Ansible jenkins_plugin module returns "HTTP Error 403: No valid crumb was included in the request"

Problem description

I am using Ansible (v 2.8) as the provisioner behind a Packer template to build an AMI for a Jenkins master node. For previous versions, the playbook passed successfully. However, as of Jenkins version 2.176.3, the jenkins_plugin module has been throwing:

HTTP Error 403: No valid crumb was included in the request

I have retrieved the crumb and registered it in a variable. I have tried passing it to jenkins_plugin with the http_agent field, but that doesn't work. I tried using attributes, but that didn't help either. Unless I am missing something incredibly basic, I am at the end of my tether.

- name:               Get Jenkins Crumb
  uri:
    force_basic_auth: yes
    url_username:     ****
    url_password:     ****
    url:              http://localhost:8080/crumbIssuer/api/json
    return_content:   yes
  register:           jenkins_crumb
  until:              jenkins_crumb.content.find('Please wait while Jenkins is getting ready') == -1
  retries:            10
  delay:              5

- name:               Install plugin
  jenkins_plugin:
    name:             "{{ item }}"
    version:          latest
    force_basic_auth: yes
    url_username:     ****
    url_password:     ****
    http_agent:       "Jenkins-Crumb:{{ jenkins_crumb.json.crumb }}"
  with_items:         "{{ jenkins_plugins }}"

I expected installed plugins and a happily built AMI. What I got was "HTTP Error 403: No valid crumb was included in the request" and the Packer build failed.

Recommended answer

Looks like a change to the crumb issuer in the 2.176 LTS release forces the inclusion of the web session id of the initial token generation call along with the crumb in subsequent calls that use said crumb.

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.

In addition to the suggestion that you temporarily disable CSRF, the same doc suggests that you could only disable the new functionality, rather than CSRF as a whole, which should allow your packer/ansible to complete as it previously did, as-written.

To disable this improvement you can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true.

Adding the following line in /etc/default/jenkins cleared the CSRF issues in my own playbook (Ansible 2.8.4, Ubuntu 18.04, OpenJDK 11.0.4)

JAVA_ARGS="$JAVA_ARGS -Dhudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true"

Might be a good-enough crutch until tool maintainers catch up with the API changes.
