
public key authentication leads to authorization as "anonymous"

      Trying to put the cli-channel-demo [1] to use.
      It works alone, but in conjunction with the Role Strategy Plugin [2] I got a problem:

      Exception in thread "main" java.lang.SecurityException: hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:381)
      at hudson.cli.GroovyCommand.run(GroovyCommand.java:73)
      at hudson.cli.CLICommand.main(CLICommand.java:184)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:82)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:287)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
      at java.util.concurrent.FutureTask.run(FutureTask.java:138)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)
      at hudson.cli.CLI.upgrade(CLI.java:195)
      at org.jenkinsci.demo.cli.App.main(App.java:42)

      Why is it assuming userid "anonymous" instead of the userid to which I have assigned the public key?

      [1] https://github.com/jenkinsci/cli-channel-demo
      [2] https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin

          Kohsuke Kawaguchi added a comment -

          Any chance this is the issue fixed in JENKINS-10647?

          Please report the Jenkins server version.

          Kohsuke Kawaguchi added a comment -

          This is with LDAP.

          Max Spring added a comment -

          This is with Jenkins 1.429.
          I will try out without the Role Strategy Plugin & with built-in matrix authorization.
          I will also provide a sandbox image to reproduce this bug.

          Max Spring added a comment -

          This problem happens also with latest (1.1.2) Role Strategy Plugin as well as by just using the built-in matrix authorization.

          Max Spring added a comment -

          Contains plugin project to reproduce the bug.
          See included readme.

          Max Spring added a comment -

          Hi Kohsuke,
          I've added a project to easily reproduce the bug.
          Would be great if you could take a look.
          Thanks!
          -Max

          Max Spring added a comment -

          After some deep dive into the core code I figured out the problem:
          The Callable's security context has a null authentication, which leads to "anonymous".

          I found a workaround by explicitly setting the authentication in the callable:

          public String call() throws IOException {
              // The callable runs on a server-side thread whose security context is empty,
              // so copy the transport authentication that was recorded on the channel.
              SecurityContext sc = SecurityContextHolder.getContext();
              if (sc.getAuthentication() == null) {
                  sc.setAuthentication(Channel.current().getProperty(CLICommand.TRANSPORT_AUTHENTICATION));
              }

              // ... actual callable operation
          }
          

          This leads me to a potential fix in remoting.UserRequest by adding this right before the callable gets invoked:

          SecurityContext sc = SecurityContextHolder.getContext();
          if (sc != null && sc.getAuthentication() == null) {
              // Only adopt the channel's transport authentication while the context is still
              // empty, and never install an explicit "anonymous" principal.
              Authentication auth = channel.getProperty(CLICommand.TRANSPORT_AUTHENTICATION);
              if (auth != null && !"anonymous".equals(auth.getPrincipal())) {
                  sc.setAuthentication(auth);
              }
          }
          

          It appears to me there's probably a better solution by setting the security context's authentication at the time where the channel property is set?
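
As an added illustration (not Jenkins code and not the reporter's), the following self-contained Java model reproduces the failure described in the comment above: a ThreadLocal stands in for SecurityContextHolder, a Channel field stands in for the TRANSPORT_AUTHENTICATION property, and the callable either runs with the empty context (authorized as "anonymous") or adopts the channel's authentication and restores the previous context afterwards. Class and method names are hypothetical.

```java
// Constructed model of JENKINS-10890, not Jenkins code: the pool thread that runs a
// CLI callable starts with an empty security context, so an authorization check sees
// "anonymous" unless the authentication captured at channel setup is propagated.
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class CliAuthPropagationDemo {
    /** Stand-in for SecurityContextHolder: the authentication bound to the current thread. */
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    /** Stand-in for ACL.checkPermission: the principal the authorization check would see. */
    static String effectivePrincipal() {
        String auth = CONTEXT.get();
        return auth == null ? "anonymous" : auth;
    }

    /** Models the channel property CLICommand.TRANSPORT_AUTHENTICATION. */
    static final class Channel {
        final String transportAuthentication;
        Channel(String authentication) { this.transportAuthentication = authentication; }
    }

    /** Buggy path: the callable runs on a pool thread with no authentication set. */
    static String runWithoutPropagation(Channel ch, ExecutorService pool) throws Exception {
        return pool.submit(() -> effectivePrincipal()).get();
    }

    /** Fixed path: install the transport authentication around the callable and restore afterwards. */
    static String runWithPropagation(Channel ch, ExecutorService pool) throws Exception {
        return pool.submit(() -> {
            String previous = CONTEXT.get();
            if (previous == null && ch.transportAuthentication != null) {
                CONTEXT.set(ch.transportAuthentication);
            }
            try {
                return effectivePrincipal();
            } finally {
                CONTEXT.set(previous); // never leak the identity to the next task on this pool thread
            }
        }).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Channel ch = new Channel("max"); // constructed: the user whose public key was accepted
        System.out.println("without propagation: " + runWithoutPropagation(ch, pool));
        System.out.println("with propagation:    " + runWithPropagation(ch, pool));
        System.out.println("next task on thread: " + runWithoutPropagation(ch, pool));
        pool.shutdown();
    }
}
```

The third line of output shows that the try/finally restore matters: without it, the identity adopted for one CLI command would remain bound to the pool thread and be inherited by whatever runs on it next.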

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          core/src/main/java/hudson/cli/CliManagerImpl.java
          pom.xml
          http://jenkins-ci.org/commit/jenkins/86319ad5393117a90d0674281d7e792148139de1
          Log:
          [FIXED JENKINS-10890]

          The closures sent from the CLI client should carry over its
          authentication. Test is written in the SSH cli auth module.

          Compare: https://github.com/jenkinsci/jenkins/compare/5c0b36d...86319ad

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          pom.xml
          src/test/java/org/jenkinsci/main/modules/cli/auth/ssh/TheTest.java
          http://jenkins-ci.org/commit/ssh-cli-auth-module/167fbc09355b5a3223c0b5a9e144165d1bba4923
          Log:
          JENKINS-10890

          added a test.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #1456

            kohsuke Kohsuke Kawaguchi
            m2spring Max Spring