Enabling Jenkins Security Blocks Github Webhook <404 Error>


Jonathan Cope

Apr 7, 2014, 6:35:03 PM
to jenkins...@googlegroups.com
Github webhooks can't access the webhook url when security is enabled, preventing the build job from being activated. The issue starts immediately upon enabling security, but the jobs that pull from github repos can still be run manually from the CI server and will succeed. With security turned off, there's no issue... other than having zero security.

Sec. Settings:
-Security Realm: Jenkins’ own user database + Allow Users to sign up
-Authorization: Matrix-based security

Plugins:
-Git Plugin
-Git Client Plugin

Git Response Error:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /job/my-job/build. Reason:
<pre>    Not Found</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>

I've been poking around the settings for a while now but haven't turned up anything that looks suspicious.

Marius Gedminas

Apr 8, 2014, 2:32:56 AM
to jenkins...@googlegroups.com
On Mon, Apr 07, 2014 at 03:35:03PM -0700, Jonathan Cope wrote:
> Github webhooks can't access the webhook url when security is enabled,
> preventing the build job from being activated.

Sounds familiar. https://issues.jenkins-ci.org/browse/JENKINS-20140?

> The issue starts immediately upon enabling security but the jobs that
> pull from github repos can still be run manually from the CI server
> and will succeed. With security turned off, there's no issue....other
> than having zero security.
>
> Sec. Settings:
> -Security Realm: Jenkins’ own user database + Allow Users to sign up
> -Authorization: Matrix-based security
>
> Git Response Error:
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 404 Not Found</title>
> </head>
> <body><h2>HTTP ERROR 404</h2>
> <p>Problem accessing /job/my-job/build. Reason:
> <pre> Not Found</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>

Hm, the error I linked to returns 403, IIRC.

> I've been poking around the settings for a while now but haven't turned up
> anything that looks suspicious.

I use Jenkins 1.558 with matrix-based security enabled. GitHub webhook
plugin works fine, once I turned off CSRF prevention. My security
matrix grants Overall and Job Read to Anonymous.

Marius Gedminas
--
"question = (to) ? be : !be;" -- Shakespeare

Jonathan Cope

Apr 8, 2014, 5:05:17 PM
to jenkins...@googlegroups.com
> > My security matrix grants Overall and Job Read to Anonymous.

That did the trick. After some fidgeting with anon permissions, the following allowed git to push the build.

Overall:
+read

and

Jobs:
+configure
+read
+build

Kevin Fleming (BLOOMBERG/ 731 LEXIN)

Apr 8, 2014, 5:18:12 PM
to jenkins...@googlegroups.com
You are allowing 'anonymous' to configure your jobs? That sounds quite bad.

Jon Cope

Apr 9, 2014, 2:25:33 PM
to jenkins...@googlegroups.com
Ah, no. Apologies, forgot to remove that. Initially I had it enabled as disabling it seemed to break the webhook feature. Today with Jobs:configure off, it seems to work fine.

To clarify - Jobs: Read, Build | Overall: read

Kevin Fleming (BLOOMBERG/ 731 LEXIN)

Apr 9, 2014, 3:07:17 PM
to jenkins...@googlegroups.com
Keep in mind that this will allow anyone to kick off builds of your jobs if they can reach your Jenkins web interface. This may not be a concern for you, but something to think about.

Jon Cope

Apr 9, 2014, 3:44:03 PM
to jenkins...@googlegroups.com
I agree that it's not a great solution but it'll get me by while I search for a more favorable one. Is there another way to utilize the webhook feature without enabling any anon privileges?

Kevin Fleming (BLOOMBERG/ 731 LEXIN)

Apr 9, 2014, 3:47:46 PM
to jenkins...@googlegroups.com
I was never able to find one. I suspect that what will be required is some sort of 'token' that can be embedded into the webhook URL and will provide rudimentary authentication to Jenkins, but I have no idea if there is any mechanism today to provide that.

Marius Gedminas

Apr 10, 2014, 6:55:15 AM
to jenkins...@googlegroups.com
On Wed, Apr 09, 2014 at 03:44:03PM -0400, Jon Cope wrote:
> I agree that it's not a great solution but it'll get me by while I
> search for a more favorable one. Is there another way to utilize the
> webhook feature without enabling any anon privileges?

I'm using it fine without allowing anonymous users to start builds.

For extra security you can put a front-end web server (like Apache) in
front of your Jenkins and disallow unauthenticated access, with the sole
exception of /github-webhook.

https://wiki.jenkins-ci.org/display/JENKINS/GitHub+Plugin#GitHubPlugin-SecurityImplications
claims this is safe.

Marius Gedminas
--
IBM motto: "We found five vowels hiding in a corner, and we used
them _all_ for the 'eieio' instruction so that we wouldn't have to use
them anywhere else"
-- Linus Torvalds
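A concrete form of the front-end gate Marius describes above, as an added example that is not from this thread or from the Jenkins project: an Apache httpd 2.4 virtual host that demands HTTP Basic authentication at the proxy for every path except the GitHub plugin's /github-webhook/ endpoint, which is instead limited to a source-address range. The hostname, certificate paths, backend address, htpasswd file and the 203.0.113.0/24 range are placeholders (substitute GitHub's currently published hook source ranges for the last one).

```apache
# Added example, not from the thread or the Jenkins project.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_authn_file,
# mod_authz_core. All hostnames, paths and addresses below are placeholders.
<VirtualHost *:443>
    ServerName jenkins.example.com
    SSLEngine on
    # Placeholder certificate paths; TLS keeps the Basic credentials off the wire.
    SSLCertificateFile    /etc/ssl/certs/jenkins.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/jenkins.example.com.key

    ProxyRequests Off
    ProxyPreserveHost On
    # Jenkins URLs can contain encoded slashes; pass them through untouched.
    AllowEncodedSlashes NoDecode
    RequestHeader set X-Forwarded-Proto "https"

    # Most specific mapping first; nocanon leaves the URL as Jenkins expects it.
    ProxyPass        /github-webhook/ http://127.0.0.1:8080/github-webhook/ nocanon
    ProxyPassReverse /github-webhook/ http://127.0.0.1:8080/github-webhook/
    ProxyPass        /                http://127.0.0.1:8080/ nocanon
    ProxyPassReverse /                http://127.0.0.1:8080/

    # Default rule: nothing reaches Jenkins without proxy-level credentials.
    # Jenkins' own security realm and matrix stay enabled behind this gate.
    <Location />
        AuthType Basic
        AuthName "Jenkins"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/jenkins.htpasswd
        Require valid-user
    </Location>

    # The single exception: the webhook receiver. With AuthMerging at its
    # default (Off) this Require replaces the parent's, so no credentials are
    # demanded here, but only the listed source range may reach the endpoint.
    <Location /github-webhook/>
        Require ip 203.0.113.0/24
    </Location>
</VirtualHost>
```

This adds a second gate in front of Jenkins rather than replacing its own security; the Jenkins matrix still decides what an anonymous request to the hook endpoint is allowed to do once it gets through.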