[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships

[harishbito@gmail.com (JIRA)]

Harish Kumar created an issue

Jenkins / JENKINS-59105 Accessing Jenkins using API token does not work in group memberships Issue Type: Bug Assignee: Oleg Nenashev Components: role-strategy-plugin Created: 2019-08-27 16:09 Environment: Jenkins version : 2.174 Role-based Authorization Strategy version : 2.10 Priority: Major Reporter: Harish Kumar I am using Role Based Strategy to manage user permission. I have an account under group A. I give this group Admin permission. When I call rest API with user API token Jenkins rejects the request with 403 Forbidden Error. If I add this user directly to the global roles and grant appropriate permission, it works.  It seems API authorization doesn't work with Group. Any idea on this? Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[o.v.nenashev@gmail.com (JIRA)]

Oleg Nenashev commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking

Add Comment

[harishbito@gmail.com (JIRA)]

Harish Kumar updated an issue

Jenkins / JENKINS-59105

Accessing Jenkins using API token does not work in group memberships

Change By: Harish Kumar Attachment: CSFR_Config.PNG

Add Comment

[harishbito@gmail.com (JIRA)]

Harish Kumar commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships It fails in the very first request made and it is the crumb request : "https://jenkinsurl/crumbIssuer/api/json"

Add Comment

[harishbito@gmail.com (JIRA)]

Harish Kumar updated an issue

Jenkins / JENKINS-59105

Accessing Jenkins using API token does not work in group memberships

Change By: Harish Kumar Attachment: CSFR_Config.PNG

Add Comment

[harishbito@gmail.com (JIRA)]

Harish Kumar edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships It fails in Yes as far I can tell the very first request made and it set up seems valid. Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json"

Add Comment

[harishbito@gmail.com (JIRA)]

Harish Kumar edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

Yes as far I can tell the set up seems valid.

Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json"

Error : someuser is missing the Overall/Read permission

Add Comment

[alexhraber@gmail.com (JIRA)]

Alex Raber commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues.

Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[alexhraber@gmail.com (JIRA)]

Alex Raber edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues after upgrading LTS from `2 . 204.5` to `2.222.1`.

Add Comment

[zburton@ancestry.com (JIRA)]

Zane Burton edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission" {color:#000000}curl --location --user {color}{color:#a31515}'username:APIKEY'{color}{color:#000000} --header {color}{color:#a31515}"Content-Type:application/x-www-form-urlencoded"{color}{color:#000000} --request POST {color}{color:#a31515}"https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"{color}

Add Comment

[zburton@ancestry.com (JIRA)]

Zane Burton commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission"

curl --location --user 'username:APIKEY' --header "Content-Type:application/x-www-form-urlencoded" --request POST "https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"

Add Comment

[o.v.nenashev@gmail.com (JIRA)]

Oleg Nenashev started work on JENKINS-59105

Change By: Oleg Nenashev Status: Open In Progress

Add Comment

[alexhraber@gmail.com (JIRA)]

Alex Raber commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') I then generated a new token for my user, and set up my Github repo webhook as follows: url: https://dev-jenkins.url.gov/job/testjob/build secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

Add Comment

[alexhraber@gmail.com (JIRA)]

Alex Raber edited a comment on JENKINS-59105

[alexhraber@gmail.com (JIRA)]

[alexhraber@gmail.com (JIRA)]

Alex Raber edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): {{jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')}}

^ per: [https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6]

I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

Add Comment

[alexhraber@gmail.com (JIRA)]

Alex Raber edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):

` {{ jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') ` }}

I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

Add Comment

[alexhraber@gmail.com (JIRA)]

Alex Raber edited a comment on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): {{jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')}}

^ per: [https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6]

I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

There are also these items in the 2.204.6 upgrade doc:   {code:java} - Remove Enable Security checkbox in the Global Security configuration. (issue 40228) - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509) {code}   These are not options in the UI in 2.222.1

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-59105

Re: Accessing Jenkins using API token does not work in group memberships

Alex Raber Try https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection

Add Comment