Reputation: 11588
Jenkins: 'Trigger Builds Remotely' with ?token not working when Matrix Authorization Strategy is used
I'm having a problem with triggering builds in Jenkins with authentication enabled and wondering if anyone has ideas.
I have Global Security configured to use LDAP with "Project-based Matrix Authorization Strategy" enabled. The "Anonymous" user has the "Job > Build" privilege, and no other privileges (in particular, the "Anonymous" user does NOT have "Overall > Read" privilege, since I don't want everyone to be able to view the list of jobs and other general information).
I want an automated script to be able to trigger a build using the "Trigger Builds Remotely" feature, where I specify a ?token=[token] value in the URL and the standard authentication should be bypassed, as long as the [token] value matches the one I set in the job's Configure page. The goal is to NOT need to provide a regular username/password in the request but simply provide the token for this specific job.
The documentation seems to indicate this should work:
https://wiki.jenkins-ci.org/display/JENKINS/Quick+and+Simple+Security
So specifically, I am expecting this HTTP request to work:
curl -i https://jenkinsHost/job/ProjectName/build?token=test
But I get:
[~]$ curl -i https://jenkinsHost/job/ProjectName/build?token=test
HTTP/1.1 403 Forbidden
Date: Sat, 27 Apr 2013 23:17:03 GMT
Server: Winstone Servlet Engine v0.9.10
Content-Type: text/html;charset=UTF-8
Content-Length: 629
X-Powered-By: Servlet/2.5 (Winstone/0.9.10)
Set-Cookie: JSESSIONID.e9bc4765=e1f0a30b9f04b3740bae527a7822b2d5; Path=/; HttpOnly
Connection: close
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fjob%2FProjectName%2Fbuild%3Ftoken%3Dtest'/>
<script>
window.location.replace('/login?from=%2Fjob%2FProjectName%2Fbuild%3Ftoken%3Dtest');</script>
</head>
<body style='background-color:white; color:white;'>
Authentication required
</body></html>
When I DO use API authentication, the request works:
curl --username "test_user:API_KEY" https://hostname/job/ProjectName/build?token=test
But again, according to the documentation I think it is supposed to bypass the global authentication if ?token is present and matches the project token I configure. Why is this not working? What other information/logs can I provide?
Upvotes: 26
Views: 34380
Answers (2)
Reputation: 857
Example for using the "Build Authorization Token Root" plugin with POST:
wget --post-data="job=MyJob&token=SECRET&MyParameter=hello" http://servername/jenkins/buildByToken/buildWithParameters
note that "Trigger Builds Remotely" must be activated for this job (with authorization token "SECRET")
Upvotes: 0
Reputation: 6513
There's a new plugin that allows you to do that even when Jenkins prohibits anonymous read access:
Use:
$ curl 'http://jenkins/buildByToken/build?job=jobname&token=mytoken'
Scheduled.
Likewise with buildWithParameters.
Upvotes: 41
Related Questions
- Parameterized Remote Trigger plugin doesn't respect Build Token Root
- How do I add authToken for "Trigger builds remotely" to job's config.xml
- Parameterized remote job via triggerRemoteJob() function using Tokens
- Jenkins "Trigger builds remotely" > "Authentication Token" option missing
- Jenkins Trigger builds remotely
- Authenticate with remote jenkins using CLI
- Unable to login to Jenkins after enabling matrix based authentication in Jenkins
- How to trigger Jenkins builds remotely using URL with parameters
- jenkins no trigger build remotely option
- Triggering builds remotely in Jenkins