
Accessing Jenkins using API token does not work in group memberships

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Environment:
      Jenkins version: 2.174
      Role-based Authorization Strategy version: 2.10
      ---
      Jenkins: 2.332.3
      Folder-based Authorization Strategy: 1.4
      Folders: 6.722.v8165b_a_cf25e9

      I am using the Role-based Strategy to manage user permissions.

      I have an account under group A. I give this group Admin permission. When I call the REST API with the user's API token, Jenkins rejects the request with a 403 Forbidden error. If I add this user directly to the global roles and grant the appropriate permission, it works.

      It seems API authorization doesn't work with groups. Any idea on this?


          Harish Kumar created issue -

          Oleg Nenashev added a comment -

          Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking

          Harish Kumar made changes -
          Attachment New: CSFR_Config.PNG [ 48517 ]

          Harish Kumar added a comment - - edited

          Yes, as far as I can tell the setup seems valid.

          It is the crumb request which is failing: "https://jenkinsurl/crumbIssuer/api/json"

          Error: someuser is missing the Overall/Read permission

          Harish Kumar made changes -
          Attachment Original: CSFR_Config.PNG [ 48517 ]

          Alex Raber added a comment - - edited

          This is something I've noticed as well. GitHub webhooks, which were previously succeeding without any issues, are failing with 403 after upgrading LTS from `2.204.5` to `2.222.1`.

          Juan Pablo Santos Rodríguez made changes -
          Link New: This issue relates to JENKINS-61785 [ JENKINS-61785 ]

          Zane Burton added a comment - - edited

          I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission"

          curl --location --user 'username:APIKEY' --header "Content-Type:application/x-www-form-urlencoded" --request POST "https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"

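Added example, not code from this issue thread, from Jenkins or from the Role-based Authorization Strategy plugin: it walks through the crumb-then-POST sequence that Harish's and Zane's comments describe against a small fake Jenkins, and classifies the 403 so an operator can tell "authenticated, but the permission was not granted" (the `someuser is missing the Overall/Read permission` error above, which no CSRF setting will change) from a rejected crumb. The `groups_apply_to_token_auth` switch, the user/group/permission table, the tokens and the crumb value are all constructed; `False` models the behaviour the reporters observe (a token-authenticated user keeps only directly granted permissions), not the plugin's actual code. The crumb-rejection text is the one I know from Jenkins' CrumbFilter and is matched loosely.

```python
"""Constructed fake Jenkins plus a diagnostic for the 403s discussed in JENKINS-59105."""
import base64
import json
import re
from typing import Callable, Dict, Set, Tuple

# Constructed stand-in for the Role-based Authorization Strategy config in the thread:
# one user whose permissions come only via group A, one user granted them directly.
GROUP_PERMS = {"groupA": {"Overall/Read", "Agent/Create"}}
USER_GROUPS = {"someuser": {"groupA"}, "directuser": set()}
DIRECT_PERMS = {"directuser": {"Overall/Read", "Agent/Create"}}
API_TOKENS = {"someuser": "11tokenA", "directuser": "11tokenB"}  # fake tokens
CRUMB = "deadbeef"  # constructed crumb value

# A transport takes (method, path, headers) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def fake_jenkins(groups_apply_to_token_auth: bool) -> Transport:
    """Emulate the crumb issuer and the agent-creation endpoint from Zane's curl.

    With groups_apply_to_token_auth=False the emulation reproduces what the
    reporters describe: permissions granted through a group are not applied
    when the request authenticates with an API token (assumption, not Jenkins code)."""

    def effective_perms(user: str) -> Set[str]:
        perms = set(DIRECT_PERMS.get(user, set()))
        if groups_apply_to_token_auth:
            for group in USER_GROUPS.get(user, set()):
                perms |= GROUP_PERMS.get(group, set())
        return perms

    def transport(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, "Authentication required"
        user, _, token = base64.b64decode(auth[6:]).decode().partition(":")
        if API_TOKENS.get(user) != token:
            return 401, "Invalid password/token for user: " + user
        perms = effective_perms(user)
        # Every authenticated request needs Overall/Read first, crumb fetch included.
        if "Overall/Read" not in perms:
            return 403, f"{user} is missing the Overall/Read permission"
        if method == "GET" and path == "/crumbIssuer/api/json":
            return 200, json.dumps({"crumb": CRUMB, "crumbRequestField": "Jenkins-Crumb"})
        if method == "POST" and path.startswith("/computer/doCreateItem"):
            if headers.get("Jenkins-Crumb") != CRUMB:
                return 403, "No valid crumb was included in the request"
            if "Agent/Create" not in perms:
                return 403, f"Access Denied {user} is missing the Agent/Create permission"
            return 200, "created"
        return 404, "not found"

    return transport


def basic_auth(user: str, token: str) -> Dict[str, str]:
    """HTTP Basic header, the same thing curl --user builds."""
    raw = f"{user}:{token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def post_with_crumb(transport: Transport, user: str, token: str, path: str) -> Tuple[int, str]:
    """The sequence from the thread: fetch a crumb with the API token, then POST with it."""
    headers = basic_auth(user, token)
    status, body = transport("GET", "/crumbIssuer/api/json", headers)
    if status != 200:
        return status, body  # the crumb request itself failed, as in Harish's case
    crumb = json.loads(body)
    headers[crumb["crumbRequestField"]] = crumb["crumb"]
    return transport("POST", path, headers)


PERM_RE = re.compile(r"is missing the (\S+) permission")


def classify(status: int, body: str) -> str:
    """Map a Jenkins rejection to the thing an operator should check next."""
    if status == 401:
        return "credentials"  # wrong user or token
    if status == 403:
        match = PERM_RE.search(body)
        if match:
            # Authenticated fine; the named permission is not effective for this
            # principal, so check role/group assignment rather than CSRF settings.
            return f"authorization:{match.group(1)}"
        if "crumb" in body.lower():
            return "csrf"  # crumb missing or stale; CSRF configuration is the lead
    return "ok" if status == 200 else f"other:{status}"


if __name__ == "__main__":
    buggy = fake_jenkins(groups_apply_to_token_auth=False)
    agent_path = "/computer/doCreateItem?name=i-example.example.com&type=hudson.slaves.DumbSlave"
    print(classify(*post_with_crumb(buggy, "someuser", "11tokenA", agent_path)))
    print(classify(*post_with_crumb(buggy, "directuser", "11tokenB", agent_path)))
```

Run stand-alone, the first line prints `authorization:Overall/Read` (the group-only user is rejected on the crumb fetch, exactly the error Harish reports) and the second prints `ok` (the directly granted user succeeds, matching "If I add this user directly to the global roles ... it works"). The classifier's value for an operator is the split it makes: a `missing the ... permission` body means the token authenticated and the fix is on the authorization side, whereas a crumb complaint points at the CSRF configuration Alex is experimenting with.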
          Oleg Nenashev made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Alex Raber added a comment - - edited

          More details:


          I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):

          jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')

          ^ per: https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6

          I then generated a new token for my user, and set up my Github repo webhook as follows:
          url: https://dev-jenkins.url.gov/job/testjob/build
          secret: <user-token> (with admin/owner perms)
          application/json

          Then I click Apply and then the Test button in GitHub: 403.

          I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.

          Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.

          There are also these items in the 2.204.6 upgrade doc:


          - Remove Enable Security checkbox in the Global Security configuration. (issue 40228)
          - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509)

          These are not options in the UI in 2.222.1


            Assignee: Unassigned
            Reporter: Harish Kumar
            Votes: 4
            Watchers: 14