Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-11149

JNLP slave fails to connect if Anonymous has not permission READ

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Hi all,
      I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
      If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.

      The jenkins-slave.xml contains
      ------------------------------------------------------------------------------------
      <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
      ------------------------------------------------------------------------------------

      The tomcat-users.xml contains
      ------------------------------------------------------------------------------------
      <tomcat-users>
      <role rolename="admin"/>
      <role rolename="manager"/>
      <user username="abcd" password="efgh" roles="admin,manager"/>
      </tomcat-users>
      ------------------------------------------------------------------------------------

      The jenkins-slave.err.log contains
      ------------------------------------------------------------------------------------
      Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
      java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
      at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
      at hudson.remoting.Launcher.run(Launcher.java:190)
      at hudson.remoting.Launcher.main(Launcher.java:166)
      Waiting 10 seconds before retry
      ------------------------------------------------------------------------------------

      The tomcat's localhost.2011-xx-xx.log contains
      ------------------------------------------------------------------------------------
      SEVERE: Servlet.service() for servlet Stapler threw exception
      hudson.security.AccessDeniedException2: anonymous is missing the Read permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:363)
      at hudson.model.Hudson.getTarget(Hudson.java:3538)
      ...
      ------------------------------------------------------------------------------------

      The setup is as follows:
      ------------------------------------------------------------------------------------
      OS: Windows 7
      Tomcat: 6.0.33
      Jenkins: 1.4.10 (also not working with 1.4.31)
      JDK: 1.6.27
      Security Realm: Matrix based Security is enabled
      Authorization: Delegate to servlet container

      permissions of user abcd: Overall Read, Overall Administer
      permissions of user Anonymous: none
      ------------------------------------------------------------------------------------

        Attachments

          Activity

          Hide
          rainerw Rainer Weinhold added a comment -

          This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. ( This can only be a temporarily workaround, there is a reason why anonymous doesn't have this right! )

          Since some versions Jenkins supports "api tokens", wouldn't that be a way to go?

          Show
          rainerw Rainer Weinhold added a comment - This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. ( This can only be a temporarily workaround, there is a reason why anonymous doesn't have this right! ) Since some versions Jenkins supports "api tokens", wouldn't that be a way to go?
          Hide
          rainerw Rainer Weinhold added a comment -

          @Waldek M :

          Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to seen anything useful. So from the user perception, the ui seems to "work" but they can't see any projects.

          Show
          rainerw Rainer Weinhold added a comment - @Waldek M : Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to seen anything useful. So from the user perception, the ui seems to "work" but they can't see any projects.
          Hide
          matthias_vach Matthias Vach added a comment -

          Correct, we enforce the login by not offering read permissions to anonymous.

          Show
          matthias_vach Matthias Vach added a comment - Correct, we enforce the login by not offering read permissions to anonymous.
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Nothing to do in slave-setup

          Show
          oleg_nenashev Oleg Nenashev added a comment - Nothing to do in slave-setup
          Hide
          cliedeman Ciaran Liedeman added a comment -

          This issue can be closed

          In the latest version of jenkins (1.598) and I'm sure its been there for a while.

          You only have to enable slave connect permission for anonymous which will allow JNLP Slaves to connect without affecting the login screen.

          Ciaran

          Show
          cliedeman Ciaran Liedeman added a comment - This issue can be closed In the latest version of jenkins (1.598) and I'm sure its been there for a while. You only have to enable slave connect permission for anonymous which will allow JNLP Slaves to connect without affecting the login screen. Ciaran

            People

            Assignee:
            abayer Andrew Bayer
            Reporter:
            matthias_vach Matthias Vach
            Votes:
            14 Vote for this issue
            Watchers:
            18 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: