-
Bug
-
Resolution: Cannot Reproduce
-
Minor
-
Jenkins version : 2.46.2
Plugins installed:
docker-build-publish - 1.3.2
workflow-api - 2.12
structs - 1.6
multiple-scms - 0.6
github-api - 1.85
startup-trigger-plugin - 2.8
was-builder - 1.6.1
plain-credentials - 1.4
ws-cleanup - 0.32
ldap - 1.14
job-import-plugin - 1.6
workflow-multibranch - 2.9.2
emailext-template - 1.0
docker-plugin - 0.16.2
workflow-basic-steps - 2.4
token-macro - 2.0
bouncycastle-api - 2.16.0
jquery - 1.11.2-0
ssh-agent - 1.14
pipeline-build-step - 2.4
rad-builder - 1.1.4
workflow-support - 2.13
workflow-cps - 2.24
translation - 1.15
build-user-vars-plugin - 1.5
git - 3.0.1
mask-passwords - 2.8
gitlab-hook - 1.4.2
cobertura - 1.9.8
ivy - 1.27.1
git-client - 2.3.0
build-pipeline-plugin - 1.5.6
saferestart - 0.3
powershell - 1.3
git-server - 1.7
ruby-runtime - 0.13
conditional-buildstep - 1.3.5
pam-auth - 1.3
mail-watcher-plugin - 1.16
prometheus - 1.0.6
ownership - 0.9.1
yet-another-docker-plugin - 0.1.0-rc33
cloud-stats - 0.12
analysis-core - 1.86
kubernetes - 0.11
jacoco - 2.1.0
matrix-auth - 1.4
durable-task - 1.13
handlebars - 1.1.1
metrics - 3.1.2.9
pipeline-rest-api - 2.6
windows-slaves - 1.2
checkstyle - 3.48
mapdb-api - 1.0.9.0
docker-workflow - 1.9.1
workflow-durable-task-step - 2.10
credentials - 2.1.13
junit - 1.20
hidden-parameter - 0.0.4
throttle-concurrents - 1.9.0
momentjs - 1.1.1
email-ext - 2.57
config-autorefresh-plugin - 1.0
log-parser - 2.0
github-branch-source - 1.10.1
scm-api - 1.3
pipeline-stage-view - 2.6
lsf-cloud - 1.11
config-file-provider - 2.15.6
analysis-collector - 1.50
backup - 1.6.1
monitoring - 1.65.1
github - 1.25.1
mailer - 1.19
workflow-job - 2.10
last-changes - 1.0.5
audit-trail - 2.2
ant - 1.4
icon-shim - 2.0.3
run-condition - 1.0
nodejs - 1.1.2
ssh-credentials - 1.13
authentication-tokens - 1.3
artifactory - 2.9.2
ace-editor - 1.1
matrix-project - 1.8
antisamy-markup-formatter - 1.5
external-monitor-job - 1.7
job-restrictions - 0.6
docker-commons - 1.6
maven-plugin - 2.15.1
cvs - 2.13
jobConfigHistory - 2.15
exclusive-execution - 0.8
javadoc - 1.4
role-strategy - 2.3.2
resource-disposer - 0.6
pipeline-graph-analysis - 1.3
sitemonitor - 0.5
pipeline-stage-step - 2.2
copyartifact - 1.38.1
gradle - 1.26
ssh-slaves - 1.13
github-organization-folder - 1.5
workflow-aggregator - 2.4
parameterized-trigger - 2.33
workflow-scm-step - 2.4
managed-scripts - 1.3
branch-api - 1.11.1
jackson2-api - 2.7.3
workflow-step-api - 2.9
slack - 2.2
script-security - 1.27
cloudbees-folder - 6.0.2
copy-to-slave - 1.4.4
xcode-plugin - 1.4.11
groovy - 1.30
jquery-detached - 1.2.1
pipeline-input-step - 2.5
subversion - 2.7.1
display-url-api - 1.1.1
test-results-analyzer - 0.3.4
pipeline-milestone-step - 1.3
docker-custom-build-environment - 1.6.5
workflow-cps-global-lib - 2.5
OS: Ubuntu 14.04.3
Jenkins version : 2.46.2 Plugins installed: docker-build-publish - 1.3.2 workflow-api - 2.12 structs - 1.6 multiple-scms - 0.6 github-api - 1.85 startup-trigger-plugin - 2.8 was-builder - 1.6.1 plain-credentials - 1.4 ws-cleanup - 0.32 ldap - 1.14 job-import-plugin - 1.6 workflow-multibranch - 2.9.2 emailext-template - 1.0 docker-plugin - 0.16.2 workflow-basic-steps - 2.4 token-macro - 2.0 bouncycastle-api - 2.16.0 jquery - 1.11.2-0 ssh-agent - 1.14 pipeline-build-step - 2.4 rad-builder - 1.1.4 workflow-support - 2.13 workflow-cps - 2.24 translation - 1.15 build-user-vars-plugin - 1.5 git - 3.0.1 mask-passwords - 2.8 gitlab-hook - 1.4.2 cobertura - 1.9.8 ivy - 1.27.1 git-client - 2.3.0 build-pipeline-plugin - 1.5.6 saferestart - 0.3 powershell - 1.3 git-server - 1.7 ruby-runtime - 0.13 conditional-buildstep - 1.3.5 pam-auth - 1.3 mail-watcher-plugin - 1.16 prometheus - 1.0.6 ownership - 0.9.1 yet-another-docker-plugin - 0.1.0-rc33 cloud-stats - 0.12 analysis-core - 1.86 