
[JENKINS-59105] Accessing Jenkins using API token does not work in group memberships

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Jenkins version: 2.174
      Role-based Authorization Strategy version: 2.10
      ---
      Jenkins: 2.332.3
      Folder-based Authorization Strategy: 1.4
      Folders: 6.722.v8165b_a_cf25e9

      I am using Role-Based Strategy to manage user permissions.

      I have an account under group A. I give this group Admin permission. When I call the REST API with the user's API token, Jenkins rejects the request with a 403 Forbidden error. If I add this user directly to the global roles and grant the appropriate permission, it works.

      It seems API authorization doesn't work with groups. Any idea on this?


          Alex Raber added a comment - - edited

          More details:

          I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):

          jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')

          ^ per: https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6

          I then generated a new token for my user, and set up my GitHub repo webhook as follows:
          url: https://dev-jenkins.url.gov/job/testjob/build
          secret: <user-token> (with admin/owner perms)
          application/json

          Then click apply and then click the test button from GitHub. 403.

          I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.

          Note my testing is done in a sandbox, but the issue is impacting my production Jenkins as well. I'd prefer not to roll back if possible.

          There are also these items in the 2.204.6 upgrade doc:

          - Remove Enable Security checkbox in the Global Security configuration. (issue 40228)
          - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)

          These are not options in the UI in 2.222.1

          Daniel Beck added a comment -

          alexhraber Try https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection

          Federico Bollotta added a comment -

          Any news on this? It happens also in Jenkins version 2.249.1.

          Leonid Lee added a comment -

          Any updates?

          2.263.4 is also affected.

          Dmitrii Shiriaev added a comment -

          Still reproducing on:

          • Jenkins: 2.332.3
          • Folder-based Authorization Strategy: 1.4
          • Folders: 6.722.v8165b_a_cf25e9

          Daniel Dietsch added a comment -

          We are affected as well:

          • Jenkins 2.332.3
          • Role-based Authorization Strategy Version 562.v44e9a_e828d0e

          Daniel Beck added a comment -

          What security realms are you using?

          Daniel Dietsch added a comment -

          I am using Keycloak Authentication Plugin 2.3.0

          Markus Winter added a comment -

          I'm unable to reproduce this problem locally using the latest version of role-based strategy.

          Possible causes for problems:

          • Role strategy is currently case-sensitive, so if the user or group name used doesn't match what is configured, access will fail
          • The security realm is not properly filling the groups

          Check with .../whoAmI which groups the user belongs to

          Can the user login to Jenkins in the UI with only being granted access via a group membership?

          Daniel Beck added a comment - - edited
          • The security realm is not properly filling the groups

          This is likely it. Some security realms are unable to provide group memberships when using login methods that do not involve the security realm directly (such as API tokens which are stored as user metadata in Jenkins, so no contact to the SR is needed).


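The two diagnostic steps suggested in this thread (Markus Winter's advice to check /whoAmI for the user's groups and watch for case mismatches, and Daniel Beck's point that an API-token login may not populate group memberships because the security realm is never contacted) can be combined into one offline check. The following Python is an added example written for this page; it is not code from Jenkins, the Role-based Authorization Strategy plugin, or anyone in the thread. It assumes the `/whoAmI/api/json` endpoint returns `name` and `authorities` fields, models the plugin's exact-match SID comparison described above, and uses constructed sample responses and a constructed user name `alice` rather than data captured from a real controller.

```python
"""Diagnose why an API-token request is refused under a group-granted role.

Added example for JENKINS-59105; not Jenkins or plugin code. Assumes
/whoAmI/api/json exposes the principal's "name" and "authorities" (groups),
and that the role strategy matches SIDs exactly and case-sensitively.
"""
import base64
import json
import urllib.request


def fetch_whoami(base_url: str, user: str, api_token: str) -> dict:
    """Fetch /whoAmI/api/json with HTTP basic auth (user:token).

    Not invoked by the offline demo below; provided so the same diagnosis
    can be run against a real controller, e.g. base_url="https://jenkins.example.invalid".
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/whoAmI/api/json")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def diagnose(whoami: dict, role_sids: list[str]) -> dict:
    """Compare the authorities Jenkins sees for this login with a role's SIDs.

    Buckets each SID assigned to the role as: an exact match (grants access),
    a case-only mismatch (the case-sensitivity pitfall), or entirely absent
    (the realm did not fill groups for this login path).
    """
    seen = [whoami.get("name", "")] + list(whoami.get("authorities", []))
    by_lower = {s.lower(): s for s in seen}
    exact, case_only, missing = [], [], []
    for sid in role_sids:
        if sid in seen:
            exact.append(sid)
        elif sid.lower() in by_lower:
            case_only.append((sid, by_lower[sid.lower()]))
        else:
            missing.append(sid)
    return {
        "granted": bool(exact),
        "exact": exact,
        "case_mismatch": case_only,
        "missing": missing,
    }


# Constructed sample responses (not captured from a real controller).
# Browser session: the realm was consulted at login and filled the groups.
SESSION_WHOAMI = {
    "_class": "hudson.security.WhoAmI",
    "name": "alice",
    "authenticated": True,
    "authorities": ["authenticated", "Group-A"],
}
# Same user via API token: the token is validated from stored user metadata,
# so the realm is never asked for groups and only "authenticated" remains.
TOKEN_WHOAMI = {
    "_class": "hudson.security.WhoAmI",
    "name": "alice",
    "authenticated": True,
    "authorities": ["authenticated"],
}
# Role assignment as an admin might type it, in lower case (constructed).
ADMIN_ROLE_SIDS = ["group-a"]


if __name__ == "__main__":
    for label, who in (("browser session", SESSION_WHOAMI), ("API token", TOKEN_WHOAMI)):
        print(label, json.dumps(diagnose(who, ADMIN_ROLE_SIDS)))
```

Run against the constructed samples, the browser session reports a case-only mismatch (`group-a` vs `Group-A`), while the token session reports the group as missing altogether; assigning the role to the user name itself is the only configuration that grants access in both cases, which is exactly the workaround the reporter observed.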
            Assignee: Unassigned
            Reporter: Harish Kumar (hmr5kor)
            Votes: 4
            Watchers: 14