mohamicorp / stash-jenkins-postreceive-webhook

Webhook used to notify Jenkins when commits are made to Stash

Fails if Jenkins server "anonymous" doesn't have read permission #105

Open bobbradley opened 9 years ago

bobbradley commented 9 years ago

My Jenkins server has anonymous access completely blocked since I don't want people to see anything about my Jenkins instance. If I try to use the Stash Webhook to Jenkins, it always fails because it seems to require read access (Trigger button shows an error about lacking hudson.model.Hudson.Read).

That seems reasonable except if I use the Jenkins CI service with GitLab, it is able to trigger my Jenkins build successfully without needing any authentication. I set up a token in Jenkins and then use build?token= to trigger builds. I tried the same thing in the Stash Webhook for Jenkins, but it still fails.

It would be great if the Stash Webhook for Jenkins could trigger a build for a Jenkins server without needing read access to it similar to the way the Jenkins CI service for GitLab works.

mikesir87 commented 9 years ago

To make sure I understand correctly, by you adding the token, it works in GitLab, but it fails in Jenkins?

bobbradley commented 9 years ago

No, when using the token in GitLab, it works completely (i.e. GitLab change triggers Jenkins to start building). But when using Stash and the Stash Webhook for Jenkins, I get an error on the Stash side (e.g. clicking the Trigger button in the Stash Webhook for Jenkins settings) because Jenkins is rejecting it.

bobbradley commented 9 years ago

I mentioned the GitLab case because GitLab's Jenkins CI seems to be doing something that makes this work from GitLab. But in my case, I'm using Stash for my git repo.

ghost commented 9 years ago

I can confirm that Stash is not able to contact the Jenkins CI if it does not have anonymous access and there's no way for the webhook to use the token.

jangoolie commented 8 years ago

I have a similar problem. All the web services at my workplace are authenticated using Kerberos/SPNEGO including Jenkins. SPNEGO auth is well supported in Java so the right way to solve this would be to issue a service principal for Stash and then have the webhooks plugin authenticate using a keytab. If support were to be added for using an API key to authenticate then it's probably a good idea to make the authentication framework generic and reusable. If the auth code is extensible I could submit a pull request to extend it to also support SPNEGO with a keytab.

EDIT: If anyone is curious my work-around for this was to connect Jenkins/Stash to a separate VLAN that only they are connected to and then modify the host files on those servers so they talk to each other over the 'unauthenticated backplane' rather than the regular data network.