[JIRA] (JENKINS-61344) API call with a token leads to a 403 but the user has "overall read" via "authenticated user" group


gregoire.waymel@decathlon.com (JIRA)

Mar 5, 2020, 6:44:02 AM3/5/20
to jenkinsc...@googlegroups.com
greg oire created an issue
 
Jenkins / Bug JENKINS-61344
API call with a token leads to a 403 but the user has "overall read" via "authenticated user" group
Issue Type: Bug
Assignee: Daniel Beck
Components: matrix-auth-plugin
Created: 2020-03-05 11:43
Environment: Jenkins 2.204.2 JDK Oracle 8 (202)
Labels: jenkins api matrix-auth
Priority: Minor
Reporter: greg oire

I use "Project-based Matrix Authorization Strategy".

I set the group "Authenticated Users" with permission overall read, job read, credential view, view read.

If a user tries to call an API with a token, like `curl -u myuser:123456 -v -H 'Accept: application/json' https://jenkins/api/json`, then the response is a 403 with an HTML body in which I have "myuser is missing the Overall/Read permission".

If I add an "overall read" permission on "myuser" itself, then the API is working (200 + data).

Does this mean that authenticating via a token does not add the 'authenticated' group? Is this wanted? If so, why not a "tokens" group?

 
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

dbeck@cloudbees.com (JIRA)

Mar 5, 2020, 7:02:03 AM3/5/20
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Not A Defect
 

Overall/Read grants basic access to Jenkins. Nothing more. Users without that basically cannot do anything, except in very limited circumstances.

Users have a group or don't, the method of authentication doesn't change what they're authorized to do.

Change By: Daniel Beck
Status: Open → Closed
Resolution: Not A Defect

gregoire.waymel@decathlon.com (JIRA)

Mar 5, 2020, 7:39:03 AM3/5/20
to jenkinsc...@googlegroups.com
greg oire commented on Bug JENKINS-61344
 
Re: API call with a token leads to a 403 but the user has "overall read" via "authenticated user" group

From your answer, Jenkins does have a bug. If I set Overall/Read for the "authenticated" user, then I expect that even with a token such a policy is applied, hence a user without other permissions would be able to call the Jenkins API. It is not the case.

dbeck@cloudbees.com (JIRA)

Mar 5, 2020, 7:45:02 AM3/5/20
to jenkinsc...@googlegroups.com

greg oire Adding the authenticated pseudo-group is the responsibility of the plugin providing authentication (i.e. security realm). So there seems to be a bug here, I agree, but not in matrix-auth.
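A way to check which pseudo-groups a request actually carries, as an added diagnostic that is not part of the thread or of the matrix-auth plugin: Jenkins core exposes `/whoAmI/api/json`, which reports the current principal and its `authorities` (the groups the security realm attached, including the `authenticated` pseudo-group). Calling it once with a browser session password and once with an API token, and diffing the two `authorities` lists, shows whether the security realm is the component dropping `authenticated`, which is what Daniel Beck points to above. The helper names (`fetch_whoami`, `diagnose`) and the sample responses are constructed here for illustration; the sample JSON is not real output from the reporter's instance.

```python
import base64
import json
import urllib.request

# Name of the pseudo-group that matrix-auth's "Authenticated Users" row matches.
AUTHENTICATED = "authenticated"


def fetch_whoami(base_url, user, secret):
    """Call <base_url>/whoAmI/api/json with HTTP Basic auth.

    `secret` may be the account password (session-style login) or an API
    token; the endpoint path and the fields used below are assumed from
    Jenkins core. This does a network call and is not exercised offline.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/whoAmI/api/json")
    creds = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:  # noqa: S310 (trusted base_url)
        return json.load(resp)


def diagnose(session_whoami, token_whoami):
    """Compare the authorities seen with a password vs. with an API token.

    Returns which authorities disappear when a token is used and whether
    permissions granted to the "Authenticated Users" row can apply at all
    to token-authenticated requests.
    """
    session_auth = set(session_whoami.get("authorities", []))
    token_auth = set(token_whoami.get("authorities", []))
    return {
        "user": token_whoami.get("name"),
        "token_authenticated": bool(token_whoami.get("authenticated")),
        "missing_with_token": sorted(session_auth - token_auth),
        # If this is False, a group-level Overall/Read grant cannot satisfy
        # the permission check for token calls, which yields the 403 in the report.
        "group_grants_apply": AUTHENTICATED in token_auth,
    }


# Constructed sample responses (hypothetical; shaped like whoAmI output).
SAMPLE_SESSION = {
    "name": "myuser", "authenticated": True, "anonymous": False,
    "authorities": ["authenticated", "developers"],
}
SAMPLE_TOKEN = {
    "name": "myuser", "authenticated": True, "anonymous": False,
    "authorities": [],
}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. Against a live server:
    #   diagnose(fetch_whoami(URL, "myuser", PASSWORD),
    #            fetch_whoami(URL, "myuser", API_TOKEN))
    print(json.dumps(diagnose(SAMPLE_SESSION, SAMPLE_TOKEN), indent=2))
```

If `missing_with_token` lists `authenticated` while the token request still reports `authenticated: true`, the principal was recognised but the security realm did not populate its groups for that authentication path, so the report belongs with that realm plugin rather than with matrix-auth.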

gregoire.waymel@decathlon.com (JIRA)

Mar 5, 2020, 7:49:02 AM3/5/20
to jenkinsc...@googlegroups.com

Is there a generic, specific handler for tokens somewhere, or does each authentication handler duplicate the token authentication management?

gregoire.waymel@decathlon.com (JIRA)

Mar 5, 2020, 8:03:02 AM3/5/20
to jenkinsc...@googlegroups.com

OK, I found the code, but I will need to debug, as at first sight it seems correct...

Thank you.
