[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Daniel Beck commented on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships Alex Raber Try https://jenkins.io/doc/upgrade-guide/2.222/#always-enabled-csrf-protection Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.9389.1586623800234%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):{{jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')}}^ per: [https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6]I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: (with admin/owner perms) application/jsonThen click apply and then click the test button from github. 403.I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible. There are also these items in the 2.204.6 upgrade doc: {code:java}- Remove Enable Security checkbox in the Global Security configuration. (issue 40228) - Remove the ability to disable CSRF protection. Instances upgrading from older versions of Jenkins will have CSRF protection enabled and the default issuer set if they currently have it disabled. (pull 4509){code} These are not options in the UI in 2.222.1
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): ` {{ jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') ` }} I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: (with admin/owner perms) application/jsonThen click apply and then click the test button from github. 403.I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7794.1586286600319%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):{{jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')}} ^ per: [https://jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6] I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: (with admin/owner perms) application/jsonThen click apply and then click the test button from github. 403.I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7799.1586286600419%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber commented on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') I then generated a new token for my user, and set up my Github repo webhook as follows: url: https://dev-jenkins.url.gov/job/testjob/build secret: (with admin/owner perms) application/json Then click apply and then click the test button from github. 403. I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security. Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7779.1586286540417%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker): ` jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true') ` I then generated a new token for my user, and set up my Github repo webhook as follows:url: [ https://dev-jenkins.url.gov/job/testjob/build ] secret: (with admin/owner perms)application/jsonThen click apply and then click the test button from github. 403.I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7784.1586286540477%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Alex Raber edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
More details: I added this to JENKINS_OPS in my jenkins.sh (I'm running in k8s via docker):`jenkins_opts_array=('-Dhudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO=true')`I then generated a new token for my user, and set up my Github repo webhook as follows: url: [https://dev-jenkins.url.gov/job/testjob/build] secret: (with admin/owner perms) application/jsonThen click apply and then click the test button from github. 403.I have also enabled and disabled the Enable proxy compatibility CSRF checkbox in Global Security.Note my testing is done in a sandbox, but the issue is impacting my production jenkins as well. I'd prefer not to roll back if possible.
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7789.1586286540531%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Oleg Nenashev started work on JENKINS-59105 Change By: Oleg Nenashev Status: Open In Progress Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7491.1586257860345%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Zane Burton commented on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission" curl --location --user 'username:APIKEY' --header "Content-Type:application/x-www-form-urlencoded" --request POST "https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave" Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7225.1586206380381%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title
Zane Burton edited a comment on JENKINS-59105
Re: Accessing Jenkins using API token does not work in group memberships
I have replicated this bug. This command fails with the error "Access Denied user is missing the Agent/Create permission" {color:#00}curl --location --user {color}{color:#a31515}'username:APIKEY'{color}{color:#00} --header {color}{color:#a31515}"Content-Type:application/x-www-form-urlencoded"{color}{color:#00} --request POST {color}{color:#a31515}"https://jenkins.example.com/computer/doCreateItem?name=I-00A223022A4B270A6.example.com&type=hudson.slaves.DumbSlave"{color}
Add Comment
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7228.1586206380421%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Alex Raber edited a comment on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues after upgrading LTS from `2 . 204.5` to `2.222.1`. Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7185.1586201220200%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Alex Raber commented on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships This is something I've noticed as well. Github webhooks are failing with 403, which were previously succeeding without any issues. Add Comment This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.7180.1586201160235%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar edited a comment on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships Yes as far I can tell the set up seems valid.Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json" Error : someuser is missing the Overall/Read permission Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.2084.1567002000163%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar edited a comment on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships It fails in Yes as far I can tell the very first request made and it set up seems valid.Its is the crumb request which is failing : "https://jenkinsurl/crumbIssuer/api/json" Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.2082.1567001880126%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar updated an issue Jenkins / JENKINS-59105 Accessing Jenkins using API token does not work in group memberships Change By: Harish Kumar Attachment: CSFR_Config.PNG Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.845.1566923280124%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar commented on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships It fails in the very first request made and it is the crumb request : "https://jenkinsurl/crumbIssuer/api/json" Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.843.1566923220198%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar updated an issue Jenkins / JENKINS-59105 Accessing Jenkins using API token does not work in group memberships Change By: Harish Kumar Attachment: CSFR_Config.PNG Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.841.1566923100134%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Oleg Nenashev commented on JENKINS-59105 Re: Accessing Jenkins using API token does not work in group memberships Are you sure you have set up the CSRF Token correctly? Please also provide the REST API request you are invoking Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201528.1566922172000.829.1566922380104%40Atlassian.JIRA.
[JIRA] (JENKINS-59105) Accessing Jenkins using API token does not work in group memberships
Title: Message Title Harish Kumar created an issue Jenkins / JENKINS-59105 Accessing Jenkins using API token does not work in group memberships Issue Type: Bug Assignee: Oleg Nenashev Components: role-strategy-plugin Created: 2019-08-27 16:09 Environment: Jenkins version : 2.174 Role-based Authorization Strategy version : 2.10 Priority: Major Reporter: Harish Kumar I am using Role Based Strategy to manage user permission. I have an account under group A. I give this group Admin permission. When I call rest API with user API token Jenkins rejects the request with 403 Forbidden Error. If I add this user directly to the global roles and grant appropriate permission, it works. It seems API authorization doesn't work with Group. Any idea on this? Add Comment
