Build Trigger:
This is only visible with Security enabled. To get this option from a freshly downloaded 1.546 WAR, I changed Configure Global Security from Anyone can do anything to at least Logged-in users can do anything. For ease/speed of testing, under Security Realm I selected Jenkins’ own user database and Allow users to sign up:
You can go to http://Jenkins-IP/jobs/me/configure to check and change your API access token. Also check whether the user you intend to use has the necessary permissions to execute the builds in Manage Jenkins > Configure Global Security.
Each jenkins user gets an authentication token - applicable since version 1.426 (more).
You can see yours, provided you are logged in your jenkins server, at http://your.jenkins.server/me/configure
(press 'show API token' button)
Then you can copy and paste it in your scripts (e.g. see here for an example usage).
