CODEWITHSUNDEEP
jenkinscommand-line-interfacessh-keys
TanisDLJ
TanisDLJ

Reputation: 1005

Jenkins CLI: using Anonymous permissions instead of the user defined ones

I am getting mad with this problem and I have no idea how to solve it.

We are trying to trigger Jenkins builds from hooks on a Windows Central repository. This is actually working on an old Jenkins server (LTS 1.580.1).

The way we did it before was calling Jenkins CLI with the SSH private key stored on a file.

Here is the weird thing:

C:\Users\Username\jenkins>java -jar jenkins-cli.jar -s http://hostname:8080 -i ci.key list-jobs

hudson.security.AccessDeniedException2: jenkins_ci is missing the Overall/Read permission
         at hudson.security.ACL.checkPermission(ACL.java:58)
         at hudson.model.Node.checkPermission(Node.java:417)
         at hudson.cli.CLICommand.main(CLICommand.java:236)
         at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
         at sun.reflect.GeneratedMethodAccessor345.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:483)
         at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:320)
         at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:295)
         at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:254)
         at hudson.remoting.UserRequest.perform(UserRequest.java:121)
         at hudson.remoting.UserRequest.perform(UserRequest.java:49)
         at hudson.remoting.Request$2.run(Request.java:324)
         at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
         at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
         at hudson.remoting.CallableDecoratorAdapter.call(CallableDecoratorAdapter.java:18)
         at hudson.remoting.CallableDecoratorList$1.call(CallableDecoratorList.java:21)
         at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:745)

The jenkins_ci user is an Active Directory Service Account which mostly worked with everything. In the Jenkins security matrix I have the same permissions that this service account.

When I use my ssh key and run exactly the same command, it worked like a charm.

If I run who-I-am it said "jenkins_ci" BUT if I change Anonymous permissions then jenkins_ci started to work. It seems that it is not reading the defined user permissions and it is using the Anonymous ones instead.

Any ideas how to make it work? Is this one a bug that I should report to Jenkins or am I missing anything?

Thanks!

Upvotes: 1

Views: 4708

Answers (2)

Jayen Chondigara
Jayen Chondigara

Reputation: 495

java -jar jenkins-cli.jar -s http://server get-job myjob > myjob.xml

I am able to run above command using below link

https://wiki.jenkins-ci.org/display/JENKINS/Disable+security

Upvotes: 0

TanisDLJ
TanisDLJ

Reputation: 1005

Ok, after hours and hours working on it, I had a "happy idea" and it worked.

Our Jenkins is authenticating against Active Directory using LDAP.

Somehow, the user created by Jenkins (and it's user folder) was: "jenkins_ci" (lowercase) and our Active Directory account is "JENKINS_CI" (upper case).

It seems that Jenkins security is case-sensitive somehow.

I stopped Jenkins, removed the user folder on host and just started Jenkins. The new folder is now called JENKINS_CI and now CLI is working.

Upvotes: 2

Related Questions