kubernetes - 0.11 jacoco - 2.1.0 matrix-auth - 1.4 durable-task - 1.13 handlebars - 1.1.1 metrics - 3.1.2.9 pipeline-rest-api - 2.6 windows-slaves - 1.2 checkstyle - 3.48 mapdb-api - 1.0.9.0 docker-workflow - 1.9.1 workflow-durable-task-step - 2.10 credentials - 2.1.13 junit - 1.20 hidden-parameter - 0.0.4 throttle-concurrents - 1.9.0 momentjs - 1.1.1 email-ext - 2.57 config-autorefresh-plugin - 1.0 log-parser - 2.0 github-branch-source - 1.10.1 scm-api - 1.3 pipeline-stage-view - 2.6 lsf-cloud - 1.11 config-file-provider - 2.15.6 analysis-collector - 1.50 backup - 1.6.1 monitoring - 1.65.1 github - 1.25.1 mailer - 1.19 workflow-job - 2.10 last-changes - 1.0.5 audit-trail - 2.2 ant - 1.4 icon-shim - 2.0.3 run-condition - 1.0 nodejs - 1.1.2 ssh-credentials - 1.13 authentication-tokens - 1.3 artifactory - 2.9.2 ace-editor - 1.1 matrix-project - 1.8 antisamy-markup-formatter - 1.5 external-monitor-job - 1.7 job-restrictions - 0.6 docker-commons - 1.6 maven-plugin - 2.15.1 cvs - 2.13 jobConfigHistory - 2.15 exclusive-execution - 0.8 javadoc - 1.4 role-strategy - 2.3.2 resource-disposer - 0.6 pipeline-graph-analysis - 1.3 sitemonitor - 0.5 pipeline-stage-step - 2.2 copyartifact - 1.38.1 gradle - 1.26 ssh-slaves - 1.13 github-organization-folder - 1.5 workflow-aggregator - 2.4 parameterized-trigger - 2.33 workflow-scm-step - 2.4 managed-scripts - 1.3 branch-api - 1.11.1 jackson2-api - 2.7.3 workflow-step-api - 2.9 slack - 2.2 script-security - 1.27 cloudbees-folder - 6.0.2 copy-to-slave - 1.4.4 xcode-plugin - 1.4.11 groovy - 1.30 jquery-detached - 1.2.1 pipeline-input-step - 2.5 subversion - 2.7.1 display-url-api - 1.1.1 test-results-analyzer - 0.3.4 pipeline-milestone-step - 1.3 docker-custom-build-environment - 1.6.5 workflow-cps-global-lib - 2.5 OS: Ubuntu 14.04.3
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works.
Detail:
I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create.
We received a request to download Maven artifacts via curl/wget from a certain project Folder.
All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg.
The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg .
However, when a person from that project tries to access the REST API with his token, he receives the following error:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason:
<pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
And if he tries the same with his LDAP password, the call succeeds.
When I added the Job/Read permission as a Global permission, it also succeeded.
Any ideas?
[JENKINS-45479] API tokens and Job/Read permission issue
Bhavic Patel
added a comment - We'd had a similar issue today - But slightly different I think, we assigned the user permissions, but using the token, it couldn't access anything using a curl call. We had to add the group the user is part of (from LDAP), and then it worked. Bit of an issue with this as we only wanted this specific account to have access and not a whole range of accounts in this group.
Would get the below error, giving global read permission didn't seem to work
Access Denied <accountname> is missing the Overall/Read permission"
Bhavic Patel
added a comment - We'd had a similar issue today - But slightly different I think, we assigned the user permissions, but using the token, it couldn't access anything using a curl call. We had to add the group the user is part of (from LDAP), and then it worked. Bit of an issue with this as we only wanted this specific account to have access and not a whole range of accounts in this group.
Would get the below error, giving global read permission didn't seem to work
Access Denied
<accountname> is missing the Overall/Read permission"
Could you please check it with another Authorization Strategy? I doubt it is a Role Strategy issue, but it may be an issue in the core