Jenkins / JENKINS-11149

JNLP slave fails to connect if Anonymous has not permission READ


Details

    Description

      Hi all,
      I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
      If user Anonymous doesn't have READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.

      The jenkins-slave.xml contains
      ------------------------------------------------------------------------------------
      <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
      ------------------------------------------------------------------------------------

      The tomcat-users.xml contains
      ------------------------------------------------------------------------------------
      <tomcat-users>
      <role rolename="admin"/>
      <role rolename="manager"/>
      <user username="abcd" password="efgh" roles="admin,manager"/>
      </tomcat-users>
      ------------------------------------------------------------------------------------

      The jenkins-slave.err.log contains
      ------------------------------------------------------------------------------------
      Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
      java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
      at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
      at hudson.remoting.Launcher.run(Launcher.java:190)
      at hudson.remoting.Launcher.main(Launcher.java:166)
      Waiting 10 seconds before retry
      ------------------------------------------------------------------------------------

      The tomcat's localhost.2011-xx-xx.log contains
      ------------------------------------------------------------------------------------
      SEVERE: Servlet.service() for servlet Stapler threw exception
      hudson.security.AccessDeniedException2: anonymous is missing the Read permission
      at hudson.security.ACL.checkPermission(ACL.java:53)
      at hudson.model.Node.checkPermission(Node.java:363)
      at hudson.model.Hudson.getTarget(Hudson.java:3538)
      ...
      ------------------------------------------------------------------------------------

      The setup is as follows:
      ------------------------------------------------------------------------------------
      OS: Windows 7
      Tomcat: 6.0.33
      Jenkins: 1.4.10 (also not working with 1.4.31)
      JDK: 1.6.27
      Security Realm: Matrix based Security is enabled
      Authorization: Delegate to servlet container

      permissions of user abcd: Overall Read, Overall Administer
      permissions of user Anonymous: none
      ------------------------------------------------------------------------------------

        Activity

          rainerw Rainer Weinhold added a comment -

          This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. (This can only be a temporary workaround, there is a reason why anonymous doesn't have this right!)

          Since some versions Jenkins supports "api tokens", wouldn't that be a way to go?

          rainerw Rainer Weinhold added a comment -

          @Waldek M :

          Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to see anything useful. So from the user perception, the ui seems to "work" but they can't see any projects.

          matthias_vach Matthias Vach added a comment -

          Correct, we enforce the login by not offering read permissions to anonymous.

          oleg_nenashev Oleg Nenashev added a comment -

          Nothing to do in slave-setup


          cliedeman Ciaran Liedeman added a comment -

          This issue can be closed

          In the latest version of jenkins (1.598) and I'm sure it's been there for a while.

          You only have to enable slave connect permission for anonymous which will allow JNLP Slaves to connect without affecting the login screen.

          Ciaran
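
An added example, not part of the original issue or of Jenkins itself: a check over a Jenkins `config.xml` that tells the workaround discussed above (Overall/Read granted to anonymous) apart from the connect-only grant described in the last comment. The permission ids, the `<permission>id:sid</permission>` layout, the optional `USER:`/`GROUP:` prefix and both sample configs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed permission ids ("<owner class>.<name>"); they do not appear in the thread.
OVERALL_READ = "hudson.model.Hudson.Read"
AGENT_CONNECT = "hudson.model.Computer.Connect"

# Constructed sample: the "enable global read" workaround from the comments.
WORKAROUND_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:abcd</permission>
    <permission>hudson.model.Hudson.Read:abcd</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

# Constructed sample: anonymous may only connect agents.
SCOPED_CONFIG = WORKAROUND_CONFIG.replace(
    "hudson.model.Hudson.Read:anonymous",
    "USER:hudson.model.Computer.Connect:anonymous")

def anonymous_grants(config_xml):
    """Return the set of permission ids granted to the anonymous sid."""
    # Drop the XML declaration: Python's parser rejects an XML 1.1 prolog.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    grants = set()
    for node in ET.fromstring(body).iter("permission"):
        entry = (node.text or "").strip()
        for prefix in ("USER:", "GROUP:"):  # assumed newer entry format
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
        perm, sep, sid = entry.rpartition(":")
        if sep and sid.lower() == "anonymous":
            grants.add(perm)
    return grants

def audit(config_xml):
    """List findings; an empty list means anonymous holds at most agent connect."""
    grants = anonymous_grants(config_xml)
    findings = []
    if OVERALL_READ in grants:
        findings.append("anonymous has Overall/Read: login is no longer enforced")
    for perm in sorted(grants - {OVERALL_READ, AGENT_CONNECT}):
        findings.append("anonymous has unexpected permission " + perm)
    return findings

if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND_CONFIG), ("scoped", SCOPED_CONFIG)):
        print(name, audit(cfg) or "ok")
```
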

          People

            abayer Andrew Bayer
            matthias_vach Matthias Vach
            Votes: 14
            Watchers: 18
