Login/Register
Jenkins Slave 403 although Anonymous Slave connect has been enabled
Asked Answered
securityjenkinsslave
L

1

7

We are using a Jenkins Master and Slave (both Linux) type setup. Recently upgraded to LTS version and for some reason Slaves connects to Master only when Anonymous is given Admin privileges.

I have read the posts about providing Anonymous slave connect privileges but I receive a 403 request forbidden error when I try that.

The only way around for this is to provide Anonymous Admin privileges (which is risky) save it and then go back to Manage Jenkins > Configure Security > Remove Anonymous Admin > Add Slave connect privileges. The issue in doing this workaround is, I get the same 403 error when slave restarts until I give Anonymous admin privileges.

I have tried laying down a new slave.jar that didn’t help.

We are using a LDAP Bind account, is there an easy fix to this 403 issue without having to enter the bind password again (which we recently did after the Jenkins upgrade)

Larrylars answered 5/7, 2014 at 18:26 Comment(1)
Did you get any solution for this ? I am facing the similar issue nowJordan
T
2

Nothing like an answer 1.5 years later but I just ran across this!

The way I handled this is with the Role-Based Strategy plugin.

Summary

The basics are:

  1. Add and enable the Role-Based Strategy plugin
  2. Create a global group swarmclient
  3. Grant the swarmclient group the slave privileges only
  4. I currently allow the Anonymous group to be in the swarmclient group.
    • In the future I will probably deny swarmclient privileges for the Anonymous group and will instead create accounts in the swarmclient group.

Details

In Manage Jenkins > Configure Global Security > Authorization, enable Role-Based strategy.

enable Role-Based Strategy

In Manage Jenkins > Manage Roles > Manage and Define Roles I added "swarmclient" to the global roles. Give this group Create permissions in the slave section of the global settings:

swarmclient global group privileges

In newer versions of Jenkins the term "Slave" is replaced by "Agents"

Then in Manage Jenkins > Manage Roles > Assign Roles you add the Anonymous group to the swarmclient group:

assign Anonymous to swarmclient group

And finally, as mentioned above, if you want some restrictions on the machines that can connect as a swarm client, just:

  1. create user(s) for the swarm
  2. add them to the swarmclient group
  3. remove swarmclient permissions (on the Assign Roles) page from the Anonymous group.
Toilsome answered 18/3, 2016 at 17:40 Comment(3)
many thanks for the shared solution, @Damon. However I am still getting the 403 Jenkins error. In item 3. you say remove swarmclient permissions, however on the image the checkmark is set, so one should rather set the checkmark? also could you supply the swarm client CLI invocation, please? maybe -name argument is important and should match some pattern, etc?Compound
a memo for me and a hint for others: one could simulate swarm's "-master jenkins.url" option with curl jenkins.tld/plugin/swarm/slaveInfo -o - --trace /tmp/debug.txt and get some additional info that is not available from swarm client. Alpine 3.3 wget is a flattened BusyBox verision, so, e.g. curl should be installed :)Compound
This plugin helped a lot. I just don't like the idea, that some of the UI is visible to the public. Even if restricted and no sensitive information is visible.Descendant

© 2022 - 2024 — McMap. All rights reserved.