
Adding cli_ssh_keyfile parameter to specify the location of a private key #352

Merged
merged 1 commit into from
Aug 8, 2015


kevinhankens
Contributor

Greetings! This patch allows the user to specify a key when issuing cli commands. This will prevent things like jenkins::cli::reload from being run as the anonymous user, which breaks if you want to use a restrictive permission scheme.

This might also solve #259.

@jenkinsadmin

Thank you for a pull request! Please check this document for how the Jenkins project handles pull requests

@rtyler rtyler added this to the 1.5.0 - Jennings milestone Aug 8, 2015
rtyler pushed a commit that referenced this pull request Aug 8, 2015
Adding cli_ssh_keyfile parameter to specify the location of a private key
@rtyler rtyler merged commit 9c39706 into voxpupuli:master Aug 8, 2015
@rtyler

rtyler commented Aug 8, 2015

Looks good to me @kevinhankens!

@claflico

Can we get an example on how to use this? I added a local & jenkins user, copied that user's id_rsa.pub into jenkins and specified their private key using this variable but puppet runs keep failing. I get "Authentication failed. No private key accepted" when I run the command by hand.

I've tried it with the security_level set at both full_control & unsecured.

@leshiynyc

Having the same issue:

  class { '::jenkins':
    executors => 5,
  }

  file { '/var/lib/jenkins/.ssh/id_rsa.pub':
    ensure => present,
    owner  => 'jenkins',
    group  => 'jenkins',
    mode   => '0644',
    source => "puppet:///modules/profile/jenkins/id_rsa.pub",
  }

  class { '::jenkins::cli_helper':
    ssh_keyfile => '/var/lib/jenkins/.ssh/id_rsa',
  }

  class { '::jenkins::security':
    security_model => full_control,
  }

It fails with

Error: /usr/bin/java -jar /usr/lib/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 -i /var/lib/jenkins/.ssh/id_rsa groovy /usr/lib/jenkins/puppet_helper.groovy set_security full_control returned 255 instead of one of [0]
Error: /Stage[main]/Jenkins::Security/Jenkins::Cli::Exec[jenkins-security-full_control]/Exec[jenkins-security-full_control]/returns: change from notrun to 0 failed: /usr/bin/java -jar /usr/lib/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 -i /var/lib/jenkins/.ssh/id_rsa groovy /usr/lib/jenkins/puppet_helper.groovy set_security full_control returned 255 instead of one of [0]

If you run it on the CLI:

  /usr/bin/java -jar /usr/lib/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 -i /var/lib/jenkins/.ssh/id_rsa groovy /usr/lib/jenkins/puppet_helper.groovy set_security full_control
Authentication failed. No private key accepted.
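
A local check for the key file passed with `-i` in the command above: it verifies that the private key carries no group/other permission bits and that it actually pairs with the deployed public key file. This is an added example, not part of the thread or of the module; the helper name `check_cli_key` and its return codes are made up here, and it assumes GNU `stat` and OpenSSH's `ssh-keygen`.

```bash
#!/usr/bin/env bash
# Added example: local checks on the key pair used with `jenkins-cli.jar -i`.
# Nothing here contacts Jenkins. Assumes GNU stat and OpenSSH ssh-keygen.

# check_cli_key PRIVATE_KEY PUBLIC_KEY   (hypothetical helper name)
# Return codes (chosen for this example):
#   0 pair matches, 1 file missing/unreadable, 2 private key mode too open,
#   3 private key unparsable or passphrase-protected, 4 keys do not pair.
check_cli_key() {
  local priv="$1" pub="$2" mode derived expected

  if [ ! -r "$priv" ] || [ ! -r "$pub" ]; then
    echo "missing or unreadable: $priv / $pub" >&2
    return 1
  fi

  # The private key should carry no group/other permission bits.
  mode=$(stat -c '%a' "$priv") || return 1
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "$priv has mode $mode, expected 600 or stricter" >&2
    return 2
  fi

  # Derive the public half from the private key. -P '' supplies an empty
  # passphrase so an encrypted key fails here instead of prompting.
  derived=$(ssh-keygen -y -P '' -f "$priv" 2>/dev/null | awk '{print $1, $2}')
  if [ -z "$derived" ]; then
    echo "$priv is not a usable unencrypted private key" >&2
    return 3
  fi

  # Compare key type and base64 blob only; the trailing comment may differ.
  expected=$(awk 'NR == 1 {print $1, $2}' "$pub")
  if [ "$derived" != "$expected" ]; then
    echo "$pub is not the public half of $priv" >&2
    return 4
  fi

  echo "ok: $priv pairs with $pub"
}

# Stand-alone use: ./check_cli_key.sh /path/to/private /path/to/public
if [ "$#" -eq 2 ]; then
  check_cli_key "$1" "$2"
fi
```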

@kevinhankens
Contributor Author

Here's what I'm using:

  class { 'jenkins':
    require         => [
      User['jenkins'],
      File['/var/lib/jenkins/.ssh/jenkins_cli'],
    ],
    cli             => true,
    cli_ssh_keyfile => '/var/lib/jenkins/.ssh/jenkins_cli',
    install_java    => false,
  }

Make sure that the cli_ssh_keyfile resource is specified for the 'jenkins' class and it /should/ work.

@leshiynyc

@kevinhankens

If I do:

  class { '::jenkins':
    require         => [ User['jenkins'], File['/var/lib/jenkins/.ssh/id_rsa'], ],
    cli             => true,
    cli_ssh_keyfile => '/var/lib/jenkins/.ssh/id_rsa',
    install_java    => false,
    executors       => 5,
  }

It fails with a dependency cycle

(Anchor[jenkins::begin] => Class[Jenkins::Package] => Package[jenkins] => User[jenkins] => Class[Jenkins] => Anchor[jenkins::begin])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz

That goes away if require is removed.

It does not fix the previous problems I had, though.

@kevinhankens
Contributor Author

Sorry, I should have been more specific. I create the jenkins user myself and then place the key, so that's where the require comes from. So, unless you are creating the jenkins unix user yourself, you won't need that require at all.

For the authentication failure, I suspect that the jenkins service might need to be restarted before the key auth will work. I don't know the jenkins internals at all, but if you restart the jenkins service after the key is in place, will the puppet run succeed?

@leshiynyc

@kevinhankens thanks for the help, but still no luck here. Going to try and dig some more.

@AAlvz

AAlvz commented Sep 24, 2015

@kevinhankens did you find a way to use it with Hiera? Without the require of the key file this won't work afaik.

@kevinhankens
Contributor Author

I actually haven't tried it with hiera. The only thing I had to do was
restart the jenkins service before I could run the cli with the provided
key. I did that with an exec before running cli commands.


@ltutar

ltutar commented Jun 13, 2016

See #602
