Open Azarko opened 6 years ago
The token (which can be set per-job) and the 'Enable authentication for /project endpoint' feature are two different things. You don't need to use both.
Does your Multibranch Pipeline project actually trigger in this case? Or do you just get a 200 back when you test? If it triggers, that is a bug; if not, the 200 response is maybe not ideal, but probably happens due to the unique way that Multibranch triggering works.
By the way, see https://github.com/jenkinsci/gitlab-plugin/issues/418#issuecomment-247464294 for a clue about how to configure endpoint authentication.
Hm, now I don't quite understand how this should work.
Enable authentication for /project endpoint
is onhttps://my_gitlab.com/jenkins_sandbox/user-webhook-test
. Test
button return status 200, but not trigger jenkins project; any push to repo also return 200, but jenkins project is triggered and started.So authorization doesn't required. Or I did something wrong?
Thank you.
P.S. Maybe it is ok: I don't found any way to trigger project by webhook in repo that not speficied in project's settings. I mean that if my jenkins project uses gitlab_repo_1, and I set up webhook to this project in gitlab_repo_2, then project not triggers. So if project can be runned just by repos specified in project config, then I think this is enough for security (unauthorized users can't create and modify projects).
This sounds like a bug. Can you test something else please? Create a regular Pipeline job, not a Multibranch Pipeline, and attempt to trigger it with the webhook test and a push to the repo. It should not trigger the build. If that's correct, then this is just broken for Multibranch jobs, and I have a theory as to why.
As for your last question, I am not sure that the plugin will behave that way, and I would not want you to rely on that for security. We should fix this auth issue.
Ok.
I create new Pipeline project: http://my_jenkins.com:8080/job/pipeline_test
.
At job settings: enable Build when a change is pushed to GitLab
(if this option isn't enabled - project not triggers in any case).
http://my_jenkins.com:8080/project/pipeline_test/
.
Test
button and push to repo return 403: Error 403 anonymous is missing the Job/Build permission
.
Job not triggered.http://username:apitoken@my_jenkins.com:8080/project/pipeline_test/
.
Test
button and push to repo return 200 and job triggered successfully.So authorization works on Pipeline projects.
@Azarko OK, I think this is a bug in our support of Multibranch. Unlike the other project types, triggering a Multibranch job just tells Jenkins to reindex branches, and Jenkins decides whether to start a build or not. I guess the auth of the /project end point happens after that. Thanks, this is a bug.
hi, any update?
Issue
Context
Problem description
I have Role-Based authorization Strategy at my jenkins server and users without special permissions can't start any job. I'm install gitlab plugin; at jenkins configuration check
Enable authentication for '/project' end-point
. I'm not install any access tokens or something else, just install plugin and setenable authentication
. On gitlab project I create push-webhook to jenkins multibranch pipeline project, likehttp://jenkins_url:8080/project/test_webhooks/
without secret token.Then I press
Test
button and recieveHook executed successfully: HTTP 200
, but expectedError 403
Also I check it for freestyle project. If I not set secret token at job and webhook settings, after
Test
I recieve:If I set secret token at jenkins freestyle project and not set at webhook settings:
So, how can I set authorization for multibranch pipeline projects like on freestyle projects?