[JIRA] (JENKINS-52099) jenkins-cli requires Overall/Read permission on anonymous user


g.sironi@elifesciences.org (JIRA)

Jun 21, 2018, 6:02:02 AM
to jenkinsc...@googlegroups.com
Giorgio Sironi created an issue
 
Jenkins / Bug JENKINS-52099
jenkins-cli requires Overall/Read permission on anonymous user
Issue Type: Bug
Assignee: Sam Gleske
Components: cli, github-oauth-plugin
Created: 2018-06-21 10:01
Environment: Jenkins 2.121.1
GitHub OAuth Plugin 0.29
Priority: Minor
Reporter: Giorgio Sironi

We use the GitHub OAuth authentication plugin, which allows the CLI to authenticate with a GitHub personal access token (passed in --password).

This used to work in some previous plugin combinations, but now connect-node (and probably similar commands) stop requiring Overall/Read on anonymous.

jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username elife-alfred-user --password ...
Jun 21, 2018 9:52:35 AM hudson.cli.CLI _main
FINE: using connection mode HTTP
Jun 21, 2018 9:52:36 AM hudson.cli.CLI plainHttpConnection
FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream tryToResolveRedirects
FINE: Failed to resolve potential redirects
java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
        at hudson.cli.FullDuplexHttpStream.tryToResolveRedirects(FullDuplexHttpStream.java:131)
        at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:83)
        at hudson.cli.CLI.plainHttpConnection(CLI.java:652)
        at hudson.cli.CLI._main(CLI.java:612)
        at hudson.cli.CLI.main(CLI.java:426)

Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing download side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established download side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing upload side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established upload side

ERROR: anonymous is missing the Overall/Read permission

However, the user is correctly authenticated

jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth who-am-i --username elife-alfred-user --password ...
Jun 21, 2018 10:00:04 AM hudson.cli.CLI _main
FINE: using connection mode HTTP
Jun 21, 2018 10:00:04 AM hudson.cli.CLI plainHttpConnection
FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing download side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established download side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing upload side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established upload side
Authenticated as: elife-alfred-user
Authorities:
  authenticated
  elifesciences
  elifesciences*Butlers

So it shouldn't require permissions on anonymous?
Seen similar issues like https://issues.jenkins-ci.org/browse/JENKINS-21086 before, but they are very old.

 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

jaybocc2@gmail.com (JIRA)

Jun 27, 2018, 2:22:02 AM
to jenkinsc...@googlegroups.com
jay bendon commented on Bug JENKINS-52099
 
Re: jenkins-cli requires Overall/Read permission on anonymous user

Also seeing this issue with jenkins 2.121.1. 

This seems to be some type of regression similar to https://issues.jenkins-ci.org/browse/JENKINS-8815

This has broken a large amount of our jenkins automation.


jaybocc2@gmail.com (JIRA)

Jun 27, 2018, 2:22:02 AM
to jenkinsc...@googlegroups.com
jay bendon edited a comment on Bug JENKINS-52099
Workaround is to grant anonymous read access to jenkins, which is highly undesirable for us.

fooodmail@gmail.com (JIRA)

Sep 13, 2018, 3:15:03 AM
to jenkinsc...@googlegroups.com
Uriy B updated an issue
 
Change By: Uriy B
Priority: Minor → Major

eric.blackburn@mattersight.com (JIRA)

Sep 21, 2018, 1:03:02 PM
to jenkinsc...@googlegroups.com
Eric Blackburn commented on Bug JENKINS-52099
 
Re: jenkins-cli requires Overall/Read permission on anonymous user

I had a similar issue with an error message stating "ERROR: anonymous is missing the Overall/Read permission" when trying to create a slave or perform any cli cmds.  Turns out I needed to update to use a different authentication process that the CLI offers. 

For example, change the command 

java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username exampleuser --password examplepass

to use the auth parameter

-auth username:password

So that your command ends up being

java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -auth exampleuser:examplepass connect-node containers-medium

I don't think the -noKeyAuth parameter is needed, but I could be wrong about that.
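
Added example, not part of the thread or of the Jenkins project: both command forms quoted above put the secret in the process arguments, where it is visible in process listings and shell history. This wrapper uses the CLI's `-auth @FILE` form instead, rejects a credential file that group or others can access, and confirms through `who-am-i` that the session is not anonymous before running the real command. The function names and the default URL and jar path are assumptions.

```bash
# Added example (not from the thread). Assumes jenkins-cli's "-auth @FILE" form,
# where FILE holds one line "USER:SECRET"; function names are hypothetical.
JENKINS_URL="${JENKINS_URL:-http://localhost:8080}"
CLI_JAR="${CLI_JAR:-/usr/local/bin/jenkins-cli.jar}"

# cred_file_ok FILE: succeed only if FILE is a regular file with no group/other
# permission bits set and contains a USER:SECRET line.
cred_file_ok() {
  local f="$1" mode
  [ -f "$f" ] || return 1
  # GNU stat first, BSD stat as fallback; both print the octal mode (e.g. 600).
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    *00) ;;
    *) return 1 ;;
  esac
  grep -Eq '^[^:]+:.+$' "$f"
}

# whoami_user: read `who-am-i` output on stdin and print the user name.
# Fails when the "Authenticated as:" line is missing or names anonymous.
whoami_user() {
  local user
  user=$(sed -n 's/^Authenticated as: //p' | head -n 1)
  [ -n "$user" ] && [ "$user" != "anonymous" ] || return 1
  printf '%s\n' "$user"
}

# jenkins_cli CRED_FILE COMMAND [ARGS...]: run a CLI command with the secret
# read from CRED_FILE, after verifying the file and the resulting identity.
jenkins_cli() {
  local cred="$1"
  shift
  cred_file_ok "$cred" || {
    echo "refusing: $cred is missing, malformed, or accessible to group/others" >&2
    return 2
  }
  java -jar "$CLI_JAR" -s "$JENKINS_URL" -auth "@$cred" who-am-i \
    | whoami_user >/dev/null || {
    echo "could not confirm an authenticated identity; not running: $*" >&2
    return 3
  }
  java -jar "$CLI_JAR" -s "$JENKINS_URL" -auth "@$cred" "$@"
}
```

A call such as `jenkins_cli "$HOME/.jenkins-cli-auth" connect-node containers-medium` (credential path is a placeholder) then fails early with exit code 2 or 3 instead of surfacing the "anonymous is missing the Overall/Read permission" error.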

 

 

g.sironi@elifesciences.org (JIRA)

Sep 24, 2018, 4:18:02 AM
to jenkinsc...@googlegroups.com

I found no way of getting the GitHub token authentication method to work when Overall/Read is switched off for Anonymous users, so I switched to SSH authentication, which has no such limitations:

https://github.com/elifesciences/elife-alfred-formula/blob/master/salt/elife-alfred/config/usr-local-bin-jenkins-cli#L3

The public key has to be added at https://your-jenkins/me/configure

 

sam.mxracer@gmail.com (JIRA)

Aug 10, 2019, 10:40:01 AM
to jenkinsc...@googlegroups.com

I can't reproduce this issue. GitHub personal access tokens work in all tests I perform with Jenkins CLI.

In all of my testing platforms Anonymous Read access is always revoked so I've tested this scenario several times without issue.

sam.mxracer@gmail.com (JIRA)

Aug 10, 2019, 10:41:02 AM
to jenkinsc...@googlegroups.com
Sam Gleske closed an issue as Cannot Reproduce
 

Closing as can't reproduce. If you give me steps to reproduce the issue I can look into it further. Feel free to re-open if you give reproduction steps.

Change By: Sam Gleske
Status: Open → Closed
Resolution: Cannot Reproduce