We are using Subversion 1.8.8 and Jenkins 1.509.4 (with the Subversion v2.3 plugin) for our many project builds. Company policy requires authentication, so within Jenkins we are using the LDAP security realm and the project-based security matrix for global and per-project user authorization. Our SVN post-commit hook talks to Jenkins using an LDAP service account created just for this purpose. When implementing this, I realized that in order for the hooks to actually trigger jobs, even with a valid username/password being sent, it was not enough to have that account listed as having full access to Jenkins on the security page; anonymous Job Read access was still required. It was also noted that the service account did not need any explicit access at all. For the jobs in question, polling is enabled. Both an explicit schedule (I tried H 0 1 1 *) and no explicit schedule were tried.
The side-effect of this configuration is that valid users of Jenkins can see every job on the server. This is a problem as this presents users with 200+ jobs, and most users only care about a handful of them.
Is there a configuration that will allow authentication for a post-commit hook, without enabling ANY anonymous access within Jenkins?
For a reference, our post-commit hook looks like this:
#!/bin/sh
# Subversion post-commit hook: notify Jenkins of the new revision.
# Invoked by svn as: post-commit REPOS-PATH REV

SVNLOOK=/usr/bin/svnlook
REPOS="$1"
REV="$2"
UUID=$("${SVNLOOK}" uuid "$REPOS")

# The service-account password comes from a helper script; if the script is
# missing or prints nothing, skip the notification silently.
PW_SCRIPT=/home/ci/bin/get_ci_pw.sh
if [ ! -f "$PW_SCRIPT" ]; then
    exit 0
fi
JENKINS_USER=ci
JENKINS_PW=$("$PW_SCRIPT")
if [ "x$JENKINS_PW" = "x" ]; then
    exit 0
fi
# An empty UUID means svnlook failed; report that as a hook error.
if [ "x${UUID}" = "x" ]; then
    exit 1
fi

# Debug trace of every commit handled (a fixed, predictable name under /tmp).
echo "${UUID} : ${REV} : ${REPOS}" >> /tmp/post_commit.out

# POST the list of changed paths to the Subversion plugin's notifyCommit endpoint,
# authenticating with HTTP basic auth as the service account.
# Caveat: --http-password places the password on the wget command line, where
# any local user can read it with ps while the request is in flight.
/usr/bin/wget \
    --connect-timeout=5 \
    --tries=2 \
    --http-user="$JENKINS_USER" --http-password="$JENKINS_PW" \
    --header "Content-Type:text/plain;charset=UTF-8" \
    --post-data "$("${SVNLOOK}" changed --revision "$REV" "$REPOS")" \
    --output-document /tmp/post-commit-wget \
    "http://ciserver:8888/subversion/${UUID}/notifyCommit?rev=${REV}"
exit 0
In the above configuration, I was able to locate this information within the Jenkins logs:
May 27, 2014 3:36:12 PM INFO org.springframework.web.context.support.StaticWebApplicationContext prepareRefresh Refreshing
org.springframework.web.context.support.StaticWebApplicationContext@25e3951: display name [Root WebApplicationContext]; startup date [Tue May 27 15:36:12 EDT 2014]; root of context hierarchy
May 27, 2014 3:36:12 PM INFO org.springframework.web.context.support.StaticWebApplicationContext obtainFreshBeanFactory
Bean factory for application context [org.springframework.web.context.support.StaticWebApplicationContext@25e3951]: org.springframework.beans.factory.support.DefaultListableBeanFactory@9466053
May 27, 2014 3:36:12 PM INFO org.springframework.beans.factory.support.DefaultListableBeanFactory preInstantiateSingletons
Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@9466053: defining beans [filter,legacy]; root of factory hierarchy
May 27, 2014 3:36:30 PM WARNING hudson.scm.SubversionRepositoryStatus$JobTriggerListenerImpl onNotify
No subversion jobs found
May 27, 2014 3:36:30 PM INFO jenkins.scm.impl.subversion.SubversionSCMSource$ListenerImpl onNotify
Received post-commit hook from 47272b4f-b969-45fb-85a3-5cc10733bede for revision 1,995 on paths [mdeneaul/TIJ4/branches/1.1-SNAPSHOT/pom.xml]
May 27, 2014 3:36:30 PM INFO jenkins.scm.impl.subversion.SubversionSCMSource$ListenerImpl onNotify
No subversion consumers for UUID 47272b4f-b969-45fb-85a3-5cc10733bede
May 27, 2014 3:36:30 PM WARNING hudson.scm.SubversionRepositoryStatus doNotifyCommit
No interest in change to repository UUID 47272b4f-b969-45fb-85a3-5cc10733bede found