[JIRA] (JENKINS-54115) Remote Invocation of Jenkins API when using Azure AD Plugin

[badal.kotecha@mindtree.com (JIRA)]

Badal Kotecha created an issue

Jenkins / JENKINS-54115 Remote Invocation of Jenkins API when using Azure AD Plugin Issue Type: Bug Assignee: Azure DevOps Components: azure-ad-plugin Created: 2018-10-17 03:40 Environment: Ubuntu 16.04 Labels: jenkins azure-ad remote-api Priority: Critical Reporter: Badal Kotecha I am facing multiple challenges with this plugin when invoking Jenkins API remotely when RBAC is configured with this plugin Is there a way to configure Jenkins user id as AD user id instead of object id? this is very inconvenient when I am trying to use Jenkins API to invoke jobs from some other application. Just granting permissions to Azure AD group (e.g. I created Azure AD group called Jenkins Admin), does not let the user of that group invoke API's remotely and throws forbidden error despite of using object ID as the user ID and API key as the password. Once I grant the permissions directly to the user (who is also part of the group), the API call works perfectly with 200 OK Are there ways to get around this? Badal Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[jieshe@microsoft.com (JIRA)]

Jie Shen assigned an issue to Jie Shen

Jenkins / JENKINS-54115 Remote Invocation of Jenkins API when using Azure AD Plugin

Change By: Jie Shen Assignee: Azure DevOps Jie Shen

Add Comment

[jieshe@microsoft.com (JIRA)]

Jie Shen commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin Hi Badal Kotecha, The latest AD plugin should use the AD UPN for Jenkins user id. Make sure you upgrade the AD plugin and azure-commons plugin at the same time. But this version has some problems with Jenkins API now. You need to add a new role "username (UPN)" in the matrix to make it work around. The group feature seems not work now. I will investigate it.

Add Comment

[badal.kotecha@mindtree.com (JIRA)]

Badal Kotecha commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Hi Jie Shen, even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission. Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities Can you confirm it works for individual user at least? (not the group) and if I am missing anything?

Add Comment

[badal.kotecha@mindtree.com (JIRA)]

Badal Kotecha edited a comment on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Hi [~jieshe], even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission.

Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities Can you confirm it works for individual user at least? (not the group) and if I am missing anything?

This was working with Object ID as the user ID before I upgraded Azure AD plug-in but as per your suggestion when I updated the plugin and restarted the jenkins service (and even the VM), its not working either ways

Add Comment

[badal.kotecha@mindtree.com (JIRA)]

Interestingly, after further investigation the reason why it works is because anonymous user is granted an admin permission earlier. I realized this after removing Azure AD configuration from manage global security and re-configured everything from scratch. By default anonymous user is granted an admin permission, the moment I remove it, even of individual user the remote API call (despite of having overall read permissions), gives forbidden error. For sake of trying I turned on overall read permissions for Anonymous (not admin) and it started working again.. so granting permissions for individual users does not have any impact, you need to grant permissions to anonymous users to have overall read permissions. I think its a bug !!

Add Comment

[badal.kotecha@mindtree.com (JIRA)]

Badal Kotecha edited a comment on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Hi [~jieshe], even with adding specific user and granting overall read permissions, when i keep the user id as Azure AD user id (i.e. email address) I am not able to invoke the API. It gives me 403 forbidden - Access Denied error indicating <user> is missing the Overall/Read permission. Alternatively, When invoking the API with object id as the user id i get 500 Server error as indicated below java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 193.17.108.1; SessionId: null; Not granted any authorities Can you confirm it works for individual user at least? (not the group) and if I am missing anything?

Note: I am using *Azure Active Directory Matrix-based security*

This was working with Object ID as the user ID before I upgraded Azure AD plug-in but as per your suggestion when I updated the plugin and restarted the jenkins service (and even the VM), its not working either ways Interestingly, after further investigation the reason why it works is because anonymous user is granted an admin permission earlier. I realized this after removing Azure AD configuration from manage global security and re-configured everything from scratch. By default anonymous user is granted an admin permission, the moment I remove it, even of individual user the remote API call (despite of having overall read permissions), gives forbidden error. For sake of trying I turned on overall read permissions for Anonymous (not admin) and it started working again.. so granting permissions for individual users does not have any impact, you need to grant permissions to anonymous users to have overall read permissions. I think its a bug !!

Add Comment

[jieshe@microsoft.com (JIRA)]

Jie Shen commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Hi Badal Kotecha, Yes, there are some problems here. And I have created an issue on Github to entirely fix this. For now, there is a temporarily solution for you to work around here. In the Azure Active Directory Matrix-based security section, you need to have two users in the matrix to make it work for accessing Jenkins API. The auto-completion will provide you a user name like 'username (object id)'. Besides this, you need to add a user name like 'username (user ID)' and give it the reading permission. By that, the API things should work.

Add Comment

[ben@korayincki.com (JIRA)]

koray incki edited a comment on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Hi [~jieshe], I am trying to access the Jenkins RESTApi from a command shell; and I adjusted the Jenkins Server to use Azure AD as the *Security Realm.* But I can't start a build job on Jenkins Server by using a *command shell* command such as *curl* or *Invoke-RestMethod on PoSh*. Do you have a suggestion on this?

Add Comment

[jieshe@microsoft.com (JIRA)]

Jie Shen started work on JENKINS-54115

Change By: Jie Shen Status: Open In Progress

Add Comment

[davegoodine@gmail.com (JIRA)]

dave goodine commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Jie Shen - thank you for posting the workaround using the two users in the matrix.  This allows Jenkins Job Builder to authenticate and create/update jenkins jobs with our jenkins master using the Azure AD plugin.

Add Comment

[bikashkumars@gmail.com (JIRA)]

Bikash Sundaray commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Jie Shen  I am facing issue while accessing issue. I have followed your comment on 'username (object id)' and 'username (user ID)'. But it didn't work for me. Can you please give one example how to add these to user. I can understand, this one "username (object id)" is based on autocomplete but what about 'username (user ID)', what will be user ID here. On which user, i should create API token

Add Comment

[bikashkumars@gmail.com (JIRA)]

Bikash Sundaray edited a comment on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

[~jieshe]  I am facing issue while accessing issue API . I have followed your comment on 'username (object id)' and 'username (user ID)'. But it didn't work for me. Can you please give one example how to add these to 2 user. I can understand, this one "username (object id)" is based on autocomplete but what about 'username (user ID)', what will be user ID here.

On which user, i should create API token

I am making GET API call to following URL on my server (Note i have jenkins prefix to access my jenkins instance) https://<domainName>/<prefix-jenkins>/api/json

Add Comment

[bikashkumars@gmail.com (JIRA)]

Bikash Sundaray commented on JENKINS-54115

Re: Remote Invocation of Jenkins API when using Azure AD Plugin

Now working !! I am able to fix this by adding my email id as user and assigning view permission. In the API call, i am using my email ID as username and Token as Password

Add Comment

[jieshe@microsoft.com (JIRA)]

Jie Shen resolved as Fixed

Jenkins / JENKINS-54115

Remote Invocation of Jenkins API when using Azure AD Plugin

Change By: Jie Shen Status: In Progress Resolved Resolution: Fixed

Add Comment