Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-10647

SSH public key based CLI authentication added in 1.419 is broken in 1.421+

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cli, security
    • Labels:
      None
    • Environment:
      Solaris x86 JRE 1.5 and Archlinux x64 JRE 1.7

      Description

      I am using Unix user/group database for Security Realm and the SSH public key security for CLI added in version 1.419. This works great in 1.419 and 1.420, but is broken in 1.421 and 1.425 (and presumably versions in between... I discovered it didn't work in 1.425, which is currently the latest, and then went up from 1.419 until it broke).

      I am guessing it has to do with one of these changes in 1.421

      • PAM authentication wasn't working with Ubuntu 11.04 (issue 9486)
      • PAM authentication now works with CLI login mechanism. (issue 9681)
      • Generalized the mechanism to control scopes of security permissions

      I can insert a typo in my public key config to force an error with the authentication, in which case I will get an error saying the public key didn't work.

      However, when everything is setup correctly, and I receive no errors regarding the ssh keys, I always get the following stack trace about the anonymous user when trying to use the CLI. This occurs for any CLI command that requires Administer permission. Read-only commands like version do work.

      myhost:$ java -jar /opt/auto/jenkins/bin/jenkins-cli.jar -s http://myhost:9080 groovy /opt/auto/jenkins/bin/failedjobs.gsh
      hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:381)
      at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
      at hudson.cli.CLICommand.main(CLICommand.java:184)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:592)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:287)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:417)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
      at java.util.concurrent.FutureTask.run(FutureTask.java:123)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:651)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:676)
      at java.lang.Thread.run(Thread.java:595)

        Activity

        jmechler2 Jason Mechler created issue -
        scm_issue_link SCM/JIRA link daemon made changes -
        Field Original Value New Value
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        zeeshanlakhani Zeeshan Lakhani made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        scm_issue_link SCM/JIRA link daemon made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            jmechler2 Jason Mechler
          • Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: