@Extension @Symbol(value="jnlp") public class JnlpSlaveAgentProtocol extends AgentProtocol
AgentProtocol that accepts connections from agents.
Once connected, remote agents can send in commands to be executed on the master, so in a way this is like an rsh service. Therefore, it is important that we reject connections from unauthorized remote agents.
We do this by computing an HMAC of the agent name. This code is sent to the agent inside the .jnlp file (this file itself is protected by HTTP form-based authentication that we use everywhere else in Jenkins), and the agent sends this token back when it connects to the master. Unauthorized agents can't access the protected .jnlp file, so they can't impersonate a valid agent.
We don't want to force the JNLP agents to be restarted whenever the server restarts, so right now this secret master key is generated once and used forever, which makes this whole scheme less secure.
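An added sketch of the scheme described above (not Jenkins source code): a per-agent token is derived as an HMAC of the agent name under the master key, and the master recomputes and compares it when the agent connects. The class name, the agent names and the choice of HMAC-SHA256 are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration, not Jenkins code. AgentSecretDemo is a hypothetical class.
public class AgentSecretDemo {
    private final SecretKeySpec masterKey;
    AgentSecretDemo(byte[] keyBytes) {
        // Assumption: HMAC-SHA256; the page does not name the hash function.
        masterKey = new SecretKeySpec(keyBytes, "HmacSHA256");
    }

    // Token the master embeds in the agent's protected .jnlp file.
    String secretFor(String agentName) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(masterKey);
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(agentName.getBytes(StandardCharsets.UTF_8))) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Master side of the handshake: recompute the token for the claimed
    // agent name and compare it with the presented one in constant time.
    boolean accept(String claimedName, String presented) throws GeneralSecurityException {
        return MessageDigest.isEqual(
                secretFor(claimedName).getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] newKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        AgentSecretDemo master = new AgentSecretDemo(newKey());
        String token = master.secretFor("build-agent-1"); // constructed agent name
        System.out.println("same name:     " + master.accept("build-agent-1", token));
        System.out.println("other name:    " + master.accept("build-agent-2", token));
        // A regenerated master key rejects every token already handed out.
        System.out.println("after new key: " + new AgentSecretDemo(newKey()).accept("build-agent-1", token));
    }
}
```

The third check shows the trade-off noted above: regenerating the master key invalidates every token already issued, so each agent would need a fresh .jnlp file before it could reconnect.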
Nested classes/interfaces inherited from interface ExtensionPoint: ExtensionPoint.LegacyInstancesAreScopedToHudson
Modifier and Type | Field and Description |
---|---|
static HMACConfidentialKey | SLAVE_SECRET: This secret value is used as a seed for agents. |
Constructor and Description |
---|
JnlpSlaveAgentProtocol() |
Modifier and Type | Method and Description |
---|---|
String | getDisplayName(): Returns the human readable protocol display name. |
String | getName(): Protocol name. |
void | handle(Socket socket): Called by the connection handling thread to execute the protocol. |
boolean | isOptIn(): Allow experimental AgentProtocol implementations to declare being opt-in. |
void | setHub(NioChannelSelector hub) |
Methods inherited from class AgentProtocol: all, isRequired, of
public static final HMACConfidentialKey SLAVE_SECRET
@Inject public void setHub(NioChannelSelector hub)
public boolean isOptIn()
Description copied from class AgentProtocol: Allow experimental AgentProtocol implementations to declare being opt-in. Note that Jenkins.setAgentProtocols(Set) only records the protocols where the admin has made a conscious decision thus:
opt-in -> opt-out -> opt-in.
Implementations should never flip-flop: opt-in -> opt-out -> opt-in -> opt-out as that will basically clear any preference that an admin has set. This latter restriction should be ok as we only ever will be adding new protocols and retiring old ones.
isOptIn in class AgentProtocol
Returns: true if the protocol requires explicit opt-in.
See Also: Jenkins.setAgentProtocols(Set)
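public String getName()
Description copied from class AgentProtocol: Protocol name.
getName in class AgentProtocol
public String getDisplayName()
Returns the human readable protocol display name.
getDisplayName in class AgentProtocol
public void handle(Socket socket) throws IOException, InterruptedException
Description copied from class AgentProtocol: Called by the connection handling thread to execute the protocol.
handle in class AgentProtocol
Throws: IOException, InterruptedException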
Copyright © 2004–2017. All rights reserved.