[JIRA] (JENKINS-61375) Cannot disable CSRF


Rocha@Stratovan.com (JIRA)

Mar 6, 2020, 4:28:03 PM3/6/20
to jenkinsc...@googlegroups.com
John Rocha created an issue
 
Jenkins / Task JENKINS-61375
Cannot disable CSRF
Issue Type: Task
Assignee: Unassigned
Attachments: image-2020-03-06-13-25-49-111.png
Components: core
Created: 2020-03-06 21:27
Environment: fedora-20
Jenkins ver. 2.223
Priority: Blocker
Reporter: John Rocha

I have:

  1. Jenkins 2.204.4 running on a Windows 10 machine
  2. Jenkins 2.223 running on a Fedora20 machine
  3. Jenkins 2.204.4 running on a Centos7 machine

The Windows machine triggers jobs on the Fedora20 and Centos7 machines using the "Trigger a remote parameterized job" plugin. This plugin 'triggers' the appropriate job on the Fedora20 and Centos7 machines.

The last time the Fedora20 job successfully ran, "CSRF protection was disabled".

Fedora20's jenkins version was updated and now Fedora20 fails. The output also now shows that "CSRF protection is now enabled."

The Centos7 machine still works, and has CSRF disabled. However, if I enable CSRF on Centos7 I get the failure.

I attempted to disable CSRF on Fedora20, and the option is no longer there. It now looks like this:

There is only one option, setting the crumb issuer to "Default crumb issuer".

 
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

dbeck@cloudbees.com (JIRA)

Mar 8, 2020, 10:19:03 AM3/8/20
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Won't Fix
 

Fix your client to HTTP Basic authenticate using an API token, then you don't need a CSRF crumb and everything just works (and it's been that way since late 2017).

For the short term, there is an "escape hatch" in setting the system property hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to true before Jenkins starts. Note that this might go away in the future. Again, fix whatever clients you're using.

Change By: Daniel Beck
Status: Open -> Closed
Resolution: Won't Fix

Rocha@Stratovan.com (JIRA)

Mar 9, 2020, 10:51:02 AM3/9/20
to jenkinsc...@googlegroups.com
John Rocha commented on Task JENKINS-61375
 
Re: Cannot disable CSRF

Daniel Beck, what do you mean "Fix your client"? I'm just using Jenkins plugins. I don't have a client. I have Jenkins on slave and Jenkins on master. Jenkins on master uses trigger remote parameterized job; for that you give the slave hostname information and the name of the Jenkins job to trigger, and it works. What specifically are you referring to – fix client and HTTP Basic authentication?

dbeck@cloudbees.com (JIRA)

Mar 9, 2020, 11:07:02 AM3/9/20
to jenkinsc...@googlegroups.com
Daniel Beck commented on Task JENKINS-61375
 
Re: Cannot disable CSRF

Jenkins on master uses trigger remote parameterized job

Your client in that case is https://plugins.jenkins.io/Parameterized-Remote-Trigger/

Rocha@Stratovan.com (JIRA)

Apr 21, 2020, 9:26:02 AM4/21/20
to jenkinsc...@googlegroups.com
John Rocha commented on Task JENKINS-61375
 
Re: Cannot disable CSRF

For those of you that stumble upon this issue. It is resolved with a Jenkins configuration change.

There may be other ways to resolve this, but this is how I resolved it.

  1. Configure the remote machine to add a token
    1. Log on to Jenkins as the user that will execute the job (i.e. build user)
    2. Select People
    3. Select your user ID (i.e. build user).
    4. Select Configure
    5. Find the section titled API Token to add a token
      1. Select Add new Token
      2. Select Generate
      3. Copy the token and keep it. This is the only time the token will be in plain text for you to copy.
    6. Select [Save] to save the token with the user

  2. Configure calling machine's remote parameterized interface to use this token
    1. Log on to Jenkins on the calling machine
    2. Select Manage Jenkins.
    3. Select Configure System.
    4. Scroll down to the section Parameterized Remote Trigger Configuration and find the entry for the remote machine you added a token to in the previous step.
    5. Change Authentication to Token Authentication.
    6. Set the User Name to the correct user (i.e. build user)
    7. Paste the copied token from the previous configuration into the API Token field.
  3. Select [Save]

This should fix the remote parameter calls. It should now work even with CSRF enabled.
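Daniel Beck's advice (HTTP Basic authentication with an API token instead of a CSRF crumb) and the configuration steps above amount to the same thing: the calling side sends the user's API token as Basic credentials, and Jenkins then does not require a crumb on the POST. The following Python client is an added example, not code from this issue or from the Parameterized Remote Trigger plugin; it assumes the standard Jenkins /job/<name>/buildWithParameters endpoint, and the host, job, user and token values are placeholders.

```python
"""Trigger a parameterized Jenkins job using API-token HTTP Basic auth.

Added illustration (not the plugin's code). With Basic auth carrying an
API token, Jenkins exempts the request from the CSRF crumb check, so the
client needs no crumb round-trip and CSRF protection can stay enabled.
Assumption: standard /job/<name>/buildWithParameters endpoint; the token
comes from People -> <user> -> Configure -> API Token, as described above.
"""
import base64
import urllib.parse
import urllib.request


def basic_auth_header(user: str, api_token: str) -> str:
    """Authorization value: 'Basic ' + base64('user:token')."""
    raw = f"{user}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_trigger_request(base_url: str, job: str, params: dict,
                          user: str, api_token: str) -> urllib.request.Request:
    """Prepare the POST that triggers `job` with `params`.

    Deliberately no Jenkins-Crumb header: token-based Basic auth is what
    makes the crumb unnecessary. Use an https:// base_url so the token is
    not sent in clear text on the wire.
    """
    url = (f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job)}"
           "/buildWithParameters")
    body = urllib.parse.urlencode(params).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(user, api_token))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def trigger_remote_job(base_url, job, params, user, api_token, timeout=30):
    """Send the request. Jenkins answers 201 Created with a Location header
    pointing at the queue item when the build is accepted."""
    req = build_trigger_request(base_url, job, params, user, api_token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":
    # Placeholder host and credentials; replace before running for real.
    status, queue_url = trigger_remote_job(
        "https://fedora20.example.invalid", "nightly-build",
        {"BRANCH": "main"}, "build", "<api-token-from-user-configure-page>")
    print(status, queue_url)
```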
