Ansible jenkins_plugin module returns "HTTP Error 403: No valid crumb was included in the request"

Problem description

I am using Ansible (v 2.8) as the provisioner behind a Packer template to build an AMI for a Jenkins master node. For previous versions, the playbook passed successfully. However, as of Jenkins version 2.176.3, the jenkins_plugin module has been throwing "HTTP Error 403: No valid crumb was included in the request" errors.

I have retrieved the crumb and registered it in a variable. I have tried passing it to jenkins_plugin with the http_agent field, but that doesn't work. I tried using attributes, but that didn't help either. Unless I am missing something incredibly basic, I am at the end of my tether.

- name:               Get Jenkins Crumb
  uri:
    force_basic_auth: yes
    url_username:     ****
    url_password:     ****
    url:              http://localhost:8080/crumbIssuer/api/json
    return_content:   yes
  register:           jenkins_crumb
  until:              jenkins_crumb.content.find('Please wait while Jenkins is getting ready') == -1
  retries:            10
  delay:              5

- name:               Install plugin
  jenkins_plugin:
    name:             "{{ item }}"
    version:          latest
    force_basic_auth: yes
    url_username:     ****
    url_password:     ****
    http_agent:       "Jenkins-Crumb:{{ jenkins_crumb.json.crumb }}"
  with_items:         "{{ jenkins_plugins }}"

I expected installed plugins and a happily built AMI. What I got was "HTTP Error 403: No valid crumb was included in the request" and the Packer build failed.

Recommended answer

Looks like a change to the crumb issuer in the 2.176 LTS release forces the inclusion of the web session id of the initial token generation call along with the crumb in subsequent calls that use said crumb.

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.

In addition to the suggestion that you temporarily disable CSRF, the same doc suggests that you could only disable the new functionality, rather than CSRF as a whole, which should allow your packer/ansible to complete as it previously did, as-written.

To disable this improvement you can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true.

Adding the following line in /etc/default/jenkins cleared the CSRF issues in my own playbook (Ansible 2.8.4, Ubuntu 18.04, OpenJDK 11.0.4)

JAVA_ARGS="$JAVA_ARGS -Dhudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true"

Might be a good-enough crutch until tool maintainers catch up with the API changes.
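
The session binding quoted above, as an added example that is not part of the original answer or of Jenkins: a constructed local stand-in for a crumb issuer shows the same crumb rejected with 403 when the client drops the session cookie and accepted when it keeps it. The cookie name JSESSIONID, the path /hypothetical/action and the MockIssuer class are assumptions made for the illustration.

```python
# Constructed mock of a session-bound crumb issuer; illustrative, not Jenkins code.
import json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
CRUMBS = {}  # session id -> crumb issued inside that session

class MockIssuer(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # silence per-request logging
    def _session(self):  # session id from the Cookie header, "" if absent
        return self.headers.get("Cookie", "").partition("JSESSIONID=")[2].split(";")[0]

    def _reply(self, code, body, sid=None):
        self.send_response(code)
        if sid:
            self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):  # crumb issuer: the crumb is bound to the session cookie
        sid = self._session() or secrets.token_hex(8)
        CRUMBS[sid] = secrets.token_hex(16)
        body = {"crumbRequestField": "Jenkins-Crumb", "crumb": CRUMBS[sid]}
        self._reply(200, json.dumps(body).encode(), sid)

    def do_POST(self):  # protected action: crumb must match the session's crumb
        expected = CRUMBS.get(self._session())
        sent = self.headers.get("Jenkins-Crumb", "")
        ok = expected is not None and secrets.compare_digest(expected, sent)
        self._reply(200 if ok else 403, b"ok" if ok else b"No valid crumb was included in the request")

def post_with_crumb(base, keep_session):
    direct = urllib.request.ProxyHandler({})  # ignore proxy environment variables
    session = urllib.request.build_opener(direct, urllib.request.HTTPCookieProcessor())
    stateless = urllib.request.build_opener(direct)  # no cookie jar: session id is lost
    crumb = json.load(session.open(base + "/crumbIssuer/api/json"))
    req = urllib.request.Request(base + "/hypothetical/action", data=b"",
                                 headers={crumb["crumbRequestField"]: crumb["crumb"]})
    try:
        return (session if keep_session else stateless).open(req).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockIssuer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    results = post_with_crumb(base, False), post_with_crumb(base, True)
    server.shutdown()
    return results
```

Calling demo() returns the status of the stateless POST followed by the status of the POST that reused the session cookie.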
