• Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: role-strategy-plugin
    • Labels: None
    • Environment: Jenkins LTS 2.222.1
      role-strategy-plugin 2.16

      After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. In the log we can see


      2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission
      

      which is exactly what we get through the REST API

      inetic has Admin permissions granted to a role, set through role-strategy-plugin, and is able to execute any jobs through the UI.

      We're using user+token for auth, which should not need the Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to either true or false, but again, it makes no difference.

      Maybe the security hardening done in 2.222.1 / 2.204.6 affects the role-strategy-plugin?

      The only workaround found so far is to set global Read + Build permissions; however, that allows every user to execute everything without being logged in, which is not so funny.

      EDIT: forgot to add, $JENKINS/whoAmI for user yields:

      Name: INETIC
      IsAuthenticated?: true
      Authorities: * "authenticated"
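For anyone triaging the same regression from the Jenkins log, here is an added example (not part of the report above, and not code from Jenkins or the plugin) that parses `AccessDeniedException2` lines in the format quoted in the report and counts denials per user and permission, so a sudden cluster of `Job/Build` denials for an account that should hold an admin role stands out after an upgrade. The sample log is constructed: the first line is the reporter's (hosts already redacted), the rest are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the "While serving <url>: hudson.security.AccessDeniedException2: <user> is missing
# the <permission> permission" line as it appears in the Jenkins log quoted in the report.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[id=(?P<tid>\d+)\] \w+ \S+: "
    r"While serving (?P<url>\S+?): "
    r"hudson\.security\.AccessDeniedException2: "
    r"(?P<user>\S+) is missing the (?P<perm>\S+) permission$"
)

@dataclass(frozen=True)
class Denial:
    timestamp: str
    url: str
    user: str
    permission: str

def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an AccessDeniedException2 log line, None for any other line."""
    m = DENIED_RE.match(line.strip())
    if not m:
        return None
    return Denial(m["ts"], m["url"], m["user"], m["perm"])

def summarize(lines: Iterable[str]) -> Counter:
    """Count denials per (user, permission); a post-upgrade regression shows up as a spike."""
    return Counter((d.user, d.permission) for d in map(parse_denial, lines) if d)

# Constructed sample log (first line taken from the report, others invented for illustration).
SAMPLE_LOG = """\
2020-04-02 14:42:46.468+0000 [id=20318] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/buildWithParameters: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission
2020-04-02 14:43:01.002+0000 [id=20319] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/YYYYYY-pipeline/build: hudson.security.AccessDeniedException2: inetic is missing the Job/Build permission
2020-04-02 14:43:05.110+0000 [id=20320] INFO o.e.j.s.h.ContextHandler$Context#log: While serving http://XXXXXXXXXXX/jenkins/job/other/api/json: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Read permission
2020-04-02 14:43:07.000+0000 [id=20321] INFO hudson.model.Run#execute: some unrelated log line
"""

if __name__ == "__main__":
    for (user, perm), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {user:<12} {perm}")
```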
      

          [JENKINS-61785] REST API requires Job/Build permission

          Juan Pablo Santos Rodríguez created issue -
          Juan Pablo Santos Rodríguez made changes -
          Summary Original: REST API requires Task/Build permission New: REST API requires Job/Build permission
          Juan Pablo Santos Rodríguez made changes -
          Link New: This issue relates to JENKINS-59105 [ JENKINS-59105 ]

            Assignee: Oleg Nenashev (oleg_nenashev)
            Reporter: Juan Pablo Santos Rodríguez (juanpablo)
            Votes: 2
            Watchers: 6