jenkins-cli requires Overall/Read permission on anonymous user

This issue is archived. You can view it, but you can't modify it. Learn more

XMLWordPrintable

      We use the Github Oauth authentication plugin, which allows the cli to authenticate with a Github personal access token (passed in --password).

      This used to work in some previous plugin combinations, but now connect-node (and probably similar commands) stop requiring Overall/Read on anonymous.

      jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username elife-alfred-user --password ...
Jun 21, 2018 9:52:35 AM hudson.cli.CLI _main
FINE: using connection mode HTTP
Jun 21, 2018 9:52:36 AM hudson.cli.CLI plainHttpConnection
FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream tryToResolveRedirects
FINE: Failed to resolve potential redirects
java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
        at hudson.cli.FullDuplexHttpStream.tryToResolveRedirects(FullDuplexHttpStream.java:131)
        at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:83)
        at hudson.cli.CLI.plainHttpConnection(CLI.java:652)
        at hudson.cli.CLI._main(CLI.java:612)
        at hudson.cli.CLI.main(CLI.java:426)

Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing download side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established download side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing upload side
Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established upload side

ERROR: anonymous is missing the Overall/Read permission

      However, the user is correctly authenticated

      jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth who-am-i --username elife-alfred-user --password ...
Jun 21, 2018 10:00:04 AM hudson.cli.CLI _main
FINE: using connection mode HTTP
Jun 21, 2018 10:00:04 AM hudson.cli.CLI plainHttpConnection
FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing download side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established download side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: establishing upload side
Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
FINE: established upload side
Authenticated as: elife-alfred-user
Authorities:
  authenticated
  elifesciences
  elifesciences*Butlers

      So it shouldn't require permissions on anonymous?
      Seen similar issues like https://issues.jenkins-ci.org/browse/JENKINS-21086 before, but they are very old.

            Assignee:
            Sam Gleske
            Reporter:
            Giorgio Sironi
            Archiver:
            Jenkins Service Account

              Created:
              Updated:
              Resolved:
              Archived: