[JENKINS-43822] Jenkins-cli seems to not support anything different from Github token

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: github-oauth-plugin
Labels:
None
Environment:
github-oauth-plugin 0.26
matrix-auth-plugin 1.5

Similar Issues:
Powered by SuggestiMate

Show

Documentation at https://wiki.jenkins-ci.org/display/JENKINS/GitHub+OAuth+Plugin#GitHubOAuthPlugin-CallingJenkinsAPIusingGitHubPersonalAccessTokens says:

One can still call the Jenkins API by using Jenkins tokens or use the Jenkins CLI with an SSH key for authentication. However, the GitHub OAuth plugin provides another way to call the Jenkins API by allowing the use of a GitHub Personal Access Token.

However, I cannot make SSH authentication work (by adding SSH keys to the users being created by the extension) nor Jenkins tokens work (by using the tokens from their profiles).
The only authentication option seems to be:

java -jar /usr/local/bin/jenkins-cli.jar -s https://jenkins -noKeyAuth who-am-i --username elife-alfred-user --password my_github_token

Is the documentation outdated or is it a regression?

is related to

JENKINS-27045 Cannot use jenkins-cli with github oauth plugin

Resolved

relates to

JENKINS-44020 non-github accounts can't be used via jenkins-cli or REST APIs

Resolved

JENKINS-43767 Can't use declarative-linter remotely when using GitHub Authentication

Resolved

Aaron Bull Schaefer added a comment - 2017-04-28 14:29

If you're running Jenkins v2.54+, the easiest test would be to generate an API token on any user (https://jenkins.example.com/me/configure) and run the who-am-i command. Let's say that user is elasticdog and the token is 9654e454df796c020800492838f2c823. Then (if you adjust the paths to java and jenkins-cli.jar and the server address accordingly):

java -jar jenkins-cli.jar -s https://jenkins.example.com/ -http -auth elasticdog:9654e454df796c020800492838f2c823 who-am-i

...you would expect to see the proper auth output:

Authenticated as: elasticdog
Authorities:
authenticated

However, if you're running the latest version of the plugin (v0.26), you'll always see this:

Authenticated as: anonymous
Authorities:
anonymous

Revert back to v0.25 and you do get the expected output. Does that help?

Aaron Bull Schaefer added a comment - 2017-04-28 14:29 If you're running Jenkins v2.54+, the easiest test would be to generate an API token on any user ( https://jenkins.example.com/me/configure ) and run the who-am-i command. Let's say that user is elasticdog and the token is 9654e454df796c020800492838f2c823 . Then (if you adjust the paths to java and jenkins-cli.jar and the server address accordingly): java -jar jenkins-cli.jar -s https://jenkins.example.com/ -http -auth elasticdog:9654e454df796c020800492838f2c823 who-am-i ...you would expect to see the proper auth output: Authenticated as: elasticdog Authorities: authenticated However, if you're running the latest version of the plugin (v0.26), you'll always see this: Authenticated as: anonymous Authorities: anonymous Revert back to v0.25 and you do get the expected output. Does that help?

Jake Gage added a comment - 2017-04-28 15:45 - edited

Similar to the above with the -i flag

java -jar jenkins-cli.jar -s http://localhost:8080 -i /etc/jenkins/admin/id_rsa who-am-i

Where the id_rsa file is a public key for a local (not GHE) admin user.

Jake Gage added a comment - 2017-04-28 15:45 - edited Similar to the above with the -i flag java -jar jenkins-cli.jar -s http://localhost:8080 -i /etc/jenkins/admin/id_rsa who-am-i Where the id_rsa file is a public key for a local (not GHE) admin user.

