Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54115

Remote Invocation of Jenkins API when using Azure AD Plugin

    Details

    • Similar Issues:

      Description

      I am facing multiple challenges with this plugin when invoking Jenkins API remotely when RBAC is configured with this plugin

      1. Is there a way to configure Jenkins user id as AD user id instead of object id? this is very inconvenient when I am trying to use Jenkins API to invoke jobs from some other application.
      2. Just granting permissions to Azure AD group (e.g. I created Azure AD group called Jenkins Admin), does not let the user of that group invoke API's remotely and throws forbidden error despite of using object ID as the user ID and API key as the password. Once I grant the permissions directly to the user (who is also part of the group), the API call works perfectly with 200 OK

      Are there ways to get around this?

      Badal

        Attachments

          Activity

          Hide
          jieshe Jie Shen added a comment -

          Hi Badal Kotecha,

          1. The latest AD plugin should use the AD UPN for Jenkins user id. Make sure you upgrade the AD plugin and azure-commons plugin at the same time. But this version has some problems with Jenkins API now. You need to add a new role "username (UPN)" in the matrix to make it work around.
          2. The group feature seems not work now. I will investigate it.
          Show
          jieshe Jie Shen added a comment - Hi Badal Kotecha , The latest AD plugin should use the AD UPN for Jenkins user id. Make sure you upgrade the AD plugin and azure-commons plugin at the same time. But this version has some problems with Jenkins API now. You need to add a new role "username (UPN)" in the matrix to make it work around. The group feature seems not work now. I will investigate it.
          Hide
          badalk Badal Kotecha added a comment - - edited

          Hi Jie Shen, even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission.

          Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below

          java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities

          Can you confirm it works for individual user at least? (not the group) and if I am missing anything? 

          Note: I am using Azure Active Directory Matrix-based security

          This was working with Object ID as the user ID before I upgraded Azure AD plug-in but as per your suggestion when I updated the plugin and restarted the jenkins service (and even the VM), its not working either ways

          Interestingly, after further investigation the reason why it works is because anonymous user is granted an admin permission earlier. I realized this after removing Azure AD configuration from manage global security and re-configured everything from scratch. By default anonymous user is granted an admin permission, the moment I remove it, even of individual user the remote API call (despite of having overall read permissions), gives forbidden error. For sake of trying I turned on overall read permissions for Anonymous (not admin) and it started working again.. so granting permissions for individual users does not have any impact, you need to grant permissions to anonymous users to have overall read permissions. I think its a bug !!

          Show
          badalk Badal Kotecha added a comment - - edited Hi Jie Shen , even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission. Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED] ; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities Can you confirm it works for individual user at least? (not the group) and if I am missing anything?  Note: I am using  Azure Active Directory Matrix-based security This was working with Object ID as the user ID before I upgraded Azure AD plug-in but as per your suggestion when I updated the plugin and restarted the jenkins service (and even the VM), its not working either ways Interestingly, after further investigation the reason why it works is because anonymous user is granted an admin permission earlier. I realized this after removing Azure AD configuration from manage global security and re-configured everything from scratch. By default anonymous user is granted an admin permission, the moment I remove it, even of individual user the remote API call (despite of having overall read permissions), gives forbidden error. For sake of trying I turned on overall read permissions for Anonymous (not admin) and it started working again.. so granting permissions for individual users does not have any impact, you need to grant permissions to anonymous users to have overall read permissions. I think its a bug !!
          Hide
          jieshe Jie Shen added a comment -

          Hi Badal Kotecha,

          Yes, there are some problems here. And I have created an issue on Github to entirely fix this. For now, there is a temporarily solution for you to work around here.

          In the Azure Active Directory Matrix-based security section, you need to have two users in the matrix to make it work for accessing Jenkins API. The auto-completion will provide you a user name like 'username (object id)'. Besides this, you need to add a user name like 'username (user ID)' and give it the reading permission. By that, the API things should work.

          Show
          jieshe Jie Shen added a comment - Hi Badal Kotecha , Yes, there are some problems here. And I have created an issue  on Github to entirely fix this. For now, there is a temporarily solution for you to work around here. In the Azure Active Directory Matrix-based security section, you need to have two users in the matrix to make it work for accessing Jenkins API. The auto-completion will provide you a user name like 'username (object id)'. Besides this, you need to add a user name like 'username (user ID)' and give it the reading permission. By that, the API things should work.
          Hide
          kincki koray incki added a comment - - edited

          Hi Jie Shen,

          I am trying to access the Jenkins RESTApi from a command shell; and I adjusted the Jenkins Server to use Azure AD as the Security Realm.

          But I can't start a build job on Jenkins Server by using a command shell command such as curl or Invoke-RestMethod on PoSh. Do you have a suggestion on this?

           

          Show
          kincki koray incki added a comment - - edited Hi Jie Shen , I am trying to access the Jenkins RESTApi from a command shell; and I adjusted the Jenkins Server to use Azure AD as the Security Realm. But I can't start a build job on Jenkins Server by using a command shell command such as curl or Invoke-RestMethod on PoSh . Do you have a suggestion on this?  
          Hide
          davegoodine dave goodine added a comment -

          Jie Shen - thank you for posting the workaround using the two users in the matrix.  This allows Jenkins Job Builder to authenticate and create/update jenkins jobs with our jenkins master using the Azure AD plugin.

          Show
          davegoodine dave goodine added a comment - Jie Shen - thank you for posting the workaround using the two users in the matrix.  This allows Jenkins Job Builder to authenticate and create/update jenkins jobs with our jenkins master using the Azure AD plugin.
          Hide
          bikashkumars Bikash Sundaray added a comment - - edited

          Jie Shen 

          I am facing issue while accessing API. I have followed your comment on 'username (object id)' and 'username (user ID)'. But it didn't work for me.

          Can you please give one example how to add these 2 user. I can understand, this one "username (object id)" is based on autocomplete but what about 'username (user ID)', what will be user ID here.

          On which user, i should create API token

          I am making GET API call to following URL on my server (Note i have jenkins prefix to access my jenkins instance)

          https://<domainName>/<prefix-jenkins>/api/json

          Show
          bikashkumars Bikash Sundaray added a comment - - edited Jie Shen   I am facing issue while accessing API. I have followed your comment on 'username (object id)' and 'username (user ID)'. But it didn't work for me. Can you please give one example how to add these 2 user. I can understand, this one "username (object id)" is based on autocomplete but what about 'username (user ID)', what will be user ID here. On which user, i should create API token I am making GET API call to following URL on my server (Note i have jenkins prefix to access my jenkins instance) https://<domainName>/<prefix-jenkins>/api/json
          Hide
          bikashkumars Bikash Sundaray added a comment -

          Now working !!

          I am able to fix this by adding my email id as user and assigning view permission. In the API call, i am using my email ID as username and Token as Password

          Show
          bikashkumars Bikash Sundaray added a comment - Now working !! I am able to fix this by adding my email id as user and assigning view permission. In the API call, i am using my email ID as username and Token as Password

            People

            • Assignee:
              jieshe Jie Shen
              Reporter:
              badalk Badal Kotecha
            • Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: