JENKINS-43767

Can't use declarative-linter remotely when using GitHub Authentication

      Description

      When using the GitHub Authentication plugin (which doesn't cache credentials) I'm unable to configure permissions in such a way as to allow users to run the `declarative-linter`.

      Via `ssh ... declarative-linter` the error message is `ERROR: joecool is missing the N/A/GenericRead permission`

      The jenkins-cli jar error is `ERROR: Bad Credentials. Search the server log for <long-string> for more details.`

      From the logs:

      Apr 21, 2017 7:56:19 AM hudson.cli.CLICommand main
      INFO: CLI login attempt failed: <long-string>
      hudson.security.UserMayOrMayNotExistException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@43274a68: Username: joecool; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
       at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:577)
       at hudson.cli.ClientAuthenticationCache.set(ClientAuthenticationCache.java:94)
       at hudson.cli.LoginCommand.run(LoginCommand.java:37)
       at hudson.cli.CLICommand.main(CLICommand.java:265)
       at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:93)
       at sun.reflect.GeneratedMethodAccessor3429.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:498)
       at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:895)
       at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:870)
       at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:829)
       at hudson.remoting.UserRequest.perform(UserRequest.java:153)
       at hudson.remoting.UserRequest.perform(UserRequest.java:50)
       at hudson.remoting.Request$2.run(Request.java:336)
       at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
       at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:64)
       at hudson.remoting.CallableDecoratorAdapter.call(CallableDecoratorAdapter.java:18)
       at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21)
       at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
       at java.util.concurrent.FutureTask.run(FutureTask.java:266)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
       at java.lang.Thread.run(Thread.java:745)

      Both Anonymous and authenticated users have "Overall" "Read" permissions.

      I understand it doesn't cache credentials, so it can't figure out if joecool is in a specific GitHub Org or Org*Team; but I would expect permissions granted to Anonymous or authenticated would work.

            Activity

            sag47 Sam Gleske added a comment -

            Great to hear!  Thanks so much for testing and confirming it was fixed for me.  This was a big help.

            docwhat Christian Höltje added a comment -

            It works!

            sag47 Sam Gleske added a comment -

            0.29 has been released.  Please try again since a lot of bug fixes were included related to authentication.

            sag47 Sam Gleske added a comment -

            Jenkins API tokens are now supported for granting authorities which is a new feature added by https://github.com/jenkinsci/github-oauth-plugin/pull/87.  SSH will soon be supported as well but there's still a bug around it tracked by JENKINS-48423.

            docwhat Christian Höltje added a comment -

             I'll check it out once I can work around JENKINS-44020

            sag47 Sam Gleske added a comment -

            This behavior should be recently fixed in release 0.27. As a user, generate a personal access token which has read:org and user:email scopes. These scopes are required in order for Jenkins to determine your authorizations from GitHub.

            Try executing the following:

            java -jar jenkins-cli.jar -s http://localhost:8080/ -noKeyAuth -http -auth samrocketman:[REDACTED personal access token] declarative-linter ...
            

            Let me know how it goes.
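
Added example (not part of the original comment or of the plugin): a pre-flight check that a token carries the `read:org` and `user:email` scopes named above before it is handed to `jenkins-cli.jar`. It assumes a classic GitHub personal access token, for which GitHub reports granted scopes in the `X-OAuth-Scopes` response header, and that broader parent scopes (`write:org`, `admin:org`, `user`) also satisfy the requirement; the function names are hypothetical and the sample headers are constructed.

```shell
#!/usr/bin/env bash
# Added example: constructed data, not taken from the issue thread.
# Real headers would come from something like:
#   curl -sS -D - -o /dev/null -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user

REQUIRED_SCOPES="read:org user:email"   # scopes named in the comment above

# Scopes that satisfy a required scope: itself plus its broader GitHub parents.
satisfied_by() {
  case "$1" in
    read:org)   echo "read:org write:org admin:org" ;;
    user:email) echo "user:email user" ;;
    *)          echo "$1" ;;
  esac
}

# Read raw HTTP response headers on stdin, print granted scopes space-separated.
# The anchored match skips the unrelated X-Accepted-OAuth-Scopes header.
parse_scopes() {
  tr -d '\r' | grep -i '^x-oauth-scopes:' | cut -d: -f2- | tr ',' ' ' | awk '{ $1 = $1; print }'
}

# Print required scopes the token lacks; empty output means it is sufficient.
missing_scopes() (
  missing=""
  for need in $REQUIRED_SCOPES; do
    ok=0
    for alt in $(satisfied_by "$need"); do
      case " $1 " in *" $alt "*) ok=1 ;; esac
    done
    [ "$ok" -eq 1 ] || missing="$missing $need"
  done
  echo "${missing# }"
)

# Print granted scopes beyond the two required ones (least-privilege review).
excess_scopes() (
  extra=""
  for s in $1; do
    case " $REQUIRED_SCOPES " in *" $s "*) ;; *) extra="$extra $s" ;; esac
  done
  echo "${extra# }"
)

# Constructed sample response headers (not real output).
SAMPLE_HEADERS='HTTP/1.1 200 OK
X-OAuth-Scopes: admin:org, repo, user'
granted=$(printf '%s\n' "$SAMPLE_HEADERS" | parse_scopes)
echo "granted=[$granted] missing=[$(missing_scopes "$granted")] excess=[$(excess_scopes "$granted")]"
```

A token that passes with a non-empty excess list works for the linter but grants more than Jenkins needs; a token scoped to exactly `read:org` and `user:email` limits what leaks if the CLI credentials are exposed.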

            docwhat Christian Höltje added a comment - - edited

            I discovered I can work around it on our Jenkins via:

            curl -X POST -F "jenkinsfile=<Jenkinsfile" https://jenkins.example.com/pipeline-model-converter/validate
            

            I found this via https://github.com/jenkinsci/pipeline-model-definition-plugin/wiki/Validating-(or-linting)-a-Declarative-Jenkinsfile-from-the-command-line

            I don't know what the `-H` part is doing exactly (something about crumbs?) nor do I know why I don't need it.


              People

              • Assignee:
                sag47 Sam Gleske
                Reporter:
                docwhat Christian Höltje