Aaron Bull Schaefer added a comment - 2017-04-28 17:04

The -i flag like Jake shows is what we used prior to Jenkins v2.54, which changed a few things. I think that command will still work if you explicitly use the deprecated -remoting auth method, but the newer syntax is slightly different. Also, Jenkins no longer enables the internal Apache SSH server by default, so if you want to test that, you have to manually enable it, and then use the newer ssh syntax:

java -jar jenkins-cli.jar -s http://localhost:8080 -i /etc/jenkins/admin/id_rsa -ssh -user elasticdog who-am-i

...so the username is no longer inferred (you must be explicit) and you also have to say you're using the ssh client authentication method. That should show the same behavior as long as you're defined an SSH public key on the user's configuration (similar to what you do to set an API token).

Aaron Bull Schaefer added a comment - 2017-04-28 17:04 The -i flag like Jake shows is what we used prior to Jenkins v2.54, which changed a few things. I think that command will still work if you explicitly use the deprecated -remoting auth method, but the newer syntax is slightly different. Also, Jenkins no longer enables the internal Apache SSH server by default, so if you want to test that, you have to manually enable it, and then use the newer ssh syntax: java -jar jenkins-cli.jar -s http://localhost:8080 -i /etc/jenkins/admin/id_rsa -ssh -user elasticdog who-am-i ...so the username is no longer inferred (you must be explicit) and you also have to say you're using the ssh client authentication method. That should show the same behavior as long as you're defined an SSH public key on the user's configuration (similar to what you do to set an API token).

Sam Gleske added a comment - 2017-04-29 00:08

Thanks for the feedback. I'll see if I can resolve it.

FWIW here's using -username and -pasword options:

$ java -jar jenkins-cli.jar -s http://localhost:8080/ -noKeyAuth who-am-i --username samrocketman --password [REDACTED personal access token]
Authenticated as: samrocketman
Authorities:
  authenticated
  jenkinsci
  jenkinsci*Everyone
  sandscape
  kata-seeds
  kata-seeds*Groovy
  Gitorious-backup
  Gitorious-backup*Owners
  gimp-ci
  gimp-ci*developers

Sam Gleske added a comment - 2017-04-29 00:08 Thanks for the feedback. I'll see if I can resolve it. FWIW here's using - username and -pasword options: $ java -jar jenkins-cli.jar -s http://localhost:8080/ -noKeyAuth who-am-i --username samrocketman --password [REDACTED personal access token] Authenticated as: samrocketman Authorities: authenticated jenkinsci jenkinsci*Everyone sandscape kata-seeds kata-seeds*Groovy Gitorious-backup Gitorious-backup*Owners gimp-ci gimp-ci*developers

Sam Gleske added a comment - 2017-04-29 00:20

I understand the fix. Patch incoming.

Sam Gleske added a comment - 2017-04-29 00:20 I understand the fix. Patch incoming.

SCM/JIRA link daemon added a comment - 2017-04-29 00:21

Code changed in jenkins
User: Sam Gleske
Path:
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
http://jenkins-ci.org/commit/github-oauth-plugin/4690bfb6ce3989c940f5dd5f93dfc1ef315ea5de
Log:
~~JENKINS-43822~~ Fix Jenkins CLI transport auth

This fixes using authentication in the following ways using HTTP
transport auth and SSH authentication.

SCM/JIRA link daemon added a comment - 2017-04-29 00:21 Code changed in jenkins User: Sam Gleske Path: src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java http://jenkins-ci.org/commit/github-oauth-plugin/4690bfb6ce3989c940f5dd5f93dfc1ef315ea5de Log: JENKINS-43822 Fix Jenkins CLI transport auth This fixes using authentication in the following ways using HTTP transport auth and SSH authentication.

Sam Gleske added a comment - 2017-04-29 00:26

Please review my PR.

https://github.com/jenkinsci/github-oauth-plugin/pull/83

I tested it locally and it resolved the issue for both cases presented.

Sam Gleske added a comment - 2017-04-29 00:26 Please review my PR. https://github.com/jenkinsci/github-oauth-plugin/pull/83 I tested it locally and it resolved the issue for both cases presented.

