Authorization via Groups not working when using API tokens #83

schnatterer · 2021-03-25T14:49:18Z

Using the Jenkins API via API_TOKEN leads to 403 even though the user is authorized as admin via CesAdministrators group.

This might be a bug in Jenkins Cas Plugin. Authorization via API_TOKEN cannot be handled by CAS. Jenkins does not have the information about groups, though.

Tested on clean installed CES, Jenkins Dogu version Jenkins 2.263.3.

Reproduce:

JENKINS_URL="https://a.cloudogu.net/jenkins"
JENKINS_USERNAME="admin"
JENKINS_PASSWORD="12345" 
API_TOKEN=11ff333b0981866e56f4d53af4cd659b7b

function crumb() {
  curl -s --cookie-jar /tmp/cookies \
    -u "${JENKINS_USERNAME}:${JENKINS_PASSWORD}" \
    "${JENKINS_URL}/crumbIssuer/api/json" | jq -r '.crumb'
}

# -> 403
curl -fail -s -L -o /dev/null --write-out '%{http_code}' -H "Jenkins-Crumb:$(crumb)" --cookie /tmp/cookies \
    -u "${JENKINS_USERNAME}:${API_TOKEN}" \
  -X POST ${JENKINS_URL}/pluginManager/installNecessaryPlugins \
  -d '<jenkins><install plugin="[email protected]"/></jenkins>' -H 'Content-Type: text/xml'

# Same with Password -> 200
curl -fail -s -L -o /dev/null --write-out '%{http_code}' -H "Jenkins-Crumb:$(crumb)" --cookie /tmp/cookies \
    -u "${JENKINS_USERNAME}:${JENKINS_PASSWORD}" \
  -X POST ${JENKINS_URL}/pluginManager/installNecessaryPlugins \
  -d '<jenkins><install plugin="[email protected]"/></jenkins>' -H 'Content-Type: text/xml'

Our use case: cloudogu/gitops-playground@1e5a97d

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Authorization via Groups not working when using API tokens #83

Authorization via Groups not working when using API tokens #83

schnatterer commented Mar 25, 2021

Authorization via Groups not working when using API tokens #83

Authorization via Groups not working when using API tokens #83

Comments

schnatterer commented Mar 25, 2021