
CliAuthenticator (username/password) called too late to parse arguments (like job names)

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Minor
    • Component/s: core
    • Environment: Linux AWS, 64 bit

      I am using Jenkins 1.448, with 'Jenkins own user database' and 'Project-based
      Matrix Authorization Strategy'. I am able to get CLI to work as anonymous with
      permissions Overall build, Job read, and Job build enabled using the following
      command:

      java -jar jenkins-cli.jar -s http://my.domain.com:8080/ build -c myJobName

      However, when I try to do this as an authenticated user:

      java -jar jenkins-cli.jar -s http://my.domain.com:8080/ build -c myJobName --username myUsername --password myPassword

      I get the following error:

      No such job 'myJobName'

      If I however have Build read for anonymous checked, it works even though I have it
      checked for my other username also.

          [JENKINS-12543] CliAuthenticator (username/password) called too late to parse arguments (like job names)

          Matt Fair created issue -

          evernat added a comment -

          Is it reproduced with a recent Jenkins version?


          Richard Scorer added a comment -

          I am still encountering this in Jenkins 1.515

          TGF added a comment -

          I would recommend raising the priority, as this compromises security - it does not make much sense to use the Authorization strategy when we must still enable the read job access to anonymous.
          TGF made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]

          sogabe added a comment -

          Try to enable "Job discover" to the user.


          Richard Scorer added a comment -

          All available access is given to the user; in order to run anything from the command line I have to give specific access to the anonymous user.

          Jesse Glick added a comment -

          JENKINS-14745 fixed a bug whereby no authentication was available, ever, while parsing CLI arguments such as job names. That fix worked for SSH authentication (-i …), which sets a transport authentication, but did not help with a CLIAuthenticator like --username … --password …. Meaning that unless the anonymous user can see your jobs (or computers, etc.), the command cannot be run.

          This is because CLICommand.main first sets the transport authentication, if any; then parses arguments, including both authenticator arguments like --username and specific command arguments; then asks the authenticator for its authentication, if any (also uses stored authentication from login here); then checks Overall/Read; and finally runs the command. But the parsing of regular command arguments (for e.g. get-job) often needs to be done while authenticated.

          The situation with CLIRegisterer, used by commands defined implicitly with @CLIMethod (like disable-job), is different, because the MethodBinder list is called after using the authenticator. So SSH authentication worked fine without any special help from JENKINS-14745. Unfortunately this code creates an authenticator but never configures it! So it always falls back to using transport authentication—and thus suffers from identical symptoms as regular CLI commands, though for a completely different reason.

          Jesse Glick made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: cli [ 15624 ]
          Labels New: cli security
          Priority Original: Major [ 3 ] New: Critical [ 2 ]
          Summary Original: CLI permissions New: CliAuthenticator (username/password) called too late to parse arguments (like job names)
          Jesse Glick made changes -
          Link New: This issue is blocking JENKINS-14745 [ JENKINS-14745 ]
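
The call order described in Jesse Glick's comment above, as an added example: a simplified Java model, not Jenkins source and not code from this issue thread. The class, its helpers (`canRead`, `authenticate`, `splitAuthOptions`, `run`) and the sample users and ACL are hypothetical, and the argument list models only the command's own arguments.

```java
import java.util.*;
// Simplified model of the ordering described in the comment; not Jenkins source.
public class CliAuthOrderDemo {
    // Constructed data: only myUsername may read myJobName; anonymous sees nothing.
    static final Map<String, Set<String>> JOB_READERS = Map.of("myJobName", Set.of("myUsername"));
    static final Map<String, String> PASSWORDS = Map.of("myUsername", "myPassword");

    // Permission-filtered lookup: a job the caller cannot read looks nonexistent.
    static boolean canRead(String job, String principal) {
        return JOB_READERS.getOrDefault(job, Set.of()).contains(principal);
    }

    // Stand-in for the authenticator: valid credentials win, else the transport identity.
    static String authenticate(Map<String, String> opts, String transport) {
        String user = opts.get("--username");
        boolean ok = user != null && Objects.equals(PASSWORDS.get(user), opts.get("--password"));
        return ok ? user : transport;
    }

    // Moves "--username X" / "--password Y" pairs out of argv; the rest are command arguments.
    static Map<String, String> splitAuthOptions(List<String> argv, List<String> rest) {
        Map<String, String> opts = new HashMap<>();
        for (int i = 0; i < argv.size(); i++) {
            String a = argv.get(i);
            if ((a.equals("--username") || a.equals("--password")) && i + 1 < argv.size())
                opts.put(a, argv.get(++i));
            else rest.add(a);
        }
        return opts;
    }

    // authenticateFirst=false follows the described order; true consults the authenticator first.
    static String run(List<String> argv, String transport, boolean authenticateFirst) {
        List<String> rest = new ArrayList<>();
        Map<String, String> opts = splitAuthOptions(argv, rest);
        // In the described order the job name is resolved under the transport identity only.
        String resolver = authenticateFirst ? authenticate(opts, transport) : transport;
        String job = rest.isEmpty() ? "" : rest.get(0);
        if (!canRead(job, resolver)) return "No such job '" + job + "'";
        return authenticate(opts, transport) + " builds " + job;
    }

    public static void main(String[] args) {
        List<String> argv = List.of("myJobName", "--username", "myUsername", "--password", "myPassword");
        System.out.println(run(argv, "anonymous", false));                  // password auth, described order
        System.out.println(run(List.of("myJobName"), "myUsername", false)); // transport (SSH-style) identity
        System.out.println(run(argv, "anonymous", true));                   // authenticator consulted before lookup
    }
}
```

In this model the username/password call is rejected at the job lookup even though the credentials are valid, so granting read access to anonymous only hides the ordering problem instead of fixing it.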

            Assignee: Unassigned
            Reporter: Matt Fair (mattfair)
            Votes: 15
            Watchers: 31
