Jenkins / JENKINS-52099

jenkins-cli requires Overall/Read permission on anonymous user

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Cannot Reproduce
    • Component/s: cli, github-oauth-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.121.1
      GitHub OAuth Plugin 0.29

      Description

      We use the GitHub OAuth authentication plugin, which allows the cli to authenticate with a GitHub personal access token (passed in --password).

      This used to work in some previous plugin combinations, but now connect-node (and probably similar commands) stop requiring Overall/Read on anonymous.

      jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username elife-alfred-user --password ...
      Jun 21, 2018 9:52:35 AM hudson.cli.CLI _main
      FINE: using connection mode HTTP
      Jun 21, 2018 9:52:36 AM hudson.cli.CLI plainHttpConnection
      FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
      Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream tryToResolveRedirects
      FINE: Failed to resolve potential redirects
      java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
              at hudson.cli.FullDuplexHttpStream.tryToResolveRedirects(FullDuplexHttpStream.java:131)
              at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:83)
              at hudson.cli.CLI.plainHttpConnection(CLI.java:652)
              at hudson.cli.CLI._main(CLI.java:612)
              at hudson.cli.CLI.main(CLI.java:426)
      
      Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: establishing download side
      Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: established download side
      Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: establishing upload side
      Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: established upload side
      
      ERROR: anonymous is missing the Overall/Read permission
      

      However, the user is correctly authenticated

      jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth who-am-i --username elife-alfred-user --password ...
      Jun 21, 2018 10:00:04 AM hudson.cli.CLI _main
      FINE: using connection mode HTTP
      Jun 21, 2018 10:00:04 AM hudson.cli.CLI plainHttpConnection
      FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
      Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: establishing download side
      Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: established download side
      Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: establishing upload side
      Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
      FINE: established upload side
      Authenticated as: elife-alfred-user
      Authorities:
        authenticated
        elifesciences
        elifesciences*Butlers
      

      So it shouldn't require permissions on anonymous?
      Seen similar issues like https://issues.jenkins-ci.org/browse/JENKINS-21086 before, but they are very old.

          Activity

          jaybocc2 jay bendon added a comment - - edited

          Also seeing this issue with jenkins 2.121.1. 

          This seems to be some type of regression similar to https://issues.jenkins-ci.org/browse/JENKINS-8815

          This has broken a large amount of our jenkins automation.

          Workaround is to grant anonymous read access to jenkins, which is highly undesirable for us.

          jaybocc2 jay bendon added a comment -

          Bump - any update on this issue?

          ericblackburn Eric Blackburn added a comment - - edited

          I had a similar issue with an error message stating "ERROR: anonymous is missing the Overall/Read permission" when trying to create a slave or perform any cli cmds.  Turns out I needed to update to use a different authentication process that the CLI offers. 

          For example, change the command 

          java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username exampleuser --password examplepass
          

          to use the auth parameter

          -auth username:password
          

          So that your command ends up being

          java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -auth exampleuser:examplepass connect-node containers-medium
          

          I don't think the -noKeyAuth parameter is needed, but I could be wrong about that.
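
The `-auth` option shown in the comment above also accepts `@FILE`, which keeps the token out of the process list and shell history. The wrapper below is an added example, not part of the issue thread or of Jenkins: the `JENKINS_AUTH_FILE` variable, its default path and the helper names are assumptions, and `stat -c` assumes GNU coreutils. It checks the credentials file, then confirms with `who-am-i` that the session is not anonymous before running the real command.

```sh
#!/bin/sh
# Added example: run jenkins-cli with "-auth @FILE" instead of a token in argv.
# Assumptions: GNU stat; JENKINS_AUTH_FILE and its default path are hypothetical.
JENKINS_URL="${JENKINS_URL:-http://localhost:8080}"
CLI_JAR="${CLI_JAR:-/usr/local/bin/jenkins-cli.jar}"

# check_auth_file FILE: return 0 only for a private, single-line user:secret file.
# Returns 1 (not a regular file), 2 (mode other than 600/400), 3 (bad content).
check_auth_file() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "mode $mode on $f, expected 600"; return 2 ;;
    esac
    total=$(grep -c '' "$f" || true)
    good=$(grep -Ec '^[^:[:space:]]+:[^[:space:]]+$' "$f" || true)
    [ "$total" -eq 1 ] && [ "$good" -eq 1 ] || { echo "expected one user:secret line"; return 3; }
}

# whoami_user: read `who-am-i` output on stdin and print the user name.
# Fails when the session is anonymous or no identity line is present.
whoami_user() {
    user=$(sed -n 's/^[[:space:]]*Authenticated as: //p' | head -n 1)
    [ -n "$user" ] && [ "$user" != "anonymous" ] || return 1
    printf '%s\n' "$user"
}

# jenkins_cli ARGS...: validate the file, confirm identity, then run the command.
jenkins_cli() {
    auth_file="${JENKINS_AUTH_FILE:-$HOME/.jenkins-cli-auth}"
    check_auth_file "$auth_file" >&2 || return 1
    java -jar "$CLI_JAR" -s "$JENKINS_URL" -auth "@$auth_file" who-am-i \
        | whoami_user >/dev/null \
        || { echo "CLI session is anonymous, refusing to continue" >&2; return 1; }
    java -jar "$CLI_JAR" -s "$JENKINS_URL" -auth "@$auth_file" "$@"
}

# Example: ./jenkins-cli-wrapper.sh connect-node containers-medium
if [ "$#" -gt 0 ]; then jenkins_cli "$@"; fi
```

Failing closed on an anonymous session surfaces the condition reported in this issue without having to grant Overall/Read to anonymous.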

          giorgiosironi Giorgio Sironi added a comment -

          I found no way of getting the Github token authentication method to work when Overall/Read is switched off for Anonymous users; so I switched to SSH authentication which has no such limitations:

          https://github.com/elifesciences/elife-alfred-formula/blob/master/salt/elife-alfred/config/usr-local-bin-jenkins-cli#L3

          The public key has to be added at https://your-jenkins/me/configure

           

          sag47 Sam Gleske added a comment -

          I can't reproduce this issue. GitHub personal access tokens work in all tests I perform with Jenkins CLI.

          In all of my testing platforms Anonymous Read access is always revoked so I've tested this scenario several times without issue.

          sag47 Sam Gleske added a comment -

          Closing as can't reproduce. If you give me steps to reproduce the issue I can look into it further. Feel free to re-open if you give reproduction steps.


            People

            • Assignee:
              sag47 Sam Gleske
              Reporter:
              giorgiosironi Giorgio Sironi
            • Votes:
              2
              Watchers:
              5
