Major Hi all,
I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
The jenkins-slave.xml contains
------------------------------------------------------------------------------------
<arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
------------------------------------------------------------------------------------
The tomcat-users.xml contains
------------------------------------------------------------------------------------
<tomcat-users>
<role rolename="admin"/>
<role rolename="manager"/>
<user username="abcd" password="efgh" roles="admin,manager"/>
</tomcat-users>
------------------------------------------------------------------------------------
The jenkins-slave.err.log contains
------------------------------------------------------------------------------------
Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
at hudson.remoting.Launcher.run(Launcher.java:190)
at hudson.remoting.Launcher.main(Launcher.java:166)
Waiting 10 seconds before retry
------------------------------------------------------------------------------------
The tomcat's localhost.2011-xx-xx.log contains
------------------------------------------------------------------------------------
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
at hudson.security.ACL.checkPermission(ACL.java:53)
at hudson.model.Node.checkPermission(Node.java:363)
at hudson.model.Hudson.getTarget(Hudson.java:3538)
...
------------------------------------------------------------------------------------
The setup is as follows:
------------------------------------------------------------------------------------
OS: Windows 7
Tomcat: 6.0.33
Jenkins: 1.4.10 (also not working with 1.4.31)
JDK: 1.6.27
Security Realm: Matrix based Security is enabled
Authorization: Delegate to servlet container
permissions of user abcd: Overall Read, Overall Administer
permissions of user Anonymous: none
------------------------------------------------------------------------------------
[JENKINS-11149] JNLP slave fails to connect if Anonymous has not permission READ
Matthias Vach
added a comment - The problem still exists in Jenkins 1.4.40 
Thomas Fields
added a comment - I am also now hitting this problem. This issue is very old, will it ever get fixed?
Thanks
Tom
Thomas Fields
added a comment - I am also now hitting this problem. This issue is very old, will it ever get fixed?
Thanks
Tom 
Frederik Fromm
added a comment - moved to master-slave component Seems to me like the ideal here would be to move to using a private key approach like the CLI does (see https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI, e.g.). But if that's not viable for now...Hrm. Not sure. Lemme dig more.
Thomas Fields
added a comment - Has there been any update on this issue at all? Thomas Fields
added a comment - This issue is fairly old and has quite a few votes. Will this ever get fixed?
Thomas Fields
added a comment - This issue is fairly old and has quite a few votes. Will this ever get fixed? Thomas Fields
added a comment - Are we any closer to a fix for this issue? It seems that after some latest changes to permissions of Jenkins, giving just Read access prevents from seeing anything useful. If this is so, enabling the "General Read" permissions for Anonymous should be fine. Can anyone confirm that?
Rainer Weinhold
added a comment - This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. ( This can only be a temporarily workaround, there is a reason why anonymous doesn't have this right! )
Since some versions Jenkins supports "api tokens", wouldn't that be a way to go?
Rainer Weinhold
added a comment - This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. ( This can only be a temporarily workaround, there is a reason why anonymous doesn't have this right! )
Since some versions Jenkins supports "api tokens", wouldn't that be a way to go? Rainer Weinhold
added a comment - @Waldek M :
Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to seen anything useful. So from the user perception, the ui seems to "work" but they can't see any projects.
Rainer Weinhold
added a comment - @Waldek M :
Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to seen anything useful. So from the user perception, the ui seems to "work" but they can't see any projects. Matthias Vach
added a comment - Correct, we enforce the login by not offering read permissions to anonymous.
Matthias Vach
added a comment - Correct, we enforce the login by not offering read permissions to anonymous. 
Ciaran Liedeman
added a comment - This issue can be closed
In the latest version of jenkins (1.598) and I'm sure its been there for a while.
You only have to enable slave connect permission for anonymous which will allow JNLP Slaves to connect without affecting the login screen.
Ciaran
Ciaran Liedeman
added a comment - This issue can be closed
In the latest version of jenkins (1.598) and I'm sure its been there for a while.
You only have to enable slave connect permission for anonymous which will allow JNLP Slaves to connect without affecting the login screen.
Ciaran 
Ran into this issue by accidentally removing read permission for Anonymous user. Jenkins access control is managed using Active Directory settings. Windows (Windows Server 2008) slave service wasn't able to load slave-agent.jnlp - same case as stated above, while service itself runs as a privileged user. Expected behavior would be to permit slave service running as a privileged user to connect to master even if anonymous does not have Overall/Read permissions.