JENKINS-47113

Accessing Jenkins using API token does not populate group memberships

Description

I am using the Project-based Matrix Authorization Strategy to manage user permissions.

I have an account under group A. I give this group Overall/Read permission. When I call the REST API with the user's API token, Jenkins rejects the request and says no Overall/Read permission. If I add this user to the matrix and grant the appropriate permission, it works.

It seems API authorization doesn't work with groups.

Please help me on this. Thanks

       

Activity

danielbeck Daniel Beck added a comment -

What's the output of https://yourjenkins/whoAmI/api/xml when accessed with the API token?

My guess is, the group will not be among the authorities.
danielbeck Daniel Beck added a comment -

What security realm is this? LDAP, Active Directory, etc.?
lowry Lowry Tang added a comment -

Daniel Beck Thanks for your response. I use the GitHub Authentication Plugin.

Here is what I got from the API:

<whoAmI _class='hudson.security.WhoAmI'>
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<name>xxxxxxxx</name>
<toString>org.acegisecurity.providers.UsernamePasswordAuthenticationToken@a3ffddb7: Username: xxxxxxxx; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated</toString>
</whoAmI>
danielbeck Daniel Beck added a comment -

Yep, no group except authenticated pseudo-group among the output.

Log in on the UI and access that URL interactively. What's the output then?

Then try the above (with API token) again. Is the group visible then?
danielbeck Daniel Beck added a comment -

Clearly not matrix-auth's fault.
danielbeck Daniel Beck added a comment -

Group memberships not being correct before the first interactive login might be legitimate, not sure. Jenkins remembers them in that case (JENKINS-20064), which is why I'm asking whether it's different after an interactive login.
lowry Lowry Tang added a comment -

Daniel Beck Thanks.

I tried the API in the browser; I got more info than the API request with the API token.

<whoAmI _class="hudson.security.WhoAmI">
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<authority>SystemTeam</authority>
<authority>SystemTeam*Tools Team</authority>
<name>xxx</name>
<toString>
org.jenkinsci.plugins.GithubAuthenticationToken@19f2abfd: Username: yun-long-tang; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated, SystemTeam, SystemTeam*Tools Team
</toString>
</whoAmI>
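The comparison Daniel asked for, as a script. This is an added example, not part of the thread and not Jenkins or github-oauth code: it assumes only the /whoAmI/api/xml endpoint used above and HTTP basic authentication with the user name and an API token (or, for the JENKINS-43822 workaround mentioned later in the thread, a GitHub access token). The two embedded responses are the outputs posted above, trimmed to the elements the comparison reads; the interactive-session copy has to be pasted from the browser, since the script itself only fetches with a token. Function names such as parse_whoami and missing_authorities are the example's own.

```python
"""Compare the authorities Jenkins grants a user under an API token with the
ones it grants in an interactive browser session.

Added example for JENKINS-47113; not Jenkins or github-oauth code.  Assumes
only the /whoAmI/api/xml endpoint and HTTP basic auth with an API token."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# The two whoAmI responses posted in the thread (API token first, then the
# interactive browser session), trimmed to the elements read below so the
# comparison runs offline.
TOKEN_WHOAMI = """<whoAmI _class='hudson.security.WhoAmI'>
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<name>xxxxxxxx</name>
</whoAmI>"""

SESSION_WHOAMI = """<whoAmI _class="hudson.security.WhoAmI">
<anonymous>false</anonymous>
<authenticated>true</authenticated>
<authority>authenticated</authority>
<authority>SystemTeam</authority>
<authority>SystemTeam*Tools Team</authority>
<name>xxx</name>
</whoAmI>"""


def parse_whoami(xml_text: str) -> dict:
    """Extract the user name, the authenticated flag and the set of
    granted authorities from a whoAmI XML document."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("name"),
        "authenticated": root.findtext("authenticated") == "true",
        "authorities": {a.text for a in root.findall("authority") if a.text},
    }


def missing_authorities(token_xml: str, session_xml: str) -> set:
    """Authorities (groups) the user holds in the interactive session but
    not when authenticating with an API token.  'authenticated' is the
    pseudo-group every logged-in user carries, so it is never reported."""
    token = parse_whoami(token_xml)["authorities"]
    session = parse_whoami(session_xml)["authorities"]
    return (session - token) - {"authenticated"}


def fetch_whoami(base_url: str, user: str, secret: str) -> str:
    """Fetch /whoAmI/api/xml with HTTP basic auth.  `secret` is a Jenkins
    API token or, for the JENKINS-43822 workaround, a GitHub access token.
    This is the only network call; it is not exercised offline."""
    creds = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/api/xml",
        headers={"Authorization": "Basic " + creds},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With a live server: token_xml = fetch_whoami(url, user, api_token)
    # and SESSION_WHOAMI replaced by the XML copied from the browser.
    gap = missing_authorities(TOKEN_WHOAMI, SESSION_WHOAMI)
    print("groups missing under the API token:", sorted(gap))
```

Any authority in the result is a group the user holds interactively but loses under the API token; that is exactly the gap matrix-auth then denies on, since it can only grant against the authorities the authentication object carries.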
lowry Lowry Tang added a comment -

I know that you must log in through the UI first so that Jenkins can pull your groups from GitHub. After this, the API with the token still didn't return user groups. I am not sure which plugin causes this problem, matrix-auth or github-oauth.
danielbeck Daniel Beck added a comment - edited

matrix-auth doesn't populate groups and is 100% unrelated. That's why I had you provide the whoAmI output.

This is a bug in github-oauth, specifically around https://github.com/jenkinsci/github-oauth-plugin/blob/66ae724ef7bf5b0067447ac7e14a119067c0e631/src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java#L400

It is also supposed to fireLoggedIn if logged in via the UI:

http://javadoc.jenkins.io/jenkins/security/SecurityListener.html#loggedIn-java.lang.String-

This is what SecurityListener listens for to populate LastGrantedAuthoritiesProperty (which is what you need for subsequent CLI use).
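A stripped-down model of the mechanism Daniel describes: after an interactive login the realm is expected to call SecurityListener.fireLoggedIn, the listener records the granted authorities in LastGrantedAuthoritiesProperty, and a later API-token request takes its authorities from that record rather than from the realm. This is an added example, not Jenkins or github-oauth code; GroupSource, LastGrantedAuthorities, Realm and demo are invented names, and the dictionary of group memberships is constructed for the illustration. The fires_logged_in flag switches between a realm that notifies the listener and one that does not, which reproduces the two whoAmI outputs seen in this thread.

```python
"""Toy model of how Jenkins remembers authorities for API-token requests.

Added example for JENKINS-47113; the classes below are invented, not
Jenkins code.  The group data is constructed for the illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

AUTHENTICATED = "authenticated"  # pseudo-group every logged-in user carries


@dataclass
class GroupSource:
    """Stands in for GitHub: the only place group membership is known, and
    only reachable while the OAuth token from an interactive login is at hand."""
    groups: dict[str, set[str]]

    def groups_of(self, user: str) -> set[str]:
        return set(self.groups.get(user, ()))


@dataclass
class LastGrantedAuthorities:
    """Per-user record filled in by the loggedIn listener (Jenkins keeps it
    in a user property) and consulted when a request carries an API token."""
    store: dict[str, set[str]] = field(default_factory=dict)

    def on_logged_in(self, user: str, authorities: set[str]) -> None:
        self.store[user] = set(authorities)

    def authorities_for(self, user: str) -> set[str]:
        # Nothing recorded: the user is authenticated but in no group.
        return set(self.store.get(user, ())) | {AUTHENTICATED}


class Realm:
    """Security realm.  fires_logged_in=False reproduces the bug: the
    interactive login succeeds, but nothing tells the listener about it."""

    def __init__(self, source: GroupSource, listener: LastGrantedAuthorities,
                 fires_logged_in: bool) -> None:
        self.source = source
        self.listener = listener
        self.fires_logged_in = fires_logged_in

    def interactive_login(self, user: str) -> set[str]:
        # OAuth login: groups are fetched live and attached to the session.
        authorities = self.source.groups_of(user) | {AUTHENTICATED}
        if self.fires_logged_in:
            # The SecurityListener.fireLoggedIn step Daniel refers to.
            self.listener.on_logged_in(user, authorities)
        return authorities

    def api_token_login(self, user: str) -> set[str]:
        # API-token path: no OAuth token is available, so Jenkins can only
        # use what it remembered from the last interactive login.
        return self.listener.authorities_for(user)


def demo(fires_logged_in: bool) -> tuple[set[str], set[str]]:
    """Return (session authorities, API-token authorities) for one user."""
    source = GroupSource({"lowry": {"SystemTeam", "SystemTeam*Tools Team"}})
    realm = Realm(source, LastGrantedAuthorities(), fires_logged_in)
    session = realm.interactive_login("lowry")
    token = realm.api_token_login("lowry")
    return session, token


if __name__ == "__main__":
    for flag in (False, True):
        session, token = demo(flag)
        print(f"fires loggedIn={flag}: session={sorted(session)} token={sorted(token)}")
```

The order of the two calls matters: an API-token request made before the first interactive login finds nothing recorded in either variant, which is the "might be legitimate" case Daniel mentions above; the bug is that with the broken realm the record stays empty even after the user has logged in on the UI.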
lowry Lowry Tang added a comment -

Daniel Beck Thanks for your help. I found another issue, https://issues.jenkins-ci.org/browse/JENKINS-43822. It talked about the same thing. The solution is using a GitHub access token instead of a Jenkins API token. I have tried it with a GitHub token, and the whoAmI API can return groups now. I guess it may be a problem related to the API token. Thank you again.
danielbeck Daniel Beck added a comment -

Lowry Tang The issue is real even if you found a workaround. A fix is in review.
lowry Lowry Tang added a comment -

Daniel Beck Sorry, I thought you must pass the git access token so that it can pull the info from GitHub.
wfollonier Wadeck Follonier added a comment - edited

Lowry Tang Solution proposed: store the access token after a successful authentication to GitHub, so that future uses of that user's API token are populated correctly.
scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Wadeck Follonier
Path:
src/main/java/org/jenkinsci/plugins/GithubAccessTokenProperty.java
src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
src/main/java/org/jenkinsci/plugins/GithubSecretStorage.java
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
src/test/java/org/jenkinsci/plugins/GithubAccessTokenPropertyTest.java
src/test/java/org/jenkinsci/plugins/GithubSecretStorageTest.java
src/test/java/org/jenkinsci/plugins/api/GihubAPITest.java
http://jenkins-ci.org/commit/github-oauth-plugin/7e13146c96ab607301ee1993c4183569a93da0f7
Log:
JENKINS-47113 Populate the authorities after a successful authentication to Github (#87)

This change stores a GitHub token in a user property for reuse by other
authorization methods. Specifically, the token in which the user authorized for
Jenkins to collect consenting through OAuth.
sag47 Sam Gleske added a comment -

This issue has been fixed and will be available in the next release.
sag47 Sam Gleske added a comment -

0.29 has been released.

People

Assignee: wfollonier Wadeck Follonier
Reporter: lowry Lowry Tang
Votes: 0
Watchers: 4