-
Bug
-
Resolution: Cannot Reproduce
-
Minor
-
Jenkins version : 2.46.2
Plugins installed:
docker-build-publish - 1.3.2
workflow-api - 2.12
structs - 1.6
multiple-scms - 0.6
github-api - 1.85
startup-trigger-plugin - 2.8
was-builder - 1.6.1
plain-credentials - 1.4
ws-cleanup - 0.32
ldap - 1.14
job-import-plugin - 1.6
workflow-multibranch - 2.9.2
emailext-template - 1.0
docker-plugin - 0.16.2
workflow-basic-steps - 2.4
token-macro - 2.0
bouncycastle-api - 2.16.0
jquery - 1.11.2-0
ssh-agent - 1.14
pipeline-build-step - 2.4
rad-builder - 1.1.4
workflow-support - 2.13
workflow-cps - 2.24
translation - 1.15
build-user-vars-plugin - 1.5
git - 3.0.1
mask-passwords - 2.8
gitlab-hook - 1.4.2
cobertura - 1.9.8
ivy - 1.27.1
git-client - 2.3.0
build-pipeline-plugin - 1.5.6
saferestart - 0.3
powershell - 1.3
git-server - 1.7
ruby-runtime - 0.13
conditional-buildstep - 1.3.5
pam-auth - 1.3
mail-watcher-plugin - 1.16
prometheus - 1.0.6
ownership - 0.9.1
yet-another-docker-plugin - 0.1.0-rc33
cloud-stats - 0.12
analysis-core - 1.86
kubernetes - 0.11
jacoco - 2.1.0
matrix-auth - 1.4
durable-task - 1.13
handlebars - 1.1.1
metrics - 3.1.2.9
pipeline-rest-api - 2.6
windows-slaves - 1.2
checkstyle - 3.48
mapdb-api - 1.0.9.0
docker-workflow - 1.9.1
workflow-durable-task-step - 2.10
credentials - 2.1.13
junit - 1.20
hidden-parameter - 0.0.4
throttle-concurrents - 1.9.0
momentjs - 1.1.1
email-ext - 2.57
config-autorefresh-plugin - 1.0
log-parser - 2.0
github-branch-source - 1.10.1
scm-api - 1.3
pipeline-stage-view - 2.6
lsf-cloud - 1.11
config-file-provider - 2.15.6
analysis-collector - 1.50
backup - 1.6.1
monitoring - 1.65.1
github - 1.25.1
mailer - 1.19
workflow-job - 2.10
last-changes - 1.0.5
audit-trail - 2.2
ant - 1.4
icon-shim - 2.0.3
run-condition - 1.0
nodejs - 1.1.2
ssh-credentials - 1.13
authentication-tokens - 1.3
artifactory - 2.9.2
ace-editor - 1.1
matrix-project - 1.8
antisamy-markup-formatter - 1.5
external-monitor-job - 1.7
job-restrictions - 0.6
docker-commons - 1.6
maven-plugin - 2.15.1
cvs - 2.13
jobConfigHistory - 2.15
exclusive-execution - 0.8
javadoc - 1.4
role-strategy - 2.3.2
resource-disposer - 0.6
pipeline-graph-analysis - 1.3
sitemonitor - 0.5
pipeline-stage-step - 2.2
copyartifact - 1.38.1
gradle - 1.26
ssh-slaves - 1.13
github-organization-folder - 1.5
workflow-aggregator - 2.4
parameterized-trigger - 2.33
workflow-scm-step - 2.4
managed-scripts - 1.3
branch-api - 1.11.1
jackson2-api - 2.7.3
workflow-step-api - 2.9
slack - 2.2
script-security - 1.27
cloudbees-folder - 6.0.2
copy-to-slave - 1.4.4
xcode-plugin - 1.4.11
groovy - 1.30
jquery-detached - 1.2.1
pipeline-input-step - 2.5
subversion - 2.7.1
display-url-api - 1.1.1
test-results-analyzer - 0.3.4
pipeline-milestone-step - 1.3
docker-custom-build-environment - 1.6.5
workflow-cps-global-lib - 2.5
OS: Ubuntu 14.04.3
