JENKINS-10890
public key authentication leads to authorization as "anonymous"


Description

      Trying to put the cli-channel-demo [1] to use.
      It works alone, but in conjunction with the Role Strategy Plugin [2] I got a problem:

      Exception in thread "main" java.lang.SecurityException: hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:381)
      at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
      at hudson.cli.CLICommand.main(CLICommand.java:184)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:287)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
      at java.util.concurrent.FutureTask.run(FutureTask.java:138)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)
      at hudson.cli.CLI.upgrade(CLI.java:195)
      at org.jenkinsci.demo.cli.App.main(App.java:42)

      Why is it assuming userid "anonymous" instead of the userid to which I have assigned the public key?

      [1] https://github.com/jenkinsci/cli-channel-demo
      [2] https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin

Activity

            m2spring Max Spring added a comment -

            Hi Kohsuke,
            I've added a project to easily reproduce the bug.
            Would be great if you could take a look.
            Thanks!
            -Max

            m2spring Max Spring added a comment -

            After some deep dive into the core code I figured out the problem:
            The Callable's security context has a null authentication.
            Which leads to "anonymous".

            I found a workaround by explicitly setting the authentication in the callable:

            // Assumed imports for this fragment (Jenkins core used acegi-security at the time):
            import hudson.cli.CLICommand;
            import hudson.remoting.Channel;
            import org.acegisecurity.context.SecurityContext;
            import org.acegisecurity.context.SecurityContextHolder;

            // Inside the hudson.remoting.Callable<String,IOException> sent from the CLI client
            public String call() throws IOException {
                // The callable runs on the master with no Authentication in the thread's
                // security context, so ACL checks resolve to "anonymous"; copy the
                // transport-level authentication that the SSH CLI attached to the channel.
                SecurityContext sc = SecurityContextHolder.getContext();
                if (sc.getAuthentication() == null){
                    sc.setAuthentication(Channel.current().getProperty(CLICommand.TRANSPORT_AUTHENTICATION));
                }

                // ... actual callable operation
            }
            

            This leads me to a potential fix in remoting.UserRequest by adding this right before the callable gets invoked:

            // In hudson.remoting.UserRequest, immediately before callable.call():
            SecurityContext sc = SecurityContextHolder.getContext();
            if (sc != null && sc.getAuthentication() == null){
                // Use the identity the SSH transport attached to the channel,
                // but do not promote an anonymous transport identity.
                Authentication auth = channel.getProperty(CLICommand.TRANSPORT_AUTHENTICATION);
                if (auth != null && !"anonymous".equals(auth.getPrincipal())){
                    sc.setAuthentication(auth);
                }
            }
            

            It appears to me there's probably a better solution by setting the security context's authentication at the time where the channel property is set?

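            The comment above shows the authentication being copied inside each callable, or patched into UserRequest. A third place to do it is on the channel itself, once, when the transport has finished authenticating: wrap every callable the client sends so that it executes under the channel's transport identity and then restores the thread's previous context. The following is an added illustration of that pattern, not the code from this issue's fix and not code from the Jenkins project; it assumes the remoting API Channel.addLocalExecutionInterceptor(CallableFilter), the CLICommand.TRANSPORT_AUTHENTICATION channel property referenced above, and the acegi-security classes Jenkins used at the time. The class name TransportAuthPropagator is made up for the example.

```java
// Added illustration (not the project's fix): run every callable received on a
// CLI channel under the authentication that the SSH transport attached to it.
// Assumes hudson.remoting.CallableFilter / Channel.addLocalExecutionInterceptor
// and the acegi-security classes used by Jenkins core of this era.
import hudson.cli.CLICommand;
import hudson.remoting.Callable;
import hudson.remoting.CallableFilter;
import hudson.remoting.Channel;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

public class TransportAuthPropagator {

    /**
     * Install the interceptor on a channel after the transport has set
     * CLICommand.TRANSPORT_AUTHENTICATION on it (hypothetical helper name).
     */
    public static void install(final Channel channel) {
        channel.addLocalExecutionInterceptor(new CallableFilter() {
            public <V> V call(Callable<V> callable) throws Exception {
                // Identity established by the transport (SSH public key, in this issue).
                Authentication transportAuth =
                        channel.getProperty(CLICommand.TRANSPORT_AUTHENTICATION);

                SecurityContext sc = SecurityContextHolder.getContext();
                Authentication previous = sc.getAuthentication();

                // Only fill in an identity when the executing thread has none;
                // never replace an already-authenticated context with a weaker one.
                if (previous == null && transportAuth != null) {
                    sc.setAuthentication(transportAuth);
                }
                try {
                    return callable.call();
                } finally {
                    // Restore the prior context. The callable runs on a pooled
                    // executor thread; leaving the user's Authentication behind
                    // would let a later, unrelated request inherit it.
                    sc.setAuthentication(previous);
                }
            }
        });
    }
}
```

            With the interceptor installed, a callable sent over the authenticated channel that returns SecurityContextHolder.getContext().getAuthentication().getName() should report the user id the public key is assigned to rather than "anonymous", and the same callable sent over a channel with no transport authentication should still see no Authentication at all. The restore in the finally block is the part a quick fix tends to leave out; without it the fix for "anonymous" can turn into the opposite problem of one user's identity leaking into another request on the same thread.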

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            changelog.html
            core/src/main/java/hudson/cli/CliManagerImpl.java
            pom.xml
            http://jenkins-ci.org/commit/jenkins/86319ad5393117a90d0674281d7e792148139de1
            Log:
            [FIXED JENKINS-10890]

            The closures sent from the CLI client should carry over its
            authentication. Test is written in the SSH cli auth module.

            Compare: https://github.com/jenkinsci/jenkins/compare/5c0b36d...86319ad

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            pom.xml
            src/test/java/org/jenkinsci/main/modules/cli/auth/ssh/TheTest.java
            http://jenkins-ci.org/commit/ssh-cli-auth-module/167fbc09355b5a3223c0b5a9e144165d1bba4923
            Log:
            JENKINS-10890

            added a test.
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #1456

            People

              kohsuke Kohsuke Kawaguchi
              m2spring Max Spring