Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-47113

Accessing Jenkins using API token does not populate group memberships

XMLWordPrintable

      I am using Project-based Matrix Authorization Strategy to manage user permission.

      I have an account under group A. I give this group Overall/Read permission. When I call rest API with user API token Jenkins rejects the request and says no overall/read permission. If I add this user to the matrix and grant appropriate permission, it works. 

      It seems API authorization doesn't work with Group.

      Please help me on this. THanks

       

          [JENKINS-47113] Accessing Jenkins using API token does not populate group memberships

          Lowry Tang created issue -
          Daniel Beck made changes -
          Component/s Original: matrix-project-plugin [ 18765 ]

          Daniel Beck added a comment -

          What's the output of https://yourjenkins/whoAmI/api/xml when accessed with the API token?

          My guess is, the group will not be among the authorities.

          Daniel Beck added a comment - What's the output of https://yourjenkins/whoAmI/api/xml when accessed with the API token? My guess is, the group will not be among the authorities.

          Daniel Beck added a comment -

          What security realm is this? LDAP, Active Directory, etc.?

          Daniel Beck added a comment - What security realm is this? LDAP, Active Directory, etc.?

          Lowry Tang added a comment -

          danielbeck Thanks for your response. I use Github Authentication Plugin. 

          here is what I got from api

          <whoAmI _class='hudson.security.WhoAmI'>
          <anonymous>false</anonymous>
          <authenticated>true</authenticated>
          <authority>authenticated</authority>
          <name>xxxxxxxx</name>
          <toString>org.acegisecurity.providers.UsernamePasswordAuthenticationToken@a3ffddb7: Username: xxxxxxxx; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated</toString>
          </whoAmI>

          Lowry Tang added a comment - danielbeck Thanks for your response. I use Github Authentication Plugin.  here is what I got from api <whoAmI _class='hudson.security.WhoAmI'> <anonymous>false</anonymous> <authenticated>true</authenticated> <authority>authenticated</authority> <name>xxxxxxxx</name> <toString>org.acegisecurity.providers.UsernamePasswordAuthenticationToken@a3ffddb7: Username: xxxxxxxx; Password: [PROTECTED] ; Authenticated: true; Details: null; Granted Authorities: authenticated</toString> </whoAmI>

          Daniel Beck added a comment -

          Yep, no group except authenticated pseudo-group among the output.

          Log in on the UI and access that URL interactively. What's the output then?

          Then try the above (with API token) again. Is the group visible then?

          Daniel Beck added a comment - Yep, no group except authenticated pseudo-group among the output. Log in on the UI and access that URL interactively. What's the output then? Then try the above (with API token) again. Is the group visible then?
          Daniel Beck made changes -
          Component/s New: github-oauth-plugin [ 15900 ]
          Component/s Original: matrix-auth-plugin [ 18131 ]
          Daniel Beck made changes -
          Assignee Original: Daniel Beck [ danielbeck ] New: Sam Gleske [ sag47 ]

          Daniel Beck added a comment -

          Clearly not matrix-auth's fault.

          Daniel Beck added a comment - Clearly not matrix-auth's fault.
          Daniel Beck made changes -
          Summary Original: API token doesn't work with Jenkins API when using group permission New: Accessing Jenkins using API token does not populate group memberships

            wfollonier Wadeck Follonier
            lowry Lowry Tang
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: