Jenkins / JENKINS-45479

API tokens and Job/Read permission issue


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Cannot Reproduce
    • Component/s: role-strategy-plugin

      Description

      When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works.

      Detail:

      I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create.

      We received a request to download Maven artifacts via curl/wget from a certain project Folder.

      All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg.

      The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg.

      However, when a person from that project tries to access the REST API with his token, he receives the following error:

       

      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
      <title>Error 404 Not Found</title>
      </head>
      <body><h2>HTTP ERROR 404</h2>
      <p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason:
      <pre>    Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>

      </body>
      </html>

      And if he tries the same with his LDAP password, the call succeeds.

      When I added the Job/Read permission as a Global permission, it also succeeded.

      Any ideas?

       

        Attachments

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Could you please check it with another Authorization Strategy? I doubt it is a Role Strategy issue, but it may be an issue in the core

          oleg_nenashev Oleg Nenashev added a comment -

          ping

          oleg_nenashev Oleg Nenashev added a comment -

          No response from the reporter

          bhavicp Bhavic Patel added a comment -

          We had a similar issue today, but slightly different I think: we assigned the user permissions, but using the token, it couldn't access anything using a curl call. We had to add the group the user is part of (from LDAP), and then it worked. Bit of an issue with this, as we only wanted this specific account to have access and not a whole range of accounts in this group.

          Would get the below error; giving global read permission didn't seem to work.

           

          Access Denied
          <accountname> is missing the Overall/Read permission"
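
A way to narrow down a report like this one is to compare what Jenkins resolves for the same account under each credential. The following is an added example, not part of the original thread or of Jenkins itself. It assumes the `/whoAmI/api/json` endpoint and its `name`, `anonymous`, `authenticated` and `authorities` fields; the sample documents and the names `builduser` and `dfp-developers` are constructed.

```python
import base64
import json
import urllib.request


def fetch_whoami(base_url, user, secret):
    """Return Jenkins' view of the caller for one credential (password or API token)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/whoAmI/api/json")
    basic = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + basic)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def compare_identities(password_view, token_view):
    """Diff two whoAmI documents; an empty list means both credentials resolve alike."""
    findings = []
    for key in ("name", "anonymous", "authenticated"):
        pw, tk = password_view.get(key), token_view.get(key)
        if pw != tk:
            findings.append(f"{key}: password={pw!r} token={tk!r}")
    pw_auth = set(password_view.get("authorities", []))
    tk_auth = set(token_view.get("authorities", []))
    for authority in sorted(pw_auth - tk_auth):
        findings.append(f"authority only with password: {authority}")
    for authority in sorted(tk_auth - pw_auth):
        findings.append(f"authority only with token: {authority}")
    return findings


# Constructed sample responses (not captured from a real instance). They show
# the kind of difference the check surfaces, not a confirmed cause of this issue.
SAMPLE_PASSWORD = json.loads(
    '{"name": "builduser", "anonymous": false, "authenticated": true,'
    ' "authorities": ["authenticated", "dfp-developers"]}'
)
SAMPLE_TOKEN = json.loads(
    '{"name": "builduser", "anonymous": false, "authenticated": true,'
    ' "authorities": ["authenticated"]}'
)

if __name__ == "__main__":
    # Against a live instance, replace the samples with two fetch_whoami() calls,
    # one with the LDAP password and one with the API token.
    for line in compare_identities(SAMPLE_PASSWORD, SAMPLE_TOKEN):
        print(line)
```

If the two views differ, the role assignments that match only the password view (for example a role granted to a group rather than to the user) are the ones to review.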
          

           


            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              bienstock Gad Maor