"Customise Build Parameters" on different TeamCity versions

Answered

Hello!

I experience some problems using TeamCity REST API on two different TeamCity versions. I use HTTP Auth on both of them like:

const httpAuthCredentials = "%system.teamcity.auth.userId%:%system.teamcity.auth.password%";

On the first, TeamCity Professional 2019.2.4 (build 72059), I can create new builds using the REST API without any problems.

On the second, TeamCity Professional 2017.2.1 (build 50732), I can't create a build using the REST API. I got the following response:
Responding with error, status code: 403 (Forbidden).\nDetails: jetbrains.buildServer.serverSide.auth.AccessDeniedException: You do not have "Customize build parameters" permission in project with internal id: project46\nAccess denied. Check the user has enough permissions to perform the operation.'

On both of these TeamCity servers I'm logged in as Administrator (System administrator) with all existing permissions.

Maybe there are some permission differences in the way my request authenticates.
Can someone advise how to solve this issue?

7 comments

Found this issue with status Fixed for 2017.1.2.

As it says "the build user got permission to cancel, tag, pin, and run a build in the same build configuration".

Tell me, please, is my situation like the one described above? http://prntscr.com/v9b3xc
If yes, why did I get the error?

0

Hi,

Would you be able to share the complete request? I'm not able to reproduce this on my end using the following:

curl -X POST -H "Content-Type: text/plain" --user "%system.teamcity.auth.userId%:%system.teamcity.auth.password%" -d "newbuildconfig" "http://<teamcity url>/httpAuth/app/rest/projects/test/buildTypes"

Edit: I just realized I misread your issue as creating a build configuration. It would still be helpful to know your complete request, though. 

0

I was able to reproduce your issue with the following REST query:

curl -v -u "%system.teamcity.auth.userId%:%system.teamcity.auth.password%" "http://<teamcity url>/httpAuth/app/rest/buildQueue" --request POST --header "Content-Type:application/xml" --data '<build><buildType id="Test_Newconfig2"/><properties><property name="example.parameter" value="bbb"/></properties></build>'

As a workaround, I was able to hard-code the username:password in the script. You can include the password as a typed-parameter, so as not to expose the password. For information on typed-parameters, please see the documentation here: https://confluence.jetbrains.com/display/TCD10/Typed+Parameters

It appears that your issue was not included in the fix for TW-39206. If I'm interpreting the fix correctly, it would only apply if you were to queue a build of the same build configuration. It does appear your issue was fixed at a later point in time, based on the fact it works in 2019.2.4.

0

Hello! Thanks for your response!

I'm not creating a build configuration; I'm trying to trigger a build.

Executing my Node.js step, the error log is as follows:

[10:11:02]W: [Step 8/8] { error:
[10:11:02]W: [Step 8/8] { 
[10:11:02]W: [Step 8/8] response:
[10:11:02]W: [Step 8/8] { status: 403,
[10:11:02]W: [Step 8/8] statusText: '',
[10:11:02]W: [Step 8/8] headers: [Object],
[10:11:02]W: [Step 8/8] config: [Object],
[10:11:02]W: [Step 8/8] request: [ClientRequest],
[10:11:02]W: [Step 8/8] data:
[10:11:02]W: [Step 8/8] 'Responding with error, status code: 403 (Forbidden).\nDetails: jetbrains.buildServer.serverSide.auth.AccessDeniedException: You do not have "Customize build parameters" permission in project with internal id: project46\nAccess denied. Check the user has enough permissions to perform the operation.' },
[10:11:02]W: [Step 8/8] isAxiosError: true,
[10:11:02]W: [Step 8/8] toJSON: [Function] },
[10:11:02]W: [Step 8/8] isError: true }
[10:11:02]W: [Step 8/8] (node:12248) UnhandledPromiseRejectionWarning: Error: Error: Build request failure!
[10:11:02] : [Step 8/8] Process exited with code 0

 

I tried the workaround (hardcoding the username instead of system.teamcity.auth.userId). Now I get an error on another request (before build triggering) that gets the list of agents. It says that the username or password is incorrect:

[17:07:07]W: [Step 3/8] { error:
[17:07:07]W: [Step 3/8] { 
[17:07:07]W: [Step 3/8] response:
[17:07:07]W: [Step 3/8] { status: 401,
[17:07:07]W: [Step 3/8] statusText: '',
[17:07:07]W: [Step 3/8] headers: [Object],
[17:07:07]W: [Step 3/8] config: [Object],
[17:07:07]W: [Step 3/8] request: [ClientRequest],
[17:07:07]W: [Step 3/8] data:
[17:07:07]W: [Step 3/8] 'Incorrect username or password.\r\nTo login manually go to "/login.html" page' },
[17:07:07]W: [Step 3/8] isAxiosError: true,
[17:07:07]W: [Step 3/8] toJSON: [Function] },
[17:07:07]W: [Step 3/8] isError: true }
[17:07:07]W: [Step 3/8] (node:10132) UnhandledPromiseRejectionWarning: Error: Error: agentsList request failure

Request url was as follows:
http://pavlom:*******@localhost:8111/httpAuth/app/rest/agents

It only works if I hardcode the login and password, without using any variables.
But this is totally insecure =(

0

Did you hardcode both the username and password? I get the same error if I try to use %system.teamcity.auth.password%. Instead, I created the parameter %secretpassword% and set it to be the password type to hide the password from being displayed anywhere. Then I used the following successfully:

curl -v -u "administrator:%secretpassword%" "<teamcity url>/httpAuth/app/rest/buildQueue" --request POST --header "Content-Type:application/xml" --data '<build><buildType id="Test_Newconfig2"/><properties><property name="example.parameter" value="bbb"/></properties></build>'
0
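
The workaround above, sketched for a Node.js build step like the one in this thread (an added example, not code from any poster or from JetBrains): credentials are read from environment variables and sent in an Authorization header instead of the request URL, the 401 and 403 responses seen above are told apart, and a failed request makes the step exit non-zero instead of "Process exited with code 0". The names TC_URL, TC_API_USER and TC_API_PASSWORD are assumptions (for instance password-type parameters defined with the env. prefix), and a Node.js version with a global fetch (18 or later) is assumed.

```javascript
// Added example. TC_URL, TC_API_USER, TC_API_PASSWORD are assumed variable names.
const xmlEscape = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" }[c]));

// Body for POST .../app/rest/buildQueue, same shape as the curl example in the thread.
function buildQueueBody(buildTypeId, params = {}) {
  const props = Object.entries(params)
    .map(([k, v]) => `<property name="${xmlEscape(k)}" value="${xmlEscape(v)}"/>`)
    .join("");
  return `<build><buildType id="${xmlEscape(buildTypeId)}"/>` +
    (props ? `<properties>${props}</properties>` : "") + `</build>`;
}

// Credentials go in a header, not in the URL, so a logged URL never contains them.
function basicAuthHeader(user, password) {
  return "Basic " + Buffer.from(`${user}:${password}`, "utf8").toString("base64");
}

// Map the two failures seen in the thread to a message that says what to check.
function classifyFailure(status, body) {
  if (status === 401) return "auth: credentials rejected (check user and password parameter)";
  if (status === 403) {
    const m = /You do not have "([^"]+)" permission/.exec(body || "");
    return m ? `permission: account lacks "${m[1]}"` : "permission: access denied";
  }
  return `http: unexpected status ${status}`;
}

async function triggerBuild(env, buildTypeId, params) {
  const res = await fetch(`${env.TC_URL}/httpAuth/app/rest/buildQueue`, {
    method: "POST",
    headers: {
      "Content-Type": "application/xml",
      Authorization: basicAuthHeader(env.TC_API_USER, env.TC_API_PASSWORD),
    },
    body: buildQueueBody(buildTypeId, params),
  });
  if (!res.ok) throw new Error(classifyFailure(res.status, await res.text()));
  return res.status;
}

// Runs only when TC_URL is set; a failure sets a non-zero exit code so the step fails.
if (process.env.TC_URL) {
  triggerBuild(process.env, "Test_Newconfig2", { "example.parameter": "bbb" })
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```
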

Yes, I had to hardcode both of them to trigger the build.

I tried to create a new build parameter like secretpass. Yes, it can be read-only and is not visible to all users in the Run custom build window.

BUT, if someone with admin rights changes this parameter type from password to text, the password will be visible and show its original (hidden) value.

I'm sure that this approach is good enough but, unfortunately, the security issue is still not solved.
This approach can be used only if, on changing any parameter type from password to any other, the content becomes random to prevent any personal data loss.

0

Hello Pavlo,

Since it works without issues in the newer TeamCity version, I suggest you upgrade your older instance. TeamCity 2017 is outdated and not supported any longer, which means that there will be no additional fixes in this version.

Please keep in mind that we only support the two latest 'major' versions. Given that TeamCity 2020.2 is about to be released, the 2019.2 version will also become obsolete. Please consider upgrading both your servers to the latest version available (2020.1.5 as of now).

0
