Bug
Resolution: Cannot Reproduce
Minor
None
Jenkins 2.121.1
GitHub OAuth Plugin 0.29
We use the GitHub OAuth authentication plugin, which allows the CLI to authenticate with a GitHub personal access token (passed in --password).
This used to work in some previous plugin combinations, but now connect-node (and probably similar commands) stop requiring Overall/Read on anonymous.
    jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth connect-node containers-medium --username elife-alfred-user --password ...
    Jun 21, 2018 9:52:35 AM hudson.cli.CLI _main
    FINE: using connection mode HTTP
    Jun 21, 2018 9:52:36 AM hudson.cli.CLI plainHttpConnection
    FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
    Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream tryToResolveRedirects
    FINE: Failed to resolve potential redirects
    java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
        at hudson.cli.FullDuplexHttpStream.tryToResolveRedirects(FullDuplexHttpStream.java:131)
        at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:83)
        at hudson.cli.CLI.plainHttpConnection(CLI.java:652)
        at hudson.cli.CLI._main(CLI.java:612)
        at hudson.cli.CLI.main(CLI.java:426)
    Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: establishing download side
    Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: established download side
    Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: establishing upload side
    Jun 21, 2018 9:52:36 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: established upload side
    ERROR: anonymous is missing the Overall/Read permission
However, the user is correctly authenticated:

    jenkins@prod--alfred:~$ java -jar /usr/local/bin/jenkins-cli.jar -logger FINE -s http://localhost:8080 -noKeyAuth who-am-i --username elife-alfred-user --password ...
    Jun 21, 2018 10:00:04 AM hudson.cli.CLI _main
    FINE: using connection mode HTTP
    Jun 21, 2018 10:00:04 AM hudson.cli.CLI plainHttpConnection
    FINE: Trying to connect to http://localhost:8080/ via plain protocol over HTTP
    Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: establishing download side
    Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: established download side
    Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: establishing upload side
    Jun 21, 2018 10:00:04 AM hudson.cli.FullDuplexHttpStream <init>
    FINE: established upload side
    Authenticated as: elife-alfred-user
    Authorities:
      authenticated
      elifesciences
      elifesciences*Butlers
So it shouldn't require permissions on anonymous?
Seen similar issues like https://issues.jenkins-ci.org/browse/JENKINS-21086 before, but they are very old.