Jenkins version : 2.46.2 Plugins installed: docker-build-publish - 1.3.2 workflow-api - 2.12 structs - 1.6 multiple-scms - 0.6 github-api - 1.85 startup-trigger-plugin - 2.8 was-builder - 1.6.1 plain-credentials - 1.4 ws-cleanup - 0.32 ldap - 1.14 job-import-plugin - 1.6 workflow-multibranch - 2.9.2 emailext-template - 1.0 docker-plugin - 0.16.2 workflow-basic-steps - 2.4 token-macro - 2.0 bouncycastle-api - 2.16.0 jquery - 1.11.2-0 ssh-agent - 1.14 pipeline-build-step - 2.4 rad-builder - 1.1.4 workflow-support - 2.13 workflow-cps - 2.24 translation - 1.15 build-user-vars-plugin - 1.5 git - 3.0.1 mask-passwords - 2.8 gitlab-hook - 1.4.2 cobertura - 1.9.8 ivy - 1.27.1 git-client - 2.3.0 build-pipeline-plugin - 1.5.6 saferestart - 0.3 powershell - 1.3 git-server - 1.7 ruby-runtime - 0.13 conditional-buildstep - 1.3.5 pam-auth - 1.3 mail-watcher-plugin - 1.16 prometheus - 1.0.6 ownership - 0.9.1 yet-another-docker-plugin - 0.1.0-rc33 cloud-stats - 0.12 analysis-core - 1.86 kubernetes - 0.11 jacoco - 2.1.0 matrix-auth - 1.4 durable-task - 1.13 handlebars - 1.1.1 metrics - 3.1.2.9 pipeline-rest-api - 2.6 windows-slaves - 1.2 checkstyle - 3.48 mapdb-api - 1.0.9.0 docker-workflow - 1.9.1 workflow-durable-task-step - 2.10 credentials - 2.1.13 junit - 1.20 hidden-parameter - 0.0.4 throttle-concurrents - 1.9.0 momentjs - 1.1.1 email-ext - 2.57 config-autorefresh-plugin - 1.0 log-parser - 2.0 github-branch-source - 1.10.1 scm-api - 1.3 pipeline-stage-view - 2.6 lsf-cloud - 1.11 config-file-provider - 2.15.6 analysis-collector - 1.50 backup - 1.6.1 monitoring - 1.65.1 github - 1.25.1 mailer - 1.19 workflow-job - 2.10 last-changes - 1.0.5 audit-trail - 2.2 ant - 1.4 icon-shim - 2.0.3 run-condition - 1.0 nodejs - 1.1.2 ssh-credentials - 1.13 authentication-tokens - 1.3 artifactory - 2.9.2 ace-editor - 1.1 matrix-project - 1.8 antisamy-markup-formatter - 1.5 external-monitor-job - 1.7 job-restrictions - 0.6 docker-commons - 1.6 maven-plugin - 2.15.1 cvs - 2.13 jobConfigHistory - 2.15 exclusive-execution - 0.8 javadoc - 1.4 role-strategy - 2.3.2 resource-disposer - 0.6 pipeline-graph-analysis - 1.3 sitemonitor - 0.5 pipeline-stage-step - 2.2 copyartifact - 1.38.1 gradle - 1.26 ssh-slaves - 1.13 github-organization-folder - 1.5 workflow-aggregator - 2.4 parameterized-trigger - 2.33 workflow-scm-step - 2.4 managed-scripts - 1.3 branch-api - 1.11.1 jackson2-api - 2.7.3 workflow-step-api - 2.9 slack - 2.2 script-security - 1.27 cloudbees-folder - 6.0.2 copy-to-slave - 1.4.4 xcode-plugin - 1.4.11 groovy - 1.30 jquery-detached - 1.2.1 pipeline-input-step - 2.5 subversion - 2.7.1 display-url-api - 1.1.1 test-results-analyzer - 0.3.4 pipeline-milestone-step - 1.3 docker-custom-build-environment - 1.6.5 workflow-cps-global-lib - 2.5 OS: Ubuntu 14.04.3
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works.
