How to disable a Jenkins job via curl?

Question

I want to disable a Jenkins job by sending a post curl request to Jenkins.

I've tried doing that using:

curl -X POST http://<server>:8080/<jobname>/disable
curl -X POST http://<server>:8080/<jobname>/disable?token=<token>
curl -u <username>:<token> POST http://<server>:8080/<jobname>/disable

but failed every time. The error i am getting is:

403 no valid crumb was included in the request

Is there a good curl based solution to this problem?

score 20 · Answer 1 · edited Jul 18 '18 at 11:13

No valid crumb means your Jenkins installation has a security option enabled which prevent requests send in a standard way to avoid one-click attacks. You can't use Jenkins CLI either, because it doesn't work yet.

Here are the steps using curl (replace localhost with your Jenkins address):

Note your user API Token (from /user/USER/configure).

Get your crumb:

CRUMB=$(curl -s 'http://USER:TOKEN@localhost:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')

Now you can disable the job by sending the crumb in the headers:
```
curl -X POST -H "$CRUMB" http://USER:TOKEN@localhost:8080/<jobname>/disable
```
^{If the above won't work for some reason, you may try to use -u USER:TOKEN instead.}

Works great! Note that it might be cleaner to use `curl -u user:pass http://localhost:8080/...` instead of having the user/pass in the URL itself (depending on how you're scripting it). — geerlingguy, Dec 08 '17 at 17:16

score 11 · Accepted Answer · edited May 23 '17 at 12:34

11

The crumb error indicates you are using CSRF Protection. You need to include a proper crumb header in your request. The crumb can be obtained from the Jenkins API as described on the Jenkins wiki page linked above. The answer for "Trigger parameterized build with curl and crumb" shows the syntax to adding the crumb header in the curl request.

edited May 23 '17 at 12:34

Community

1
1

answered Feb 18 '15 at 16:59

Dave Bacher

15,652
3
63
86

is the crumb data always fixed or I have to get it using a query everytime? – rrawat Feb 20 '15 at 00:19
@rwt The crumb is mostly static, but it does depend on the username and client IP. If you're writing a script where those parameters will vary, you're better off requesting the crumb at the start of the script. – Dave Bacher Feb 20 '15 at 17:34

score 4 · Answer 3 · answered Oct 25 '16 at 06:28

4

setup jenkins's "global security settings": Uncheck "Prevent Cross Site Request Forgery exploits"

answered Oct 25 '16 at 06:28

smilepy

57
1

5

Disabling CSRF protection opens a security hole and leaves your instance vulnerable to maliciously crafted links https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) – Andy Feb 28 '17 at 10:44

score 3 · Answer 4 · edited May 02 '18 at 11:35

3

I found the first part of kenorb's solution worked for me, i.e. getting the crumb, but for the second part, curl did not like that syntax, it said:

curl: (6) Couldn't resolve host 'http:'

So I had to use the following syntax which worked:

curl -H $CRUMB http://localhost:8080/<jobname>/disable -u USER:TOKEN

edited May 02 '18 at 11:35

kenorb

155,785
88
678
743

answered Sep 20 '16 at 08:57

Will

1,509
1
13
16

thank you, this is what i need in my java app, sending user:token in request header – To Kra Jan 19 '17 at 14:41

score 1 · Answer 5 · edited Jul 11 '16 at 18:13

1

The below is working for me

curl -X POST http://<servername>/job/jobname/disable

Make sure the user access to do that.

edited Jul 11 '16 at 18:13

kenorb

155,785
88
678
743

answered Feb 18 '15 at 09:02

DevD

664
5
16

How to disable a Jenkins job via curl?

5 Answers5

Linked