SCM/JIRA link daemon added a comment - 2017-04-29 00:53

Code changed in jenkins
User: Sam Gleske
Path:
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
http://jenkins-ci.org/commit/github-oauth-plugin/8d7c27e2f4808d54aaaa4f8f5f3b732bb634ffba
Log:
~~JENKINS-43822~~ Fix Jenkins CLI transport auth

This fixes using authentication in the following ways using HTTP
transport auth and SSH authentication.

SCM/JIRA link daemon added a comment - 2017-04-29 00:53 Code changed in jenkins User: Sam Gleske Path: src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java http://jenkins-ci.org/commit/github-oauth-plugin/8d7c27e2f4808d54aaaa4f8f5f3b732bb634ffba Log: JENKINS-43822 Fix Jenkins CLI transport auth This fixes using authentication in the following ways using HTTP transport auth and SSH authentication.

SCM/JIRA link daemon added a comment - 2017-05-02 03:53

Code changed in jenkins
User: Sam Gleske
Path:
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
http://jenkins-ci.org/commit/github-oauth-plugin/72075ba852186552e2779e59fa65e34d5a93edd4
Log:
Merge pull request #83 from jenkinsci/fix-transport-auth

~~JENKINS-43822~~ Fix Jenkins CLI transport auth

Compare: https://github.com/jenkinsci/github-oauth-plugin/compare/05313d07327f...72075ba85218

SCM/JIRA link daemon added a comment - 2017-05-02 03:53 Code changed in jenkins User: Sam Gleske Path: src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java http://jenkins-ci.org/commit/github-oauth-plugin/72075ba852186552e2779e59fa65e34d5a93edd4 Log: Merge pull request #83 from jenkinsci/fix-transport-auth JENKINS-43822 Fix Jenkins CLI transport auth Compare: https://github.com/jenkinsci/github-oauth-plugin/compare/05313d07327f...72075ba85218

Sam Gleske added a comment - 2017-05-02 04:35

0.27 released https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.27/github-oauth-0.27.hpi

Sam Gleske added a comment - 2017-05-02 04:35 0.27 released https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/github-oauth/0.27/github-oauth-0.27.hpi

Assignee:: Sam Gleske

Reporter:: Giorgio Sironi

Votes:: 3 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2017-04-25 12:58

Updated:: 2017-07-08 16:42

Resolved:: 2017-05-02 04:35

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Aaron Bull Schaefer added a comment - 2017-04-28 14:29

Expand comment: Aaron Bull Schaefer added a comment - 2017-04-28 14:29

Collapse comment: Jake Gage added a comment - 2017-04-28 15:45, Edited by Jake Gage - 2017-04-28 15:48

Expand comment: Jake Gage added a comment - 2017-04-28 15:45, Edited by Jake Gage - 2017-04-28 15:48

Collapse comment: Aaron Bull Schaefer added a comment - 2017-04-28 17:04

Expand comment: Aaron Bull Schaefer added a comment - 2017-04-28 17:04

Collapse comment: Sam Gleske added a comment - 2017-04-29 00:08

Expand comment: Sam Gleske added a comment - 2017-04-29 00:08

Collapse comment: Sam Gleske added a comment - 2017-04-29 00:20

Expand comment: Sam Gleske added a comment - 2017-04-29 00:20

Collapse comment: SCM/JIRA link daemon added a comment - 2017-04-29 00:21

Expand comment: SCM/JIRA link daemon added a comment - 2017-04-29 00:21

Collapse comment: Sam Gleske added a comment - 2017-04-29 00:26

Expand comment: Sam Gleske added a comment - 2017-04-29 00:26

Collapse comment: SCM/JIRA link daemon added a comment - 2017-04-29 00:53

Expand comment: SCM/JIRA link daemon added a comment - 2017-04-29 00:53

Collapse comment: SCM/JIRA link daemon added a comment - 2017-05-02 03:53

Expand comment: SCM/JIRA link daemon added a comment - 2017-05-02 03:53

Collapse comment: Sam Gleske added a comment - 2017-05-02 04:35

Expand comment: Sam Gleske added a comment - 2017-05-02 04:35

People

Dates