• Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • cli
    • None
    • Vista 32bit, JDK 1.6.0_18, Hudson 1.350

      According to Hudson 1.350 changelog:

      • Authentication support in Hudson CLI. (issue 3796)

      it should be possible now to use the CLI when Authorization is set up... but it does not seem to work.

      My setup:

      • Enable security ticked
      • Authorization Matrix-based security
        Anonymous (all denied)
        admin (all allowed)

      I can only login at the Hudson dashboard if I use the admin account.

      But when I try to use the hudson CLI (downloaded the jar file from http://localhost:8080/hudson/cli) I get:
      C:\Work\hudson>java -jar hudson-cli.jar -s http://localhost:8080/hudson help
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/hudson/cli
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:51)
      at hudson.cli.CLI.<init>(CLI.java:90)
      at hudson.cli.CLI.<init>(CLI.java:62)
      at hudson.cli.CLI.main(CLI.java:171)

      The same happens when I provide the username and password details:
      C:\Work\hudson>java -jar hudson-cli.jar -s http://localhost:8080/hudson help --username admin --password theRightPassword
      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/hudson/cli
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:51)
      at hudson.cli.CLI.<init>(CLI.java:90)
      at hudson.cli.CLI.<init>(CLI.java:62)
      at hudson.cli.CLI.main(CLI.java:171)

      is this the correct way to provide auth credentials via the CLI args?

          [JENKINS-5930] CLI authenticated mode not working

          Andrea Barbieri created issue -

          Andrea Barbieri added a comment -

          The same error occurs in 1.352.

          C:\Work\hudson>java -jar hudson-cli.jar -s http://localhost:8080/hudson login --username admin
          Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/hudson/cli
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
          at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:51)
          at hudson.cli.CLI.<init>(CLI.java:90)
          at hudson.cli.CLI.<init>(CLI.java:62)
          at hudson.cli.CLI.main(CLI.java:171)

          Only when I allow the user Anonymous the Overall Read permission can I log in:
          C:\Work\hudson>java -jar hudson-cli.jar -s http://localhost:8080/hudson login --username admin
          Password:
          C:\Work\hudson>

          I believe it should be possible to fully lock down Hudson without allowing Anonymous any access rights.

          Andrea Barbieri added a comment -

          There is an information leak with the Anonymous Overall Read permission: following the People URL (http://localhost:8080/hudson/people/), user details are exposed and accessible.
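One way to check, after changing the authorization matrix, what an unauthenticated client receives at the two URLs quoted in this thread. This is an added example, not part of the issue or of Hudson; the function names, the base URL and the local stub server with its fixed responses are assumptions constructed for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

PROBE_PATHS = ["/people/", "/cli"]  # the two URLs quoted in the thread

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a redirect (e.g. to a login page) as-is, do not follow it

def anonymous_status(base_url, path, timeout=5):
    """Status code an unauthenticated GET receives (no cookies, no credentials)."""
    # ProxyHandler({}) ignores proxy environment variables: connect directly.
    opener = urllib.request.build_opener(_NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_anonymous_access(base_url, paths=PROBE_PATHS):
    """Return {path: (status, exposed)}; exposed is True when anonymous gets 2xx."""
    report = {}
    for path in paths:
        status = anonymous_status(base_url, path)
        report[path] = (status, 200 <= status < 300)
    return report

def start_stub(statuses):
    """Constructed stand-in for a server: answers each path with a fixed status."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(statuses.get(self.path, 404))
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/hudson" % server.server_port

if __name__ == "__main__":
    # Constructed responses modelling the workaround (anonymous Overall Read granted).
    srv, base = start_stub({"/hudson/people/": 200, "/hudson/cli": 200})
    for path, (status, exposed) in audit_anonymous_access(base).items():
        print(path, status, "EXPOSED" if exposed else "denied")
    srv.shutdown()
```

Against a real instance, call `audit_anonymous_access("http://localhost:8080/hudson")` from a session with no stored credentials; any path reported as exposed is readable without logging in.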

          eguess74 added a comment -

          I'm trying to use the CLI in 1.355 in authenticated mode.
          The login command seems to work - it returns nothing. But when I try to run any other command (e.g. groovysh) after login, it says that anonymous is missing the Administer permission. I was also trying to run groovysh like this:

          java -jar hudson-cli.jar -s ServerURL groovysh --username adminuser --password correctpass

          and it says the same.

          The only thing I was able to perform so far is quiet-down.


          jshomphe added a comment -

          This same issue is also preventing our server from automagically restarting itself unless the Anonymous user has full admin rights over Hudson.

          (We are using the Project-based Matrix Authorization Strategy.)


          jlpinardon added a comment -

          When running:
          java -jar hudson-cli.jar -s ServerURL login --username <an admin user> --password <the good one>
          it tells me:
          "--username" is not a valid option

          We are running Hudson 1.359 with Matrix Based Security connected to an LDAP server, on a TOMCAT server.


          jlpinardon added a comment - - edited

          This question is becoming critical for us, because we really need to use security and want to extract some data to build our own metrics.
          So, I tried the same on both Unix and Windows clients and the same occurs.

          Nevertheless, when using wget, I can give the credentials via:
          http://username:pass@HudsonURL
          For example:
          http://username:pass@HudsonURL/quietDown

          And it works correctly.
          The same command using java -jar does not work, saying that --username is not a valid option.

          Considering that the credentials are correctly passed using wget and not with the Hudson-cli jar,
          I suppose there is something wrong with the CLI jar.


          Alan Harder added a comment -

          abarbieri, what is the current status of this issue? What security realm type do you use? I'm looking into JENKINS-6628 now (fixing the LDAP security realm so it accepts --username/password parameters; jlpinardon, this is what you mention in your comment above). Any other problems you see in CLI authentication in the latest Hudson release?


          Andrea Barbieri added a comment -

          Will provide feedback later today for these two types of security realms:

          • LDAP
          • Hudson

          Andrea Barbieri added a comment -

          Using Hudson version 1.371.

          When I use the help command I read:
          ...
          login
          Saves the current credential to allow future commands to run without explicit credential information
          logout
          Deletes the credential stored with the login command

          So if one performs:
          java -jar hudson-cli.jar -s http://localhost:8080/hudson login --username admin
          Password:
          and logs in successfully... why do I get this?
          java -jar hudson-cli.jar -s http://localhost:8080/hudson groovysh

          Exception in thread "main" java.lang.reflect.UndeclaredThrowableException
          at $Proxy2.main(Unknown Source)
          at hudson.cli.CLI.execute(CLI.java:131)
          at hudson.cli.CLI.main(CLI.java:180)
          Caused by: hudson.remoting.ProxyException: hudson.security.AccessDeniedException2: anonymous is missing the Administer permission
          at hudson.security.ACL.checkPermission(ACL.java:53)
          at hudson.model.Node.checkPermission(Node.java:310)
          at hudson.cli.GroovyshCommand.main(GroovyshCommand.java:61)
          at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:68)
          at sun.reflect.GeneratedMethodAccessor110.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:274)
          at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:255)
          at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:215)
          at hudson.remoting.UserRequest.perform(UserRequest.java:114)
          at hudson.remoting.UserRequest.perform(UserRequest.java:48)
          at hudson.remoting.Request$2.run(Request.java:270)
          at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
          at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
          at java.util.concurrent.FutureTask.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at java.lang.Thread.run(Unknown Source)

          The Anonymous user has all permissions disabled.

            Assignee: Unassigned
            Reporter: Andrea Barbieri (abarbieri)
            Votes: 4
            Watchers: 6