Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-12543

CliAuthenticator (username/password) called too late to parse arguments (like job names)

    • Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Minor Minor
    • core
    • Linux AWS, 64 bit

      I am using Jenkins 1.448, with 'Jenkins own user database' and 'Project-
      based Matrix Authorization Strategy'. I am able to get CLI to work as
      anonymous with permissions Overall build, Job read, and Job build enabled using
      the following command:

      java -jar jenkins-cli.jar -s http://my.domain.com:8080/ build -c
      myJobName

      However, when I try to do this as an authenticated user:

      java -jar jenkins-cli.jar -s http://my.domain.com:8080/ build -c
      myJobName --username myUsername --password myPassword

      I get the following error:

      No such job 'myJobName'

      If I however have Build read for anonymous checked, it works even though I have it
      checked for my other username also.

          [JENKINS-12543] CliAuthenticator (username/password) called too late to parse arguments (like job names)

          Daniel Beck added a comment -

          owood FWIW that is not the supported way to trigger a build with parameters. That one's documented on /job/foo/api.

          Daniel Beck added a comment - owood FWIW that is not the supported way to trigger a build with parameters. That one's documented on /job/foo/api.

          Jay Atwork added a comment - - edited

          This issue has broken CLI operation for me. I am using Windows and can not use anonymous read access on Jobs nor curl due to organizational restrictions in our prod environment and we need to be able to run builds via the CLI. I am on Jenkins 1.646, perhaps would updating to a newer version of Jenkins resolve this issue? I doubt it as this issue is still open. Is there a way to get the name of the jobs that the build method needs, since it is not what is provided from list-jobs?

          Jay Atwork added a comment - - edited This issue has broken CLI operation for me. I am using Windows and can not use anonymous read access on Jobs nor curl due to organizational restrictions in our prod environment and we need to be able to run builds via the CLI. I am on Jenkins 1.646, perhaps would updating to a newer version of Jenkins resolve this issue? I doubt it as this issue is still open. Is there a way to get the name of the jobs that the build method needs, since it is not what is provided from list-jobs?

          Heiko Nardmann added a comment - - edited

          I've come across this issue when migrating jobs from one Jenkins (test setup) to another:

          java -jar /opt/jenkins-cli.jar -s http://somehost:8080 list-jobs --username admin --password ...
          

          This works fine and gives e.g.

          JobA
          JobB
          JobC
          

          Now

          java -jar /opt/jenkins-cli.jar -s http://frsgtcshare01:8080 get-job JobA --username admin --password ...
          

          gives

          ERROR: No such job 'JobA'
          

          Or is this issue unrelated? The Jenkins involved is v2.13.

          With anonymous read access enabled get-job works.

          Heiko Nardmann added a comment - - edited I've come across this issue when migrating jobs from one Jenkins (test setup) to another: java -jar /opt/jenkins-cli.jar -s http://somehost:8080 list-jobs --username admin --password ... This works fine and gives e.g. JobA JobB JobC Now java -jar /opt/jenkins-cli.jar -s http://frsgtcshare01:8080 get-job JobA --username admin --password ... gives ERROR: No such job 'JobA' Or is this issue unrelated? The Jenkins involved is v2.13. With anonymous read access enabled get-job works.

          Matthias T added a comment - - edited

          I ran into this issue with Jenkins 2.19.2. Calling aforementioned

          java -jar /opt/jenkins-cli.jar -s http://jenkins-url.com get-job JobA --username admin --password ...
          

          gives the same "No such job" error.

          My workaround was:

          • Install the Extended Read Permission Plugin
          • Global security option "Matrix based security" has to be active
          • Right "Job - Extended Read" has to be activated for user anonymous
          • For "authenticated" users all rights can be activated
          • Use java -jar /opt/jenkins-cli.jar -s http://jenkins-url.com get-job JobA without credentials

          Matthias T added a comment - - edited I ran into this issue with Jenkins 2.19.2. Calling aforementioned java -jar /opt/jenkins-cli.jar -s http: //jenkins-url.com get-job JobA --username admin --password ... gives the same "No such job" error. My workaround was: Install the Extended Read Permission Plugin Global security option "Matrix based security" has to be active Right "Job - Extended Read" has to be activated for user anonymous For "authenticated" users all rights can be activated Use java -jar /opt/jenkins-cli.jar -s http://jenkins-url.com get-job JobA without credentials

          Jesse Glick added a comment -

          Right "Job - Extended Read" has to be activated for user anonymous

          Generally this is dangerous. Do not do this on a public-facing server.

