Jenkins: commit email -> username mapping with Github OAuth plugin - jenkins

After updating the Jenkins email-ext plugin to 2.57.1, which has a security fix to avoid sending emails to non-Jenkins users, I'm seeing messages like this in build logs:
Not sending mail to user <user>#<domain> with no permission to view <project> #3
The Jenkins server is using the Github OAuth plugin for authentication and the role-based access control plugin for authorization (based on Github teams). The user definitely has permission because I could see the message in the build log on his machine with him logged in.
My guess is that Jenkins isn't correctly mapping the email address from the git commit to the user created by the Github OAuth plugin. How do I make that work? I've checked that the email address in the commit matches the email address shown when the user selects to configure his account in Jenkins.

Related

Bitbucket Webhook is not triggering Jenkins job even webhook returns 200

I am using Bitbucket Cloud and Jenkins is running on an EC2 instance on the private network.
The connection is well established between Bitbucket and Jenkins, as when I run the job manually, the job shows the green status. However, when I make changes in the repo and they get merged, the webhook is not using my app password and as a result the job fails.
I am getting "authentication failed" and it's basically asking me to use the app password. I have already created it but the webhook is still not using it. I am now getting the response 200 in the webhook, which means my webhook is able to reach the Jenkins server, but I am not sure why I am getting "authentication failed".
Can you confirm that:
Your credentials are correctly placed under the credentials section of Jenkins. The username should be the username of the account you are using, and the password should be the app password. It should be present like this:
The ID of the credentials should be used within your pipeline script anywhere you want access to the Bitbucket repository.
Ensure that Bitbucket has access to your EC2 instance that runs Jenkins.
Basically, these are the 3 points where authentication can fail. Checking each point should reveal the problem.

SVN post commit hook is giving 403 forbidden while triggering Jenkins job

I am trying to implement a post-commit hook from my SVN repo to trigger one Jenkins job for my Spring Boot microservice deployment. When I commit a code change, it is committed to the SVN repository, but it does not trigger the Jenkins job; it gives an error like 403 Forbidden, and the dialog box shows that the post-commit hook failed with error code 8.
I am getting an error like the following:
My post-commit hook file, post-commit, is like the following (I removed post-commit.tmpl, created a new post-commit file and added the content here):
And my Jenkins freestyle job is like the following:
NB: Code changes are successfully committed to the SVN repository. The problem is when triggering the Jenkins job.
Have I made a mistake in any of my implementation?
Maybe you hit the CSRF (Cross Site Request Forgery) Jenkins protection.
CSRF protection uses a token (called crumb in Jenkins) that is created
by Jenkins and sent to the user. Any form submissions or similar
action resulting in modifications, like triggering builds or changing
configuration, requires that the crumb be provided.
Requests sent using the POST method are subject to CSRF protection in Jenkins and generally need to provide a crumb.
If you have administrator permissions, you can configure CSRF Protection through Manage Jenkins » Configure Global Security » CSRF Protection.
If you authenticate your API calls with a username and a user API token then a crumb is not required from Jenkins 2.96. So you can:
Generate API token from Jenkins (admin permissions needed).
Then use the API token instead of password for your calls.
Reference:
https://www.jenkins.io/doc/book/security/csrf-protection/
Jenkins : Error 403 No valid crumb was included in the request : From TFS
https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained
Jenkins: 403 No valid crumb was included in the request
This is probably a permission issue. See the subversion plugin documentation:
For this to work, your Jenkins has to allow anonymous read access (specifically, "Job > Read" access) to the system. If access control to your Jenkins is more restrictive, you may need to specify the username and password, depending on how your authentication is configured.
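The API-token approach from the answers above, sketched as a post-commit hook. This is an added example, not code from the original posts; the Jenkins URL, job name, user name and token file path are hypothetical placeholders, and it assumes a user API token generated in Jenkins is stored in a file readable only by the account that runs the hook.

```shell
#!/bin/sh
# Added example: SVN post-commit hook that triggers a Jenkins job with an API token.
# JENKINS_URL, JENKINS_JOB, JENKINS_USER and TOKEN_FILE are hypothetical values.
JENKINS_URL="${JENKINS_URL:-https://jenkins.example.internal}"
JENKINS_JOB="${JENKINS_JOB:-my-service-deploy}"
JENKINS_USER="${JENKINS_USER:-svn-hook}"
TOKEN_FILE="${TOKEN_FILE:-/etc/svn-hooks/jenkins.token}"

# Print the API token, refusing a file that group or others can access.
load_token() {
    [ -f "$1" ] || { echo "token file missing: $1" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "token file too permissive: $1" >&2; return 1; }
    head -n 1 "$1" | tr -d '\r\n'
}

# Map the HTTP status of the trigger request to a hook exit code.
classify_status() {
    case "$1" in
        2??) return 0 ;;
        401) echo "401: user name or API token rejected" >&2; return 2 ;;
        403) echo "403: no crumb/API token sent, or user lacks Job/Build" >&2; return 3 ;;
        404) echo "404: job not found or not readable by this user" >&2; return 4 ;;
        *)   echo "unexpected HTTP status: $1" >&2; return 5 ;;
    esac
}

# POST to the job's build endpoint. Credentials reach curl on stdin (-K -),
# so the token never appears in the process list or in the URL.
trigger_build() {
    token=$(load_token "$TOKEN_FILE") || return 1
    status=$(printf 'user = "%s:%s"\n' "$JENKINS_USER" "$token" |
        curl -K - -s -o /dev/null -w '%{http_code}' -X POST \
             "$JENKINS_URL/job/$JENKINS_JOB/build")
    classify_status "$status"
}

# Subversion invokes the hook as: post-commit REPOS REV [TXN_NAME]
if [ "$#" -ge 2 ]; then
    trigger_build
    exit $?
fi
```

A non-zero exit from the hook is what the SVN client reports as "post-commit hook failed"; the message on stderr then says which of the authentication or permission cases was hit.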

Jenkins - git requests for login credentials using Git plugin

I have a couple of Jobs that pull code from bitbucket and build it in jenkins.
I'm using Git plugin to specify the repository URL + the git credentials.
Even though I set the credentials in each Job configuration, each time there is a push to Bitbucket (that triggers the Jenkins job), Mac is asking for "git-credential-osxkeychain wants to user the "login" keychain".
If I enter the password, the job will run and it will not ask again for a couple of hours.
I would like to make it permanent so that message won't be prompted any more.
Any advice? Thank you.
First, that only happens if you are using https URLs, as part of a git credential helper.
Using SSH URLs would bypass that entirely.
If the actual error message is
git-credential-osxkeychain wants to use your confidential information stored in "xxx" in your keychain.
Check out "unable to click always allow on git-credential-osxkeychain popup": delete the bitbucket entry, and do a git ls-remote /url/bitbucket/repo to force the credential helper to ask those credentials again: enter them, then try your Jenkins jobs again.

How to handle TFS password on multiple Jenkins jobs?

I have set up a few Jenkins jobs which are using TFS. For each one I had to manually input TFS username and password inside the TFS plugin.
Is there a way to change the password in all jobs using some kind of global setting? Or do I have to manually change the password on all jobs when I change my password?
Any help would be appreciated.
Thanks,
Daniel
Get latest TFS (5.0.0) and Credentials (2.1.4) plugins.
Add domain and credentials usable to connect to your TFS server via Jenkins > Configure Credentials.
Now select just added domain, click "Configure", and add your TFS server hostname (or proper wildcard) under Hostname > Include, so jenkins will know where provided credentials can be used.
Now, you can just leave user/password fields empty in job's TFS SCM configuration.
Instructions are mostly taken from TFS plugin GitHub page
Even though TFS Plugin bug Allow use of credentials from Credentials Plugin isn't resolved, all is working fine.
The TFS Plugin for Jenkins does not read the global credentials. You need to enter the username and password for each job manually.
In the Jenkins admin you can add "global" credentials. For this, as a Jenkins admin, go to:
Manage Jenkins > Manage Credentials > Add Credentials > Username with password and save it.
These credentials will be available in all the job configurations of this Jenkins instance.
If you don't see the Manage Credentials item, you may need to install the Jenkins Credentials Plugin.

gerrit: use LDAP auth and have a gerrit-local account for Jenkins

We have a new Gerrit 2.2.1 server using LDAP authentication in our corporate environment. We also have a Jenkins server running as a local UNIX jenkins user that I want to get check in with Gerrit and post build results into Gerrit.
We don't have a "jenkins" LDAP account, and even if we did, the systems group doesn't give out passwords for system accounts, so I can't go into the web UI, create the account and add jenkins' public ssh key. How can I add a "jenkins" account to Gerrit that Jenkins can use? We already have a number of people registered in Gerrit, so I need to be careful with any operations.
A little more Google searching found Paulo Pires's blog post, which led to using Gerrit's create-account command.
