[JIRA] (JENKINS-61785) REST API requires Task/Build permission

[juanpablo.santos@gmail.com (JIRA)]

Juan Pablo Santos Rodríguez created an issue

Jenkins / JENKINS-61785 REST API requires Task/Build permission Issue Type: Bug Assignee: Oleg Nenashev Components: role-strategy-plugin Created: 2020-04-02 14:54 Environment: Jenkins LTS 2.222.1 role-strategy-plugin 2.16 Priority: Major Reporter: Juan Pablo Santos Rodríguez After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. On the Log we can see   2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission which is exactly what we get through the REST API inetic has Admin permissions set throuch role-strategy-plugin and is able to execute any jobs through the UI. We're using user+token for auth, which should not need Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to either true or false, but again, it makes no difference. May be the security hardening done on 2.222.1 / 2.204.6 affects the role-strategy-plugin? Only workaround found so far is to set global Read + Build permissions, however that allows every user to execute everything without being logged which is not so funny. Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)

[juanpablo.santos@gmail.com (JIRA)]

Juan Pablo Santos Rodríguez updated an issue

Jenkins / JENKINS-61785 REST API requires Task/Build permission

Change By: Juan Pablo Santos Rodríguez

After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. On the Log we can see

{code}2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission {code}

which is exactly what we get through the REST API inetic has Admin permissions set throuch role-strategy-plugin and is able to execute any jobs through the UI.

We're using user+token for auth, which should not need Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting {{hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION}} to either {{true}} or {{false}}, but again, it makes no difference.

May be the security hardening done on 2.222.1 / 2.204.6 affects the role-strategy-plugin? Only workaround found so far is to set global Read + Build permissions, however that allows every user to execute everything without being logged which is not so funny.

EDIT: forgot to add, $JENKINS/whoAmI for user yields: {code} Name: INETIC IsAuthenticated?: true Authorities: * "authenticated" {code}

Add Comment

[juanpablo.santos@gmail.com (JIRA)]

Juan Pablo Santos Rodríguez updated an issue

Jenkins / JENKINS-61785 REST API requires Task/Build permission Change By: Juan Pablo Santos Rodríguez

After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. On the Log we can see   {code}2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission {code} which is exactly what we get through the REST API

inetic has Admin permissions granted to a role, set throuch role-strategy-plugin and is able to execute any jobs through the UI.

We're using user+token for auth, which should not need Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting {{hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION}} to either {{true}} or {{false}}, but again, it makes no difference. May be the security hardening done on 2.222.1 / 2.204.6 affects the role-strategy-plugin? Only workaround found so far is to set global Read + Build permissions, however that allows every user to execute everything without being logged which is not so funny. EDIT: forgot to add, $JENKINS/whoAmI for user yields: {code} Name: INETIC IsAuthenticated?: true Authorities: * "authenticated" {code}

Add Comment