          Jesse Glick added a comment - Right "Job - Extended Read" has to be activated for user anonymous Generally this is dangerous. Do not do this on a public-facing server.

          Jesse Glick added a comment -

          Again: the recommended workaround is to use SSH authentication.

          Jesse Glick added a comment - Again: the recommended workaround is to use SSH authentication.

          Jesse Glick added a comment -

          The situation with CLIRegisterer […] is different, because the MethodBinder list is called after using the authenticator. […] Unfortunately this code creates an authenticator but never configures it!

          FTR this was fixed in JENKINS-23988.

          Jesse Glick added a comment - The situation with CLIRegisterer […] is different, because the MethodBinder list is called after using the authenticator. […] Unfortunately this code creates an authenticator but never configures it! FTR this was fixed in JENKINS-23988 .

          Code changed in jenkins
          User: Jesse Glick
          Path:
          test/src/test/java/hudson/cli/CLIActionTest.java
          http://jenkins-ci.org/commit/jenkins/c2a5d8512356aca5532be83a5444b2f941e72510
          Log:
          Establishing baseline behavior of JENKINS-12543: no workaround when using Remoting transport other than SSH authentication.
          (Verifying that this affects only @Argument in CLICommand, not @CLIMethod.)
          With the new HTTP protocol in JENKINS-41745, API tokens may be used to set a transport authentication.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: test/src/test/java/hudson/cli/CLIActionTest.java http://jenkins-ci.org/commit/jenkins/c2a5d8512356aca5532be83a5444b2f941e72510 Log: Establishing baseline behavior of JENKINS-12543 : no workaround when using Remoting transport other than SSH authentication. (Verifying that this affects only @Argument in CLICommand, not @CLIMethod.) With the new HTTP protocol in JENKINS-41745 , API tokens may be used to set a transport authentication.

          Code changed in jenkins
          User: Jesse Glick
          Path:
          cli/src/main/java/hudson/cli/CLI.java
          cli/src/main/java/hudson/cli/CLIConnectionFactory.java
          cli/src/main/resources/hudson/cli/client/Messages.properties
          core/src/main/java/hudson/cli/CLICommand.java
          core/src/main/java/hudson/cli/ClientAuthenticationCache.java
          core/src/main/java/hudson/cli/LoginCommand.java
          core/src/main/java/hudson/cli/LogoutCommand.java
          core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java
          core/src/main/java/hudson/security/CliAuthenticator.java
          core/src/main/java/hudson/security/SecurityRealm.java
          core/src/main/resources/hudson/cli/Messages.properties
          test/src/test/java/hudson/cli/CLIActionTest.java
          http://jenkins-ci.org/commit/jenkins/12ae48ebb491b4f45ccb40ca8394bca8426f4e64
          Log:
          Deprecating -username/-password and login/logout in favor of new -auth option passing BASIC authentication to /cli endpoint.
          Simpler, does not rely on Remoting, allows use of API tokens, and bypasses JENKINS-12543.
          (You could actually do this before but only by embedding userinfo in the -s URL, especially awkward for usernames containing @.)

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: cli/src/main/java/hudson/cli/CLI.java cli/src/main/java/hudson/cli/CLIConnectionFactory.java cli/src/main/resources/hudson/cli/client/Messages.properties core/src/main/java/hudson/cli/CLICommand.java core/src/main/java/hudson/cli/ClientAuthenticationCache.java core/src/main/java/hudson/cli/LoginCommand.java core/src/main/java/hudson/cli/LogoutCommand.java core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java core/src/main/java/hudson/security/CliAuthenticator.java core/src/main/java/hudson/security/SecurityRealm.java core/src/main/resources/hudson/cli/Messages.properties test/src/test/java/hudson/cli/CLIActionTest.java http://jenkins-ci.org/commit/jenkins/12ae48ebb491b4f45ccb40ca8394bca8426f4e64 Log: Deprecating - username/ -password and login/logout in favor of new -auth option passing BASIC authentication to /cli endpoint. Simpler, does not rely on Remoting, allows use of API tokens, and bypasses JENKINS-12543 . (You could actually do this before but only by embedding userinfo in the -s URL, especially awkward for usernames containing @.)

          Jesse Glick added a comment -

          Only affects deprecated Remoting-based CLI.

          Jesse Glick added a comment - Only affects deprecated Remoting-based CLI.

            Unassigned Unassigned
            mattfair Matt Fair
            Votes:
            15 Vote for this issue
            Watchers:
            31 Start watching this issue

              Created:
              Updated:
              Resolved: