Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59105

Accessing Jenkins using API token does not work in group memberships

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: role-strategy-plugin
    • Labels:
      None
    • Environment:
      Jenkins version : 2.174
      Role-based Authorization Strategy version : 2.10
    • Similar Issues:

      Description

      I am using Role Based Strategy to manage user permission.

      I have an account under group A. I give this group Admin permission. When I call rest API with user API token Jenkins rejects the request with 403 Forbidden Error. If I add this user directly to the global roles and grant appropriate permission, it works. 

      It seems API authorization doesn't work with Group. Any idea on this?

        Attachments

          Issue Links

            Activity

            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking

            Show
            oleg_nenashev Oleg Nenashev added a comment - Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking
            Hide
            hmr5kor Harish Kumar added a comment - - edited

            Yes as far I can tell the set up seems valid.

            Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json"

            Error : someuser is missing the Overall/Read permission

            Show
            hmr5kor Harish Kumar added a comment - - edited Yes as far I can tell the set up seems valid. Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json" Error : someuser is missing the Overall/Read permission
            Hide
            alexhraber Alex Raber added a comment - - edited

            This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues after upgrading LTS from `2.204.5` to `2.222.1`.

            Show
            alexhraber Alex Raber added a comment - - edited This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues after upgrading LTS from `2.204.5` to `2.222.1`.
            Hide
            zburton_ancestry Zane Burton added a comment - - edited

            I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission"

            curl --location --user 'username:APIKEY' --header "Content-Type:application/x-www-form-urlencoded" --request POST "https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"

            Show
            zburton_ancestry Zane Burton added a comment - - edited I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission" curl --location --user 'username:APIKEY' --header "Content-Type:application/x-www-form-urlencoded" --request POST "https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"
            Hide
            alexhraber Alex Raber added a comment - - edited

            More details:

             

            I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):

            jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')

            ^ per: https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6

            I then generated a new token for my user, and set up my Github repo webhook as follows:
            url: https://dev-jenkins.url.gov/job/testjob/build
            secret: <user-token> (with admin/owner perms)
            application/json

            Then click apply and then click the test button from github. 403.

            I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.

            Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

            There are also these items in the 2.204.6 upgrade doc:

             

            - Remove Enable Security checkbox in the Global Security configuration. (issue 40228) 
            - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)
            

             

            These are not options in the UI in 2.222.1

            Show
            alexhraber Alex Raber added a comment - - edited More details:   I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') ^ per:  https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6 I then generated a new token for my user, and set up my Github repo webhook as follows: url:  https://dev-jenkins.url.gov/job/testjob/build secret: <user-token> (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible. There are also these items in the 2.204.6 upgrade doc:   - Remove Enable Security checkbox in the Global Security configuration. (issue 40228) - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)   These are not options in the UI in 2.222.1
            Show
            danielbeck Daniel Beck added a comment - Alex Raber Try https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection
            Hide
            bollohz Federico Bollotta added a comment -

            Any news on this? It happens also in Jenkins version 2.249.1.

            Show
            bollohz Federico Bollotta added a comment - Any news on this? It happens also in  Jenkins version 2.249.1 .

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              hmr5kor Harish Kumar
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

                Dates

                Created:
                Updated: