Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-21086

jenkins-cli requires Overall/Read permission for anonymous to perform a safe-shutdown

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Duplicate
    • Component/s: cli
    • Labels:
      None
    • Environment:
      Version 1.544, Ubuntu 12.04.3 LTS, amd64, Openjdk 6b27-1.12.6-1ubuntu0.12.04.4
    • Similar Issues:

      Description

      Previously (Jenkins 1.534) we were using jenkins-cli to automate safe shutdown. But after upgrade to ver. 1.544 it stopped working.

      Our configuration uses Project-based Matrix Authorization Strategy.
      Here are 3 main users who involved into the shutdown procedure:

      • Anonymous - all permissions unset.
      • authenticated - Overall/Read, Job/Read, Job/Build
      • special jenkins-cli user - with Overall/Administer permission

      And here is the command to perform a safe shutdown

      java -jar jenkins-cli.jar -s http://localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD"
      

      So it has been working perfectly with the above configuration until I upgraded Jenkins to 1.544

      Now the command throws the error

      hudson.security.AccessDeniedException2: anonymous is missing the Overall/Read permission
      at hudson.security.ACL.checkPermission(ACL.java:54)
      at hudson.model.Node.checkPermission(Node.java:418)
      at hudson.cli.declarative.CLIRegisterer$1.main(CLIRegisterer.java:180)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:622)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:328)
      at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
      at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
      at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
      at java.util.concurrent.FutureTask.run(FutureTask.java:166)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:701)

      Of course, if I grant the permission to Anonymous, it will work. But I assume this is unsafe.

        Attachments

          Activity

          Hide
          precisiondev Precision Developer added a comment -

          This is also happening with reload-configuration on Jenkins 1.554.3

          Show
          precisiondev Precision Developer added a comment - This is also happening with reload-configuration on Jenkins 1.554.3
          Hide
          precisiondev Precision Developer added a comment -

          I was able to work around the issue by doing a jenkins_cli login command immediately before the command I wanted to perform... So I guess the username and password flags only work with login now?

          So if you want to do this:

          java -jar jenkins-cli.jar -s http://localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD"
          

          Try to do it like this:

          java -jar jenkins-cli.jar -s http://localhost:8080 login --username "$JCLIUSER" --password "$JCLIPASSWD"
          java -jar jenkins-cli.jar -s http://localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD"
          
          Show
          precisiondev Precision Developer added a comment - I was able to work around the issue by doing a jenkins_cli login command immediately before the command I wanted to perform... So I guess the username and password flags only work with login now? So if you want to do this: java -jar jenkins-cli.jar -s http: //localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD" Try to do it like this: java -jar jenkins-cli.jar -s http: //localhost:8080 login --username "$JCLIUSER" --password "$JCLIPASSWD" java -jar jenkins-cli.jar -s http: //localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD"
          Hide
          shiryaev Roman Shiryaev added a comment -

          The workaround really works for me too. Thank you so much!

          Show
          shiryaev Roman Shiryaev added a comment - The workaround really works for me too. Thank you so much!
          Hide
          danielbeck Daniel Beck added a comment -

          I expect this to be fixed in Jenkins 1.577 with the fix for JENKINS-23988. Please download that and test once it's available.

          Show
          danielbeck Daniel Beck added a comment - I expect this to be fixed in Jenkins 1.577 with the fix for JENKINS-23988 . Please download that and test once it's available.
          Hide
          danielbeck Daniel Beck added a comment -

          Assuming this is resolved in 1.577.

          Show
          danielbeck Daniel Beck added a comment - Assuming this is resolved in 1.577.

            People

            • Assignee:
              Unassigned
              Reporter:
              shiryaev Roman Shiryaev
            • Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: