Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-21086

jenkins-cli requires Overall/Read permission for anonymous to perform a safe-shutdown

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Major Major
    • cli
    • None
    • Version 1.544, Ubuntu 12.04.3 LTS, amd64, Openjdk 6b27-1.12.6-1ubuntu0.12.04.4

      Previously (Jenkins 1.534) we were using jenkins-cli to automate safe shutdown. But after upgrade to ver. 1.544 it stopped working.

      Our configuration uses Project-based Matrix Authorization Strategy.
      Here are 3 main users who involved into the shutdown procedure:

      • Anonymous - all permissions unset.
      • authenticated - Overall/Read, Job/Read, Job/Build
      • special jenkins-cli user - with Overall/Administer permission

      And here is the command to perform a safe shutdown

      java -jar jenkins-cli.jar -s http://localhost:8080 safe-shutdown --username "$JCLIUSER" --password "$JCLIPASSWD"

      So it has been working perfectly with the above configuration until I upgraded Jenkins to 1.544

      Now the command throws the error

      hudson.security.AccessDeniedException2: anonymous is missing the Overall/Read permission
      at hudson.security.ACL.checkPermission(ACL.java:54)
      at hudson.model.Node.checkPermission(Node.java:418)
      at hudson.cli.declarative.CLIRegisterer$1.main(CLIRegisterer.java:180)
      at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:622)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
      at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
      at hudson.remoting.UserRequest.perform(UserRequest.java:118)
      at hudson.remoting.UserRequest.perform(UserRequest.java:48)
      at hudson.remoting.Request$2.run(Request.java:328)
      at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
      at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
      at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
      at java.util.concurrent.FutureTask.run(FutureTask.java:166)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:701)

      Of course, if I grant the permission to Anonymous, it will work. But I assume this is unsafe.

            Unassigned Unassigned
            shiryaev Roman Shiryaev
            Votes:
            2 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: