Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59105

Accessing Jenkins using API token does not work in group memberships

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • None
    • Jenkins version : 2.174
      Role-based Authorization Strategy version : 2.10
      ---
      Jenkins: 2.332.3
      Folder-based Authorization Strategy: 1.4
      Folders: 6.722.v8165b_a_cf25e9

    Description

      I am using Role Based Strategy to manage user permission.

      I have an account under group A. I give this group Admin permission. When I call rest API with user API token Jenkins rejects the request with 403 Forbidden Error. If I add this user directly to the global roles and grant appropriate permission, it works. 

      It seems API authorization doesn't work with Group. Any idea on this?

      Attachments

        Issue Links

          Activity

            alexhraber Alex Raber added a comment - - edited

            More details:

             

            I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):

            jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')

            ^ per: https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6

            I then generated a new token for my user, and set up my Github repo webhook as follows:
            url: https://dev-jenkins.url.gov/job/testjob/build
            secret: <user-token> (with admin/owner perms)
            application/json

            Then click apply and then click the test button from github. 403.

            I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.

            Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

            There are also these items in the 2.204.6 upgrade doc:

             

            - Remove Enable Security checkbox in the Global Security configuration. (issue 40228) 
            - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)
            

             

            These are not options in the UI in 2.222.1

            alexhraber Alex Raber added a comment - - edited More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') ^ per:  https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6 I then generated a new token for my user, and set up my Github repo webhook as follows: url:  https://dev-jenkins.url.gov/job/testjob/build secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible. There are also these items in the 2.204.6 upgrade doc:   - Remove Enable Security checkbox in the Global Security configuration. (issue 40228) - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)   These are not options in the UI in 2.222.1
            danielbeck Daniel Beck added a comment - alexhraber Try https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection

            Any news on this? It happens also in Jenkins version 2.249.1.

            bollohz Federico Bollotta added a comment - Any news on this? It happens also in  Jenkins version 2.249.1 .
            leonidlee Leonid Lee added a comment -

            Any updates?

            2.263.4 is also affected.

            leonidlee Leonid Lee added a comment - Any updates? 2.263.4 is also affected.

            Still reproducing on:

            • Jenkins: 2.332.3
            • Folder-based Authorization Strategy: 1.4  
            • Folders: 6.722.v8165b_a_cf25e9 
            dshiryaev_plesk Dmitrii Shiriaev added a comment - Still reproducing on: Jenkins: 2.332.3 Folder-based Authorization Strategy: 1.4   Folders: 6.722.v8165b_a_cf25e9 

            People

              Unassigned Unassigned
              hmr5kor Harish Kumar
              Votes:
              3 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated: