Quantcast
Jenkins CI Jenkins issues

[JIRA] Created: (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

classic Classic list List threaded Threaded
18 messages Options
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] Created: (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
JNLP slave fails to connect if Anonymous has not permission READ
----------------------------------------------------------------

                 Key: JENKINS-11149
                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
             Project: Jenkins
          Issue Type: Bug
          Components: slave-setup
    Affects Versions: current
            Reporter: Matthias Vach
            Assignee: Kohsuke Kawaguchi


Hi all,
I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.

The jenkins-slave.xml contains
------------------------------------------------------------------------------------
<arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
------------------------------------------------------------------------------------

The tomcat-users.xml  contains
------------------------------------------------------------------------------------
<tomcat-users>
<role rolename="admin"/>
<role rolename="manager"/>
<user username="abcd" password="efgh" roles="admin,manager"/>
</tomcat-users>
------------------------------------------------------------------------------------

The jenkins-slave.err.log contains
------------------------------------------------------------------------------------
Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
        at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
        at hudson.remoting.Launcher.run(Launcher.java:190)
        at hudson.remoting.Launcher.main(Launcher.java:166)
Waiting 10 seconds before retry
------------------------------------------------------------------------------------

The tomcat's localhost.2011-xx-xx.log contains
------------------------------------------------------------------------------------
SEVERE: Servlet.service() for servlet Stapler threw exception
hudson.security.AccessDeniedException2: anonymous is missing the Read permission
at hudson.security.ACL.checkPermission(ACL.java:53)
at hudson.model.Node.checkPermission(Node.java:363)
at hudson.model.Hudson.getTarget(Hudson.java:3538)
...
------------------------------------------------------------------------------------

The setup is as follows:
------------------------------------------------------------------------------------
OS: Windows 7
Tomcat: 6.0.33
Jenkins: 1.4.10 (also not working with 1.4.31)
JDK: 1.6.27
Security Realm: Matrix based Security is enabled
Authorization: Delegate to servlet container

permissions of user abcd: Overall Read, Overall Administer
permissions of user Anonymous: none
------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] Commented: (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=154004#comment-154004 ]

aleksas commented on JENKINS-11149:
-----------------------------------

Ran into this issue by accidentally removing read permission for Anonymous user. Jenkins access control is managed using Active Directory settings. Windows (Windows Server 2008) slave service wasn't able to load slave-agent.jnlp - same case as stated above, while service itself runs as a privileged user. Expected behavior would be to permit slave service running as a privileged user to connect to master even if anonymous does not have Overall/Read permissions.

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: slave-setup
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=155677#comment-155677 ]

Matthias Vach commented on JENKINS-11149:
-----------------------------------------

The problem still exists in Jenkins 1.4.40
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: slave-setup
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=159636#comment-159636 ]

candrews commented on JENKINS-11149:
------------------------------------

Still exists in 1.452
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: slave-setup
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=159929#comment-159929 ]

Thomas Fields commented on JENKINS-11149:
-----------------------------------------

I am also now hitting this problem. This issue is very old, will it ever get fixed?

Thanks
Tom
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: slave-setup
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

     [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Frederik Fromm updated JENKINS-11149:
-------------------------------------

    Component/s: master-slave
                     (was: slave-setup)
   

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: master-slave
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160009#comment-160009 ]

Frederik Fromm commented on JENKINS-11149:
------------------------------------------

moved to master-slave component
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: master-slave
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: Kohsuke Kawaguchi
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

     [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

abayer reassigned JENKINS-11149:
--------------------------------

    Assignee: abayer  (was: Kohsuke Kawaguchi)
   

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: master-slave
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: abayer
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160256#comment-160256 ]

abayer commented on JENKINS-11149:
----------------------------------

Seems to me like the ideal here would be to move to using a private key approach like the CLI does (see https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI, e.g.). But if that's not viable for now...Hrm. Not sure. Lemme dig more.
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: master-slave
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: abayer
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

    [ https://issues.jenkins-ci.org/browse/JENKINS-11149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162679#comment-162679 ]

Thomas Fields commented on JENKINS-11149:
-----------------------------------------

Has there been any update on this issue at all?
               

> JNLP slave fails to connect if Anonymous has not permission READ
> ----------------------------------------------------------------
>
>                 Key: JENKINS-11149
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-11149
>             Project: Jenkins
>          Issue Type: Bug
>          Components: master-slave
>    Affects Versions: current
>            Reporter: Matthias Vach
>            Assignee: abayer
>
> Hi all,
> I do face a problem with JNLP based windows slaves in combination with restricted permissions of Anonymous.
> If user Anonymous doesn't has READ permission granted, the JNLP slave (converted to a windows service) fails to connect to the master.
> The jenkins-slave.xml contains
> ------------------------------------------------------------------------------------
> <arguments>-Xrs -jar "%BASE%\slave.jar" -jnlpUrl https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp -jnlpCredentials abcd:efgh -auth abcd:efgh</arguments>
> ------------------------------------------------------------------------------------
> The tomcat-users.xml  contains
> ------------------------------------------------------------------------------------
> <tomcat-users>
> <role rolename="admin"/>
> <role rolename="manager"/>
> <user username="abcd" password="efgh" roles="admin,manager"/>
> </tomcat-users>
> ------------------------------------------------------------------------------------
> The jenkins-slave.err.log contains
> ------------------------------------------------------------------------------------
> Failing to obtain https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp
> java.io.IOException: Failed to load https://xxx:8443/hudson/computer/xxx/slave-agent.jnlp: 500 Internal Server Error
> at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:228)
> at hudson.remoting.Launcher.run(Launcher.java:190)
> at hudson.remoting.Launcher.main(Launcher.java:166)
> Waiting 10 seconds before retry
> ------------------------------------------------------------------------------------
> The tomcat's localhost.2011-xx-xx.log contains
> ------------------------------------------------------------------------------------
> SEVERE: Servlet.service() for servlet Stapler threw exception
> hudson.security.AccessDeniedException2: anonymous is missing the Read permission
> at hudson.security.ACL.checkPermission(ACL.java:53)
> at hudson.model.Node.checkPermission(Node.java:363)
> at hudson.model.Hudson.getTarget(Hudson.java:3538)
> ...
> ------------------------------------------------------------------------------------
> The setup is as follows:
> ------------------------------------------------------------------------------------
> OS: Windows 7
> Tomcat: 6.0.33
> Jenkins: 1.4.10 (also not working with 1.4.31)
> JDK: 1.6.27
> Security Realm: Matrix based Security is enabled
> Authorization: Delegate to servlet container
> permissions of user abcd: Overall Read, Overall Administer
> permissions of user Anonymous: none
> ------------------------------------------------------------------------------------

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

This issue is fairly old and has quite a few votes. Will this ever get fixed?
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

Are we any closer to a fix for this issue?
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org
Waldek M commented on Bug JENKINS-11149

Same here. And it's a serious security issue; some plugins show much more information than they should (eg. Cobertura presents the source code under this "General read"), so the Anonymous access may be dangerous. But revoking this access is preventing from using master-slave architecture of Jenkins at all.
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org
 
Waldek M edited a comment on Bug JENKINS-11149

It seems that after some latest changes to permissions of Jenkins, giving just Read access prevents from seeing anything useful. If this is so, enabling the "General Read" permissions for Anonymous should be fine. Can anyone confirm that?
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

This issue is still in the LTS 1.480.1 Version. Had to enable global read, because otherwise the "Jenkins controls this as windows service" doesn't work. Guess this also uses JNLP to start it. ( This can only be a temporarily workaround, there is a reason why anonymous doesn't have this right! )

Since some versions Jenkins supports "api tokens", wouldn't that be a way to go?
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

@Waldek M :

Yes, you cannot see something useful. But you also don't get the login dialog (per default). So users are not aware that they have to login to seen anything useful. So from the user perception, the ui seems to "work" but they can't see any projects.
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org

Correct, we enforce the login by not offering read permissions to anonymous.
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
JIRA noreply@jenkins-ci.org
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate
star

[JIRA] (JENKINS-11149) JNLP slave fails to connect if Anonymous has not permission READ

JIRA noreply@jenkins-ci.org
In reply to this post by JIRA noreply@jenkins-ci.org
Change By: Craig Ringer (20/Dec/12 6:15 AM)
Component/s: security
Component/s: slave-setup
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
Loading...
Powered by Nabble Edit this page