-
Bug
-
Resolution: Fixed
-
Minor
-
None
When using the GitHub Authentication plugin (which doesn't cache credentials) I'm unable to configure permission in such a way to allow users to run the `declarative-linter`.
Via ssh ... declarative-linter the error message is ERROR: joecool is missing the N/A/GenericRead permission
The jenkins-cli jar error is ERROR: Bad Credentials. Search the server log for <long-string> for more details.
From the logs:
Apr 21, 2017 7:56:19 AM hudson.cli.CLICommand main INFO: CLI login attempt failed: <long-string> hudson.security.UserMayOrMayNotExistException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@43274a68: Username: joecool; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated at org.jenkinsci.plugins.GithubSecurityRealm.loadUserByUsername(GithubSecurityRealm.java:577) at hudson.cli.ClientAuthenticationCache.set(ClientAuthenticationCache.java:94) at hudson.cli.LoginCommand.run(LoginCommand.java:37) at hudson.cli.CLICommand.main(CLICommand.java:265) at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:93) at sun.reflect.GeneratedMethodAccessor3429.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:895) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:870) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:829) at hudson.remoting.UserRequest.perform(UserRequest.java:153) at hudson.remoting.UserRequest.perform(UserRequest.java:50) at hudson.remoting.Request$2.run(Request.java:336) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68) at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:64) at hudson.remoting.CallableDecoratorAdapter.call(CallableDecoratorAdapter.java:18) at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21) at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)
Both Anonymous and authenticated users have "Overall" "Read" permissions.
I understand it doesn't cache credentials, so it can't figure out if joecool is in a specific GitHub Org or Org*Team; but I would expect permissions granted to Anonymous or authenticated would work.
- relates to
-
-
- Open
-
-
-
- Resolved
-
[JENKINS-43767] Can't use declarative-linter remotely when using GitHub Authentication
Sam Gleske
added a comment - This behavior should be recently fixed in release 0.27. As a user, generate a personal access token which has read:org and user:email scopes. These scopes are required in order for Jenkins to determine your authorizations from GitHub.
Try executing the following:
java -jar jenkins-cli.jar -s http://localhost:8080/ -noKeyAuth -http -auth samrocketman:[REDACTED personal access token] declarative-linter ...
Let me know how it goes.
Sam Gleske
added a comment - This behavior should be recently fixed in release 0.27. As a user, generate a personal access token which has read:org and user:email scopes. These scopes are required in order for Jenkins to determine your authorizations from GitHub.
Try executing the following:
java -jar jenkins-cli.jar -s http://localhost:8080/ -noKeyAuth -http -auth samrocketman:[REDACTED personal access token] declarative-linter ...
Let me know how it goes. 
I'll check it out once I can work around Sam Gleske
added a comment - Jenkins API tokens are now supported for granting authorities which is a new feature added by https://github.com/jenkinsci/github-oauth-plugin/pull/87. SSH will soon be supported as well but there's still a bug around it tracked by JENKINS-48423.
Sam Gleske
added a comment - Jenkins API tokens are now supported for granting authorities which is a new feature added by https://github.com/jenkinsci/github-oauth-plugin/pull/87 . SSH will soon be supported as well but there's still a bug around it tracked by JENKINS-48423 . Sam Gleske
added a comment - 0.29 has been released. Please try again since a lot of bug fixes were included related to authentication.
Sam Gleske
added a comment - 0.29 has been released. Please try again since a lot of bug fixes were included related to authentication. Sam Gleske
added a comment - Great to hear! Thanks so much for testing and confirming it was fixed for me. This was a big help.
Sam Gleske
added a comment - Great to hear! Thanks so much for testing and confirming it was fixed for me. This was a big help. 
I discovered I can work around it on our Jenkins via:
I found this via https://github.com/jenkinsci/pipeline-model-definition-plugin/wiki/Validating-(or-linting)-a-Declarative-Jenkinsfile-from-the-command-line
I don't know what the `-H` part is doing exactly (something about crumbs?) nor do I know why I don't need it.