Jenkins / JENKINS-31515

"/crumbIssuer" READ permissions


    • Type: New Feature
    • Resolution: Cannot Reproduce
    • Priority: Minor
    • core
    • None
    • Jenkins 2.46.3

      I'm using Python to do some API requests against a Jenkins instance that needs to be locked down, i.e., the overall read permission for anonymous users must be unset. However, once I enable CSRF, I stop being able to access /crumbIssuer, even with valid credentials from a user using its token.

      Does it make sense to create a crumb issuer specific permission? This would allow me to give that permission to anonymous users which would then allow me to get the crumb before making any requests from a user with proper credentials...

      Is this something that can be implemented with a plugin? Either by disabling any permissions required to READ /crumbIssuer?

            Assignee: Unassigned
            Reporter: Pedro Algarvio (s0undt3ch)
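
An added example (not part of the original report and not Jenkins project code): a Python client that leaves anonymous access locked down by sending the user's API token preemptively on the /crumbIssuer/api/json request, then reuses the returned crumb on a POST. The host, user, token, job path and sample reply are constructed placeholders.

```python
import base64
import json
import urllib.request

# Constructed sample of the JSON a crumb issuer returns (values are made up).
SAMPLE_REPLY = b'{"crumb": "0123abcd", "crumbRequestField": "Jenkins-Crumb"}'

def basic_auth_header(user, api_token):
    """Authorization value for HTTP Basic with user:API-token."""
    raw = f"{user}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def crumb_request(base_url, user, api_token):
    """Authenticated GET for the crumb, so anonymous needs no permission.

    The header is attached up front instead of waiting for a 401 challenge,
    because Jenkins answers an unauthenticated request with 403 directly.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/crumbIssuer/api/json")
    req.add_header("Authorization", basic_auth_header(user, api_token))
    return req

def parse_crumb(body):
    """Return (header_name, crumb_value) from the crumb issuer's JSON reply."""
    data = json.loads(body)
    return data["crumbRequestField"], data["crumb"]

def fetch_crumb(base_url, user, api_token, opener=urllib.request.urlopen):
    """Send the crumb request; urlopen raises HTTPError if it is rejected."""
    with opener(crumb_request(base_url, user, api_token), timeout=10) as resp:
        return parse_crumb(resp.read())

def post_with_crumb(base_url, path, user, api_token, field, crumb):
    """Build a POST that carries both the credentials and the crumb header."""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(user, api_token))
    req.add_header(field, crumb)
    return req

if __name__ == "__main__":
    base = "https://jenkins.example.invalid"  # placeholder host
    # Offline demo on the constructed reply; live use: fetch_crumb(base, user, token)
    field, crumb = parse_crumb(SAMPLE_REPLY)
    req = post_with_crumb(base, "/job/demo/build", "alice", "placeholder-token", field, crumb)
    print(req.get_method(), req.full_url, sorted(k for k, _ in req.header_items()))
```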