I've just installed the latest version of Jenkins and enabled the so-called "Project-based Matrix Authorization Strategy".
I have added a few users with all privileges and some of them can see the "Manage Jenkins" option after logging into Jenkins, but there are people who can log in but can't see this option.
Really strange behavior. I have checked the configuration in jenkins.xml but it seems ok. Do you have any idea what can be an issue?
Thank you for any suggestions,
Foxrafi
Try using the link https://<JENKINS_URL>:8080/manage; it loaded the Manage Jenkins option on the UI.
OS: CentOS
Java Version: 1.8
It seems the permissions in config.xml are case-sensitive. So when there is such an entry:
<permission>hudson.model.Item.Build:mysuperuserlogin</permission>
and you log using LDAP authentication and this variant of password MySuperUserLogin, you will be able to log in successfully but you won't be able to use the permission.
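Added example (not part of the answer above): a Python check that lists matrix-authorization entries in config.xml whose user id matches a directory login only when case is ignored, which is the mismatch that answer describes. The sample config and the login list are constructed; in practice the logins would come from an export of the LDAP directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a matrix-authorization block like the entry quoted above.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Item.Build:mysuperuserlogin</permission>
    <permission>hudson.model.Item.Read:mysuperuserlogin</permission>
    <permission>hudson.model.Item.Read:ghost</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed list of login names, spelled as the directory returns them.
DIRECTORY_LOGINS = ["alice", "MySuperUserLogin"]


def matrix_sids(config_xml):
    """Map each user id in the <permission> entries to the permissions it holds."""
    grants = {}
    for node in ET.fromstring(config_xml).iter("permission"):
        # Entry format is "<permission id>:<user id>"; the user id is the last field.
        permission, _, sid = (node.text or "").strip().rpartition(":")
        if permission and sid:
            grants.setdefault(sid, []).append(permission)
    return grants


def case_mismatches(config_xml, directory_logins):
    """Return (id in config, login in directory, permissions) for ids that
    match a directory login only when case is ignored."""
    by_folded = {login.casefold(): login for login in directory_logins}
    findings = []
    for sid, permissions in matrix_sids(config_xml).items():
        actual = by_folded.get(sid.casefold())
        if actual is not None and actual != sid:
            findings.append((sid, actual, sorted(permissions)))
    return findings


def unknown_sids(config_xml, directory_logins):
    """Ids in the config that match no directory login, even ignoring case."""
    folded = {login.casefold() for login in directory_logins}
    return sorted(s for s in matrix_sids(config_xml) if s.casefold() not in folded)


if __name__ == "__main__":
    for sid, actual, perms in case_mismatches(SAMPLE_CONFIG, DIRECTORY_LOGINS):
        print(f"{sid!r} is spelled {actual!r} in the directory; affected: {perms}")
    print("no matching account:", unknown_sids(SAMPLE_CONFIG, DIRECTORY_LOGINS))
```

Entries reported by unknown_sids are worth reviewing too, since a grant to an id that nobody owns stays in the file until someone removes it.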
Looks like your authorizationStrategy has been updated
Step 1: Go to your config.xml file and open it in any editor
sudo vim /var/lib/jenkins/config.xml
Step 2: Search for the authorizationStrategy tag inside the XML file and change the value to
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
Step 3: Restart Jenkins:
sudo systemctl restart jenkins
Try to log in now!
Here is the default XML file of Jenkins; you can cross-check your other configurations against it
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<disabledAdministrativeMonitors/>
<version>2.277.2</version>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>false</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<clouds/>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<views>
<hudson.model.AllView>
<owner class="hudson" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
<primaryView>all</primaryView>
<slaveAgentPort>-1</slaveAgentPort>
<label></label>
<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
<excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</crumbIssuer>
<nodeProperties/>
<globalNodeProperties/>
</hudson>
Jenkins - 2.263.1 (LTS) deployed through Tomcat on CentOS-8.2, and have an Nginx reverse proxy running in front of Jenkins.
Under Manage Jenkins > Configure Systems, Apply and Save are not working. Due to this error, I cannot Apply or Save any of my configurations. It always shows the error below in the browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize
it. Apache Tomcat/9.0.30
Also, under Jenkins > Manage Jenkins > Configure Global Security, Apply works, but Save does not; this too results in the same error given above.
Systems log error message.
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter
doFilter No valid crumb was included in request for
/jenkins/configSubmit by ankit.sahu. Returning 403.
Workaround tried:-
1) Under Configure Global security > CSRF Protection > Enable proxy compatibility( Tick marked Enabled). - Didn't work so disabled with below command.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin.
Enabled this plugin and unchecked Check the session ID from its configuration (Under Jenkins Configure Global Security).
4) Restarted Jenkins.
Even tried by adding below in /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However still experiencing same problem. I don't know how to fix it, Can someone help me?
You can (temporarily) disable CSRF with below groovy script. Go to Manage Jenkins >> Script Console, then execute the below groovy script.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure that Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)
Using this info https://hayato-iriumi.net/2019/05/23/how-to-install-jenkins-slave-as-windows-service/ we are setting up the Jenkins Slave on a Windows server. The Jenkins agent starts from the command line, but when we start it from the Windows service, it gives the error message below. How do we resolve this error message?
Service cannot be started. System.IO.InvalidDataException: Attribute <className> is missing in configuration XML
at winsw.Util.XmlHelper.SingleAttribute[TAttributeType](XmlElement node, String attributeName)
at winsw.Extensions.WinSWExtensionDescriptor.FromXml(XmlElement node)
at winsw.Extensions.WinSWExtensionManager.LoadExtension(String id)
at winsw.Extensions.WinSWExtensionManager.LoadExtensions()
at winsw.WrapperService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)
xml file we have
<service>
<id>JenkinsSlave</id>
<name>Jenkins agent</name>
<description>This service runs an agent for Jenkins automation server.</description>
<executable>c:\java\jdk-11\bin\java.exe</executable>
<arguments>-Xrs -jar "c:\jenkins\slave.jar" -jnlpUrl https://jenkinsmaster/jenkins/computer/slave01/slave-agent.jnlp -secret a4b5b4ddfd34a016cd3a8eb94cbe8f908613e33a66db5fa6f5f43a080aea3116 -workDir=c:\jenkins</arguments>
<workingdirectory>c:\jenkins</workingdirectory>
<logmode>rotate</logmode>
<onfailure action="restart">
<download from="https://jenkinsmaster/jenkins/jnlpJars/slave.jar" to="c:\jenkins\slave.jar">
<extensions>
<extension enabled="false" classname="winsw.Plugins.RunawayProcessKiller.RunawayProcessKillerExtension" id="killOnStartup">
<pidfile>c:\jenkins\jenkins_agent.pid</pidfile>
<stoptimeout>5000</stoptimeout>
<stopparentfirst>false</stopparentfirst>
</extension>
</extensions>
</download>
</onfailure>
</service>
Thanks
There are some errors in the sample "Jenkins-Slave.xml" that is presented at the linked web page (which yours is apparently based on). It has all elements and attributes named in lowercase, but actually some of them should be mixed case (as can be seen by the error message that it doesn't find attribute className).
Try this one instead:
<service>
<id>YourJenkinsSlaveServiceId</id>
<name>Your Jenkins Slave Service Name</name>
<description>This service runs an agent for Jenkins automation server.</description>
<executable>C:\Program Files\Java\JRE8\bin\java.exe</executable>
<arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl http://YourJenkinsServer:8080/computer/YourNodeName/slave-agent.jnlp -secret YourSecretStringConsistingOfHexadecimalCharacters -workDir=C:\YourNodeWorkDir</arguments>
<logmode>rotate</logmode>
<onfailure action="restart" />
<download from="http://YourJenkinsServer:8080/jnlpJars/agent.jar" to="%BASE%\slave.jar"/>
<extensions>
<extension enabled="true" className="winsw.Plugins.RunawayProcessKiller.RunawayProcessKillerExtension" id="killOnStartup">
<pidfile>%BASE%\jenkins_agent.pid</pidfile>
<stopTimeout>5000</stopTimeout>
<stopParentFirst>false</stopParentFirst>
</extension>
</extensions>
</service>
This is from a more detailed explanation of how to install an agent as a Windows service which I have given in this answer.
I too had the same issue, similarly.
System.IO.FileNotFoundException: Unable to locate jenkins.xml file within executable directory or any parents
at winsw.ServiceDescriptor..ctor()
at winsw.WrapperService.Run(String[] _args, ServiceDescriptor descriptor)
at winsw.WrapperService.Main(String[] args)
Solution:
Save your jenkins-agent file in XML format, not just as jenkins-agent.xml.
We can use Notepad++ to save it as the XML type.
Similarly, remove .exe at the end of jenkins-agent.exe.
Hope it's useful. Cheers!
The className, stopTimeout and stopParentFirst should not be in lower case.
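Added example (not from the answers above): a Python check that compares the element and attribute names in a WinSW service file against a known-good reference and reports names that differ only by case, such as classname versus className. The reference is a trimmed copy of the corrected file from the answer with values replaced by x; the candidate is a constructed file using the lowercase spelling from the question.

```python
import xml.etree.ElementTree as ET

# Names as spelled in the corrected file from the answer (values replaced by x).
REFERENCE = """<service>
  <id>x</id><name>x</name><description>x</description>
  <executable>x</executable><arguments>x</arguments>
  <logmode>x</logmode><onfailure action="x"/><download from="x" to="x"/>
  <extensions>
    <extension enabled="true" className="x" id="killOnStartup">
      <pidfile>x</pidfile>
      <stopTimeout>5000</stopTimeout>
      <stopParentFirst>false</stopParentFirst>
    </extension>
  </extensions>
</service>"""

# Constructed candidate using the all-lowercase spelling from the question.
CANDIDATE = r"""<service>
  <id>JenkinsSlave</id>
  <extensions>
    <extension enabled="false" classname="winsw.Plugins.RunawayProcessKiller.RunawayProcessKillerExtension" id="killOnStartup">
      <pidfile>c:\jenkins\jenkins_agent.pid</pidfile>
      <stoptimeout>5000</stoptimeout>
      <stopparentfirst>false</stopparentfirst>
    </extension>
  </extensions>
</service>"""


def names_in(xml_text):
    """Collect every element and attribute name used in the document."""
    names = set()
    for element in ET.fromstring(xml_text).iter():
        names.add(element.tag)
        names.update(element.attrib)
    return names


def case_only_differences(candidate_xml, reference_xml=REFERENCE):
    """Return sorted (found, expected) pairs where a candidate name equals a
    reference name only after lowercasing."""
    canonical = {name.lower(): name for name in names_in(reference_xml)}
    pairs = set()
    for name in names_in(candidate_xml):
        expected = canonical.get(name.lower())
        if expected is not None and expected != name:
            pairs.add((name, expected))
    return sorted(pairs)
```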
Yesterday, I locked myself out of jenkins while trying to configure ldap authentication, so I followed the instructions in the wiki and disabled security in the config.xml file via ssh. Now I want to get back to the normal jenkins security, but the possibility is not given under "Configure Jenkins" anymore. So I'm looking for a possibility to restore normal security through the config.xml.
Here is the relevant part of the current config.xml file:
<hudson>
<disabledAdministrativeMonitors/>
<version>1.477</version>
<numExecutors>3</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
<securityRealm class="hudson.security.SecurityRealm$None"/>
...
</hudson>
Has anyone an idea or maybe a valid part of a config.xml?
<hudson>
<disabledAdministrativeMonitors/>
<version>2.130</version>
<numExecutors>2</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
...
</hudson>
I think you are looking for this, as I am able to revert it back to my default config.xml. Remember to always make a backup of the config before modifying it.
Just update those two tags, authorizationStrategy & securityRealm, and you are good to go. And for further reference check out
jenkins_xml_reference
Don't forget to remove authorizationStrategy and securityRealm as per point #6:
https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
<useSecurity>true</useSecurity>
Just change it to False. Then you can access the Jenkins Config from the very beginning.
You missed setting the following:
<useSecurity>false</useSecurity>
Adding/replacing these three settings to config (~/jenkins_home/config.xml) did the trick (i.e. restored login page after it was gone for good when I changed the <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> and later restoring it to true did not restore status quo as expected):
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
Side note: the lock-out happened in my case when I switched from BasicAuth to OAuth forgetting to add a new user to the internal users database managed by Jenkins (that would match the Github username:)
Even I faced the same issue, but later I could figure out the issue.
We need to remove / at the end of the line below.
<securityRealm class="hudson.security.SecurityRealm$None"/>
it should be <securityRealm class="hudson.security.SecurityRealm$None">
This has worked for me.
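Added example (not from any answer in this thread): a Python audit of config.xml for the settings these answers toggle, so that a recovery edit such as AuthorizationStrategy$Unsecured or a removed crumb issuer is not left in place afterwards. Both samples are constructed from the snippets on this page; treating a missing crumbIssuer element as CSRF protection being off is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "security disabled" state quoted in the question above.
LOCKED_OUT_RECOVERY = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample: the restored settings from the answers, plus a crumb issuer.
RESTORED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
</hudson>"""


def audit_config(config_xml):
    """Return a list of findings for settings that leave Jenkins open."""
    root = ET.fromstring(config_xml)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true: no login is required")
    authz = root.find("authorizationStrategy")
    authz_class = authz.get("class", "") if authz is not None else ""
    if authz is None or authz_class.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: anyone can do anything")
    elif authz_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if (authz.findtext("denyAnonymousReadAccess") or "").strip().lower() != "true":
            findings.append("anonymous read access is allowed")
    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_class.endswith("SecurityRealm$None"):
        findings.append("securityRealm is None: there are no accounts to log in with")
    elif (realm.findtext("disableSignup") or "").strip().lower() == "false":
        findings.append("self-service signup is enabled")
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer: CSRF protection is off")
    return findings


if __name__ == "__main__":
    for finding in audit_config(LOCKED_OUT_RECOVERY):
        print("FINDING:", finding)
```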
I am only allowed to work with the command line terminal on Ubuntu.
I need to create a job in Jenkins with security credentials.
I already installed Jenkins in my machine, but the access is open. If I set-up security credentials on Jenkins, how can I specify these on the command line?
Follow these steps:
Generate a public ssh-key in the user you want to work with from the command line:
ssh-keygen
Just press enter whenever you are asked to enter some value.
Copy the content of the file ~/.ssh/id_rsa.pub.
Go to your Jenkins home screen in a browser and log in with a user with full access. Then click on the right on Users and then on the user you are currently logged in with. Then click on settings (or configuration??).
In the field SSH public keys paste the content of the id_rsa.pub file. Save the changes.
And that's all! Now you are able to work with jenkins from the command line.
From the command line
The following is the configuration file of my jenkins main user (with all the privileges). Pay attention to the setting <authorizedKeys>. You should paste there the public ssh key. I haven't made that, but surely if you add the necessary lines to your config file it works. The file is in /path_to_jenkins/users/user_name/config.xml
<?xml version='1.0' encoding='UTF-8'?>
<user>
<fullName>admin</fullName>
<description></description>
<properties>
<jenkins.security.ApiTokenProperty>
<apiToken>pP08W9tzs2jlCrVCY9I2o6y2RNu3Huw85Y2f99/Uif7dia1W7piGpzsrpstln/jw</apiToken>
</jenkins.security.ApiTokenProperty>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@1.4">
<credentials/>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.tasks.Mailer_-UserProperty plugin="mailer@1.4">
<emailAddress>admin@mail.com</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<hudson.model.MyViewsProperty>
<primaryViewName></primaryViewName>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>Alle</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>1DF2ykjkkkjkkQXW</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<authorizedKeys>ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4P1b/5RpibQgDZpKPD7lTQLjtyMrIQH43ns62PO72koL9zJe6qrAYcTIDNOUvSYNYyKfrgt6Z5zB8MvvENQLWezDKTWNXINhZml0PxOlc9ZaHbQX6UqyFbTS6o+ZEGs+K92Yi/XwK5hTmN5Igsw5BQYEs5cOsd5H2PoEZdhK1X0XAEBX/+p6aNy585+/scgZj0jSIvcX+pnzsCJLKmeYadlLnbrvebf9u6pu8MI9RuAY5dvPfpSL4WynWwS1QvY4z535TqPaaAlM3qXqH0pcOlxgW1iUkJqti3JnnxpBNXLmXalmq+4/d7mUrRBx+HKbh5ZpNZad9vaelAjAsNg+uw== user#machine_name</authorizedKeys>
</org.jenkinsci.main.modules.cli.auth.ssh.UserPropertyImpl>
<hudson.search.UserSearchProperty>
<insensitiveSearch>false</insensitiveSearch>
</hudson.search.UserSearchProperty>
</properties>
</user>
I just changed the starting prompt location to the folder in which the jar file is located. For example, if your jar file's location and name is:
C:\Users\Tod\file.jar
you can do two commands:
cd C:\Users\Tod
java -jar file.jar
Trying to use Maven from the command line. Have setup the setting.xml proxy -
<proxy>
<id>optional</id>
<active>true</active>
<protocol>http</protocol>
<username></username>
<password></password>
<host>access.lb.xxx.org</host>
<port>80</port>
<nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>
From cmd screen tried running the command - mvn archetype:generate -X
Getting errors like -
...
Caused by: org.sonatype.aether.transfer.ArtifactTransferException:
Could not transfer artifact org.apache.maven.plugins:maven-release-plugin:pom:2.0
from/to central (http://repo.maven.apache.org/maven2): Access denied to:
http://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-release
plugin/2.0/maven-release-plugin-2.0.pom, ReasonPhrase:Forbidden.
at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap
(WagonRepositoryConnector.java:951) ...
Can't figure out if the proxy setting is correct? Is there a workaround to go pass the proxy? Or any other way to get me going to create a simple maven project at the least?
Thanks