Detail:
I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create.
We received a request to download Maven artifacts via curl/wget from a certain project Folder.
All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg.
The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg .
However, when a person from that project tries to access the REST API with his token, he receives the following error:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 404 Not Found</title>
</head>
<body><h2>HTTP ERROR 404</h2>
<p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason:
<pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/>
</body>
</html>
And if he tries the same with his LDAP password, the call succeeds.
When I added the Job/Read permission as a Global permission, it also succeeded.
Any ideas?
[JENKINS-45479] API tokens and Job/Read permission issue
| Description |
Original:
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works. Detail: I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create. We received a request to download Maven artifacts via curl/wget from a certain project Folder. All users of the Jenkins instance have the Overall/Read permission, as can be seen in the attached image. The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg . However, when a person from that project tries to access the REST API with his token, he receives the following error: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 404 Not Found</title> </head> <body><h2>HTTP ERROR 404</h2> <p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason: <pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> And if he tries the same with his LDAP password, the call succeeds. When I added the Job/Read as a Global permission, it also succeeded. Any ideas? |
New:
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works. Detail: I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create. We received a request to download Maven artifacts via curl/wget from a certain project Folder. All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg. The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg . However, when a person from that project tries to access the REST API with his token, he receives the following error: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 404 Not Found</title> </head> <body><h2>HTTP ERROR 404</h2> <p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason: <pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> And if he tries the same with his LDAP password, the call succeeds. When I added the Job/Read as a Global permission, it also succeeded. Any ideas? |
| Description |
Original:
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works. Detail: I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create. We received a request to download Maven artifacts via curl/wget from a certain project Folder. All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg. The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg . However, when a person from that project tries to access the REST API with his token, he receives the following error: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 404 Not Found</title> </head> <body><h2>HTTP ERROR 404</h2> <p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason: <pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> And if he tries the same with his LDAP password, the call succeeds. When I added the Job/Read as a Global permission, it also succeeded. Any ideas? |
New:
When using the Role Strategy plugin, a non-admin user (having only Overall/read permission) can't use his API Token to interact with the Jenkins instance. However, using the user's LDAP password works and if the user is given the Global Job/Read permission, it also works. Detail: I manage a lot of different projects in a multi-tenant Jenkins instance, using the RBAS plugin, by defining project roles for each Folder I create. We received a request to download Maven artifacts via curl/wget from a certain project Folder. All users of the Jenkins instance have the Overall/Read permission, as can be seen in Selection_477.jpg. The users who have access to that folder DO have the Job/Read permission, as part of the Project Role, as can be seen in Selection_478.jpg . However, when a person from that project tries to access the REST API with his token, he receives the following error: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Error 404 Not Found</title> </head> <body><h2>HTTP ERROR 404</h2> <p>Problem accessing /jenkins/job/DFP/job/DataFab/job/build/job/core/lastSuccessfulBuild/api/json/. Reason: <pre> Not Found</pre></p><hr><i><small>Powered by Jetty://</small></i><hr/> </body> </html> And if he tries the same with his LDAP password, the call succeeds. When I added the Job/Read permission as a Global permission, it also succeeded. Any ideas? |
Lasse Faarbæk
made changes -
| Attachment | New: image-2018-08-15-09-18-56-709.png [ 43752 ] |
Lasse Faarbæk
made changes -
| Attachment | New: image-2018-08-15-09-21-58-235.png [ 43753 ] |
Lasse Faarbæk
made changes -
| Attachment | New: image-2018-08-15-09-22-36-837.png [ 43754 ] |
| Resolution | New: Cannot Reproduce [ 5 ] | |
| Status | Original: Open [ 1 ] | New: Fixed but Unreleased [ 10203 ] |
Could you please check it with another Authorization Strategy? I doubt it is a Role Strategy issue, but it may be an issue in the core