
Accessing Jenkins using API token does not populate group memberships

      I am using Project-based Matrix Authorization Strategy to manage user permission.

      I have an account under group A. I give this group Overall/Read permission. When I call the REST API with the user's API token, Jenkins rejects the request and says no Overall/Read permission. If I add this user to the matrix and grant the appropriate permission, it works.

      It seems API authorization doesn't work with groups.

      Please help me on this. Thanks

       

          [JENKINS-47113] Accessing Jenkins using API token does not populate group memberships

          Lowry Tang added a comment -

          danielbeck Thanks.

          I tried the API in browser, I got more info than API request with API token.
          <whoAmI _class="hudson.security.WhoAmI">
          <anonymous>false</anonymous>
          <authenticated>true</authenticated>
          <authority>authenticated</authority>
          <authority>SystemTeam</authority>
          <authority>SystemTeam*Tools Team</authority>
          <name>xxx</name>
          <toString>
          org.jenkinsci.plugins.GithubAuthenticationToken@19f2abfd: Username: yun-long-tang; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated, SystemTeam, SystemTeam*Tools Team
          </toString>
          </whoAmI>


          Lowry Tang added a comment -

          I know that you must log in through the UI first so that Jenkins can pull your groups from Github. After this, the API with token still didn't return user groups. I am not sure which plugin causes this problem, matrix-auth or github-oauth.


          Daniel Beck added a comment - - edited

          matrix-auth doesn't populate groups and is 100% unrelated. That's why I had you provide the whoAmI output.


          This is a bug in github-oauth, specifically around https://github.com/jenkinsci/github-oauth-plugin/blob/66ae724ef7bf5b0067447ac7e14a119067c0e631/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java#L400

          It is also supposed to fireLoggedIn if logged in via the UI:

          http://javadoc.jenkins.io/jenkins/security/SecurityListener.html#loggedIn-java.lang.String-

          This is what SecurityListener listens for to populate LastGrantedAuthoritiesProperty (which is what you need for subsequent CLI use).

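A client-side way to confirm the symptom Daniel is describing, added here as an example (it is not code from Jenkins or the github-oauth plugin): parse the whoAmI XML returned for an interactive browser session and for an API-token request, and report which granted authorities the token path lacks. The two XML samples are constructed to mirror the /whoAmI/api/xml output pasted above (the token-side sample assumes the group authorities are absent, as reported); `fetch_whoami` assumes the standard Jenkins /whoAmI/api/xml endpoint with HTTP Basic auth (username:API token) and is only needed for live use.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: what /whoAmI/api/xml returned for the browser session in
# this thread, trimmed to the elements the check needs.
SESSION_XML = """<whoAmI _class="hudson.security.WhoAmI">
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<authority>SystemTeam</authority>
<authority>SystemTeam*Tools Team</authority>
<name>xxx</name>
</whoAmI>"""

# Constructed sample: the same user over an API token, where (per the bug)
# the group authorities learned from GitHub are absent.
TOKEN_XML = """<whoAmI _class="hudson.security.WhoAmI">
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<name>xxx</name>
</whoAmI>"""


def parse_whoami(xml_text):
    """Reduce a whoAmI document to the fields relevant to authorization."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("name"),
        "anonymous": root.findtext("anonymous") == "true",
        "authenticated": root.findtext("authenticated") == "true",
        "authorities": sorted(a.text or "" for a in root.findall("authority")),
    }


def missing_authorities(session_xml, token_xml):
    """Authorities present on the session path but absent on the token path."""
    session = parse_whoami(session_xml)
    token = parse_whoami(token_xml)
    if session["name"] != token["name"]:
        raise ValueError(
            "whoAmI documents describe different users: %r vs %r"
            % (session["name"], token["name"])
        )
    return sorted(set(session["authorities"]) - set(token["authorities"]))


def diagnose(session_xml, token_xml):
    """Classify the token path: rejected credential, missing groups, or consistent."""
    token = parse_whoami(token_xml)
    if token["anonymous"] or not token["authenticated"]:
        # The token itself was not accepted; this is a credential problem,
        # not the group-population bug discussed in the thread.
        return "unauthenticated"
    if missing_authorities(session_xml, token_xml):
        # Matrix rows granted to these groups will not apply to API requests.
        return "missing-groups"
    return "consistent"


def fetch_whoami(base_url, username, api_token, timeout=10):
    """Fetch /whoAmI/api/xml using HTTP Basic auth (username:API token).

    Live-use helper; assumes the standard Jenkins endpoint. The offline
    samples above do not exercise it."""
    creds = base64.b64encode(f"{username}:{api_token}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/api/xml",
        headers={"Authorization": "Basic " + creds},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(diagnose(SESSION_XML, TOKEN_XML),
          missing_authorities(SESSION_XML, TOKEN_XML))
```

Save the browser-session document from /whoAmI/api/xml while logged in, obtain the token-side document with `fetch_whoami`, and compare. A result of "missing-groups" is exactly the situation in this issue: the user is authenticated, but the group authorities that matrix-auth rows are keyed on never reached the token path, so any permission granted only to a group is denied for API calls.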

          Lowry Tang added a comment -

          danielbeck Thanks for your help. I found another issue, https://issues.jenkins-ci.org/browse/JENKINS-43822, which talked about the same thing. The solution is using a Github access token instead of a Jenkins API token. I have tried it with a Github token, and the whoAmI API can return groups now. I guess it may be a problem related to the API token. Thank you again.

           


          Daniel Beck added a comment -

          lowry The issue is real even if you found a workaround. A fix is in review.


          Lowry Tang added a comment -

          danielbeck Sorry, I thought you must pass a git access token so that it can pull the info from github.


          Wadeck Follonier added a comment - - edited

          lowry Solution proposed: store the access token after a successful authentication to Github to correctly populate future usage of that user's API token.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Wadeck Follonier
          Path:
          src/main/java/org/jenkinsci/plugins/GithubAccessTokenProperty.java
          src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
          src/main/java/org/jenkinsci/plugins/GithubSecretStorage.java
          src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
          src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java
          src/test/java/org/jenkinsci/plugins/GithubSecretStorageTest.java
          src/test/java/org/jenkinsci/plugins/api/GihubAPITest.java
          http://jenkins-ci.org/commit/github-oauth-plugin/7e13146c96ab607301ee1993c4183569a93da0f7
          Log:
          JENKINS-47113 Populate the authorities after a successful authentication to Github (#87)

          This change stores a GitHub token in a user property for reuse by other
          authorization methods. Specifically, the token in which the user authorized for
          Jenkins to collect consenting through OAuth.


          Sam Gleske added a comment -

          This issue has been fixed and will be available in the next release.


          Sam Gleske added a comment -

          0.29 has been released.


            wfollonier Wadeck Follonier
            lowry Lowry Tang