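Building Jenkins jobs through the API, with error explanations (10)
Building Jenkins jobs through the API, with error explanations 20211016
Version: Jenkins 2.303.1
Fixing Jenkins 403 "No valid crumb was included in the request"
Error list
1. The API request returns an error even though the CSRF proxy setting is already turned off
# The API request returns an error even though the CSRF proxy setting is already turned off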
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403 No valid crumb was included in the request</h2>
<table>
<tr><th>URI:</th><td>/jenkins/job/BTest/build</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>No valid crumb was included in the request</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.42.v20210604</a><hr/>
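2. Error caused by a wrong account password; supplying the correct password fixes it
# Error caused by a wrong account password; supplying the correct password fixes it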
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 401 Unauthorized</title>
</head>
<body><h2>HTTP ERROR 401 Unauthorized</h2>
<table>
<tr><th>URI:</th><td>/jenkins/job/BTest/build</td></tr>
<tr><th>STATUS:</th><td>401</td></tr>
<tr><th>MESSAGE:</th><td>Unauthorized</td></tr>
<tr><th>SERVLET:</th><td>Stapler</td></tr>
</table>
<hr><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.42.v20210604</a><hr/>
</body>
</html>
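Working out how to solve the first error:
I want to use a webhook to send a POST request to Jenkins, but it returns a 403 error. One workable solution is to add the crumb to the request headers.
The error message says the request did not include a crumb, but it still fails after the crumb is added, so I suspect a problem with Jenkins's own permission check.
Some people online also solve this kind of problem by modifying the source code.
Others configure CSRF directly (but I could not get that to work):
https://stackoverflow.com/questions/44711696/jenkins-403-no-valid-crumb-was-included-in-the-request/54750559#54750559
The fix I ended up with came from a reply found online:
From the article: https://coderedirect.com/questions/191379/jenkins-403-no-valid-crumb-was-included-in-the-request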
A simple solution without need of making changes to source code (validated with Jenkins v2.222):
Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)
A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.
Friday, August 6, 2021
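- Older Jenkins versions let you turn off cross-site request forgery protection; newer versions use the crumb
I. First solution
1. Install the plugin: Strict Crumb Issuer
Manage Jenkins -> Configure Global Security -> CSRF Protection: select the Strict Crumb Issuer plugin and turn off "Check the session ID"
2. Fetch the crumb value with a GET request
Fetch just the crumb:
curl -u 'admin:password' "http://jenkins-url:/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)"
Alternatively, send the following request and read the crumb from the result: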
curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user :
#
* About to connect() to 120.76.245.243 port 8080 (#0)
* Trying 120.76.245.243...
* Connected to 120.76.245.243 (120.76.245.243) port 8080 (#0)
* Server auth using Basic with user 'genekangit'
> GET /crumbIssuer/api/json HTTP/1.1
> Authorization: Basic Z2VuZWthbmdpdDp2ZVlqKmwrcjc5Wjc4a1VNZCYwQGZURlcpc2hnbz0mSg==
> User-Agent: curl/7.29.0
> Host: 120.76.245.243:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 15 Oct 2021 15:05:52 GMT
< X-Content-Type-Options: nosniff
< X-Jenkins: 2.303.1
< X-Jenkins-Session: 8470ef97
< X-Frame-Options: deny
< Content-Type: application/json;charset=utf-8
< Set-Cookie: JSESSIONID.cf0e1294=node01e3god9uq9b2s1iixrqdss0ts8219.node0; Path=/; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Length: 163
< Server: Jetty(9.4.42.v20210604)
<
* Connection #0 to host 120.76.245.243 left intact
{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3",
"crumbRequestField":"Jenkins-Crumb"
}
3. Run a job's build directly with a POST request
Paste the crumb obtained in step 2 into the following command:
curl -X POST http://jenkins-url:8080/job//build --user : -H 'Jenkins-Crumb: 393fbcc5b1671544b571fd667e53e20d7aa6459331ed8c8ea43a268a12d6dad3'
Detailed steps:
- You have to install the plugin called “Strict Crumb Issuer”
- Once installed, restart the Jenkins service
- Go to “Manage Jenkins” --> “Configure Global Security” --> under CSRF Protection, select “Strict Crumb Issuer” from the drop-down list --> click on Advanced and uncheck everything but select the “Prevent Breach Attack” option --> Apply and save.
- Now run your crumb script.
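One way to get past the 403 while leaving "Check the session ID" enabled, as an added example that is not code from the original post: Jenkins issues the crumb together with a session cookie (the Set-Cookie: JSESSIONID line in the trace above), so the POST has to send that cookie back along with the crumb. JENKINS_URL, JENKINS_USER and JENKINS_PASS are assumed environment variables, and the sample JSON body is constructed.

```shell
#!/bin/sh
# Added example: JENKINS_URL, JENKINS_USER and JENKINS_PASS are placeholder
# environment variables, not values from the page.

# Turn a crumbIssuer/api/json body into a "Field: value" request header.
crumb_header() {
  field=$(printf '%s\n' "$1" |
    sed -n 's/.*"crumbRequestField"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  crumb=$(printf '%s\n' "$1" |
    sed -n 's/.*"crumb"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$field" ] && [ -n "$crumb" ] || return 1
  printf '%s: %s' "$field" "$crumb"
}

# Fetch a crumb and trigger a build inside the same web session.
trigger_build() {
  job="$1"
  jar=$(mktemp) || return 1
  # -c stores the JSESSIONID cookie that Jenkins sets along with the crumb
  body=$(curl -sS -f -c "$jar" -u "$JENKINS_USER:$JENKINS_PASS" \
    "$JENKINS_URL/crumbIssuer/api/json") || { rm -f "$jar"; return 1; }
  header=$(crumb_header "$body") || { rm -f "$jar"; return 1; }
  # -b replays that cookie, so the crumb arrives in the session it was issued for
  code=$(curl -sS -o /dev/null -w '%{http_code}' -b "$jar" \
    -u "$JENKINS_USER:$JENKINS_PASS" -H "$header" \
    -X POST "$JENKINS_URL/job/$job/build")
  rm -f "$jar"
  printf '%s\n' "$code"
  [ "$code" = 201 ]   # 201 is the status the page expects for a started job
}

# Constructed sample body, same shape as the crumbIssuer response shown above
SAMPLE='{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"0123abcd","crumbRequestField":"Jenkins-Crumb"}'
```

Call it as `trigger_build BTest` after exporting the three variables; the cookie jar is a temporary file that is deleted once the POST has been sent.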
II. Second solution
1. Add a token in the user settings
I solved this by using API TOKEN as a basic authentication password. Here is how
Note: To Create the API TOKEN under Accounts icon -> configure -> API Token -> Add New token
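2. Start the job with a POST request
2.1 With parameters
curl -v -X POST "http://jenkins-url:8080/job//buildWithParameters?param=value" --user :
2.2 Without parameters
curl -X POST http://jenkins-url:8080/job//build --user :
3. Start a job by calling the Jenkins API remotely (OK)
Job name: jobName
Remote API address: http://host:8080/job/jobName/build
Request method: POST
How to supply the username and password: username:password@hostname:port ....
Expected result:
The job starts
The service returns HTTP status 201
Opening the remote build API directly in a browser produces an error: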
http://120.76.245.243:8080/job//build
Official message:
You must use POST method to trigger builds. (From scripts you may instead pass a per-project authentication token, or authenticate with your API token.) If you see this page, it may be because a plugin offered a GET link; file a bug report for that plugin.
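Roughly: this request must use the POST method and needs to pass authentication or token verification; also, the GET you submitted is wrong.
4. Get the latest build number by calling the Jenkins API remotely (OK)
Job name: jobName
Remote API address: http://host:8080/job/jobName/lastBuild/buildNumber
Request method: GET
How to supply the username and password: username:password@hostname:port ....
Expected result:
The job starts
The service returns HTTP status 201
5. Query the build status by calling the Jenkins API remotely (OK)
Job name: jobName
Remote API address: http://host:8080/job/jobName/<build number>/api/json
Request method: GET
How to supply the username and password: username:password@hostname:port ....
Expected result:
Build details as JSON
The service returns HTTP status 200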
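Steps 3 to 5 chained into one script, as an added example that is not code from the original post. It authenticates with an API token as in the second solution, and instead of reading lastBuild/buildNumber it follows the queue item named in the Location header of the 201 response, so it reports the build that this request started. JENKINS_URL, JENKINS_USER and JENKINS_TOKEN are assumed environment variables, and the `tree` query parameter is used to keep the JSON small.

```shell
#!/bin/sh
# Added example: JENKINS_URL, JENKINS_USER and JENKINS_TOKEN are placeholder
# environment variables; the API token is used as the Basic-auth password.

# Queue-item URL from the response headers of POST .../build.
queue_url() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n 's/^[Ll]ocation:[[:space:]]*//p' | head -n 1
}

# Value of one scalar field in a small JSON body (string, number or null).
json_field() {
  printf '%s\n' "$1" |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p' |
    head -n 1
}

# Trigger a build, follow it from the queue, print "<number> <result>".
build_and_wait() {
  job="$1"; auth="$JENKINS_USER:$JENKINS_TOKEN"; tries=0
  hdrs=$(curl -sS -f -D - -o /dev/null -u "$auth" -X POST \
    "$JENKINS_URL/job/$job/build") || return 1
  item=$(queue_url "$hdrs"); [ -n "$item" ] || return 1
  num=""; result="null"
  while [ "$result" = null ] || [ -z "$result" ]; do
    tries=$((tries + 1)); [ "$tries" -le 300 ] || return 1  # stop after ~10 min
    sleep 2
    if [ -z "$num" ]; then
      # the queue item gains executable.number once the build has started
      num=$(json_field "$(curl -sS -f -g -u "$auth" \
        "${item%/}/api/json?tree=executable[number]")" number)
      continue
    fi
    # result stays null while the build is still running
    result=$(json_field "$(curl -sS -f -u "$auth" \
      "$JENKINS_URL/job/$job/$num/api/json?tree=result")" result)
  done
  printf '%s %s\n' "$num" "$result"
  [ "$result" = SUCCESS ]
}
```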
6. The jenkinsapi library
pip install jenkinsapi
from jenkinsapi.jenkins import Jenkins
jk = Jenkins(url, username, password, useCrumb=True)
7. API summary
API home page: http://127.0.0.1:8080/api/
7.1 Project API
Get project information
Endpoint: http://127.0.0.1:8080/job/{jobName}/api/json
Method: GET
7.2 Get project build information
Endpoint: http://127.0.0.1:8080/job/{jobName}/{buildNumber}/api/json
Method: GET
7.3 Get the project configuration
Endpoint: http://127.0.0.1:8080/job/{jobName}/config.xml
Method: GET
7.4 Create a project
Endpoint: http://127.0.0.1:8080/createItem?name={projectName}
Parameters: --data-binary @config.xml
Header: -H "Content-Type:text/xml"
Method: POST
7.5 Disable a project
Endpoint: http://127.0.0.1:8080/job/{jobName}/disable
Method: POST
7.6 Enable a project
Endpoint: http://127.0.0.1:8080/job/{jobName}/enable
Method: POST
7.7 Delete a project
Endpoint: http://127.0.0.1:8080/job/{jobName}/doDelete
Method: POST
7.8 Build a project
Endpoint: http://127.0.0.1:8080/job/{jobName}/build
Method: POST
Note: a token or user authentication must be supplied
Request: curl -X POST http://127.0.0.1:8080/job/{jobName}/build --user admin:apiToken
7.9 Parameterized build
Endpoint: http://127.0.0.1:8080/job/{jobName}/buildWithParameters
Method: POST