hudson.security.AccessDeniedException2: anonymous is missing the Read permission - jenkins

I'm running jenkins and getting this error
hudson.security.AccessDeniedException2: anonymous is missing the Read
permission
I tried many times, deleted cookies and all.

Disabling security is not the solution. It's probably there for a reason. Try "login" instead
java -jar jenkins-cli.jar -s http://yourserver/jenkins/ login --username usr --password qwerty
cheers

Similar issue I faced but with GitHub OAuth plugin,my problem and solution explained here
Errors
hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission at hudson.security.ACL.checkPermission(ACL.java:57)
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://ghe.acme.com/api/v3/user

https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
I am able to run
java -jar jenkins-cli.jar -s http://server get-job myjob > myjob.xml
works for me using abouv url

In addition to the above link, use these simple and clear steps
I think some of the answers in here were partial. This is how I resolved it:
Step Jenkins
/etc/init.d/jenkins stop
sudo vi /var/lib/jenkins/config.xml (Please copy the complete text somewhere first, so that later you don't run in other problems)
2.A. change useSecurity element's value to false
false
2.B. Remove authorizationStrategy block
Start Jenkins again:
/etc/init.d/jenkins start
Access Jenkins through URL and reconfigure security again.

Related

ios unlock-keychain issue in jenkins-pipeline using groovy file

Context
In the company they run many builds from blueocean/jenkins & they use iOS & MacOS
Many build fail with the error below randomly
error message :
Warning: A secret was passed to "sh" using Groovy String interpolation, which is insecure.
Affected argument(s) used the following variable(s): [sshPassword]
See https://jenkins.io/redirect/groovy-string-interpolation for details.
+ security unlock-keychain -p **** login.keychain
Sending interrupt signal to process
so I go to the documentation link but it didn't really help or/and I misunderstood it
I found the too lines in a groovy file
security unlock-keychain -p ${sshPassword} login.keychain
security set-keychain-settings -lut 1800 login.keychain
to me this is just looking good but this error make jenkins jobs to crash on different builds but always when this error occurs, so I guess this is the root cause.
how can I fix it ?
ok in fact, this runs on a setup that pop up a GUI windows.
So It needed to send someone on-site, to answer it.
to be sure machine is really ok, he also rebooted it.

Installing local plugin via jenkins-cli

I've enabled 'Enable CLI over remoting'.
I've set TCP port for JNLP either fixed or random.
I've downloaded the jenkins-cli.jar successfully.
when preforming plugin-install command i receive:
When executing: java -jar jenkins-cli.jar -auth user:pass -s http://localhost:8080 install-plugin file:///folder/plugin.hpi
ERROR: Unexpected exception occurred while performing install-plugin command.
java.io.FileNotFoundException: /folder/plugin.hpi (No such file or directory)
Without the file://
/folder/plugin.hpi is neither a valid file, URL, nor a plugin artifact name in the update center
I've tried every possible combination, the file does exist.
Edit: from the exception it keeps thinking that it's url instead of file:
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
at java.net.URL.openStream(URL.java:1045)
at hudson.FilePath.copyFrom(FilePath.java:890)
"
Edit 2: It does work when given HTTP URL, but it will require me to upload it to a server which I don't have every time.
Edit 3: I tried moving the file to the same folder of Jenkins /var/lib/jenkins and give it permissions of 777.
It was a combination of #Alex O solution, and that I used -auth myuser:mypass instead of --username admin --password password and toggled --remoting.
It looks like this:
java -jar jenkins-cli.jar -s http://host-ip:8080/ -remoting install-plugin ./plugin.hpi --username my-user --password my-pass -restart
The URL that you provide as argument to install-plugin must be accessible by the Jenkins master process. If you get the error message
/folder/plugin.hpi (No such file or directory)
then there's most likely a problem with access rights, or /folder is not mounted on the master's host (or in the master's container, if you use docker).
This is why a HTTP URL does work.
So, for file:// URLs, you need to align filesystem mounts and permissions between CLI user/machine and Jenkins master user/machine.

Using the jenkins CLI (on fedora 23)

I have a jenkins instance running. To create this instance on a Fedora 23 machine, I installed jenkins (via dnf) and started it (via systemd). It is running and I can see it in my browser at http://localhost:8080.
I have been trying to follow the directions in https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI.
I download http://localhost:8080/jnlpJars/jenkins-cli.jar to my computer.
Then I try to run the program java -jar jenkins-cli.jar http://127.0.0.1 -s help and I get no main manifest attribute, in jenkins-cli.jar
When I check jenkins-cli.jar, sure enough there is no Main-Class entry in the manifest file.
What is the proper way to invoke the jenkins cli?
Addendum
https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins has a separate procedure for using the jenkins cli, but it does not explain where to obtain jenkins.jar.
I have worked out a kludgy solution. I hope someone has a better idea.
On my instance I run
curl http://www.java2s.com/Code/JarDownload/localizer/localizer-1.9.jar.zip > localizaer-1.9.jar.zip
unzip localizaer-1.9.jar.zip
curl http://central.maven.org/maven2/commons-codec/commons-codec/1.9/commons-codec-1.9.jar > commons-code-1.9.jar
java -classpath /usr/share/jenkins/webroot/WEB-INF/jenkins-cli.jar:/usr/share/jenkins/webroot/WEB-INF/remoting.jar:/usr/share/jenkins/webroot/WEB-INF/slave.jar:/usr/share/jenkins/webroot/WEB-INF/classes:localizer-1.9.jar:commons-code-1.9.jar:localizer-1.9.jar hudson.cli.CLI -s http://localhost:8080 help
I don't like it because it is super-kludgy, but it seems to work.

Increase the Jenkins login timeout

Does anyone know how to increase the the timeout window before Jenkins logs out a user? I'm looking to raise it to 1 day or so.
I work in and out jenkins all day and we keep getting logged out between running of jobs. Added to this frustration, the 'stay logged in' checkbox doesn't seem to work either.
Jenkins uses Jetty, and Jetty's default timeout is 30 minutes. This is independent of authentication settings -- I use Active Directory but it's still this setting that affects timeouts.
You can override the timeout by passing an argument --sessionTimeout=<minutes> to the Jenkins init script, or -DsessionTimeout=<minutes> to the .war file. For example:
# Set the session timeout to 1 week
$ java -jar jenkins.war --sessionTimeout=10080
Alternatively, you can edit Jenkins' <jenkinsHome>/.jenkins/war/WEB-INF/web.xml and add explicitly set it:
<session-config>
<!-- one hour -->
<session-timeout>60</session-timeout>
</session-config>
According to Oracle's docs you can set this to 0 to disable timeouts altogether.
To find out the current value for timeouts, you can use the Groovy console provided in Jenkins:
import org.kohsuke.stapler.Stapler;
Stapler.getCurrentRequest().getSession().getMaxInactiveInterval() / 60
On my instance, this shows Result: 30.
As of Jenkins version 2.107.2 you'll want to include sessionEviction
For example to keep people logged in for 24 hours and 12 hours of inactivity:
--sessionTimeout=1440 --sessionEviction=43200
If you don't specify sessionEviction people who close the tab will get logged out after 30 minutes.
For Ubuntu:
nano /etc/default/jenkins
Append to JENKINS_ARGS at the end of the file:
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --sessionTimeout=1440 --sessionEviction=43200"
As of 1.528 you can use the --sessionTimeout <minutes> parameter when starting up jenkins via an init script. If starting the war, pass in -DsessionTimeout=<minutes>
Update for 1.6
If passing in as an arg use --sessionTimeout=<minutes>
it also seems possible to set it using groovy console:
import org.kohsuke.stapler.Stapler;
Stapler.getCurrentRequest().getSession().setMaxInactiveInterval(TIME_IN_SECONDS)
But I guess it will only be available for current session
On my Linux distro, this setting can be added to /etc/sysconfig/jenkins
# Pass arbitrary arguments to Jenkins.
# Full option list: java -jar jenkins.war --help
#
JENKINS_ARGS="--sessionTimeout=480"
Subsequently, restart with
sudo /etc/init.d/jenkins restart
This version of Jenkins 1.567 also has the enable auto refresh option so it somehow keeps refreshing the session and I never get logged out. It works for me...
If Jenkins is running as a Windows service (jenkins.exe), parameters can be edited in jenkins.xml in the installation directory.
Working with Jenkins 2.2x on Windows Server as a windows service the setting
--sessionTimeout=1440 --sessionEviction=43200
can be added here
<arguments>... -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" ... --sessionTimeout=1440 --sessionEviction=43200</arguments>
located in file jenkins.xml in the Jenkins folder, which for me was:
C:\Program Files\Jenkins on Windows Server 2012.
C:\Program Files (x86)\Jenkins on Windows Server 2008 R2
Restart the service for the change to take effect.
After dealing with this for a couple hours and making sense of everything said here this is what I did to solve the issue:
Log as sudo user
cd /var/cache/jenkins/war/WEB-INF/
vi web.xml
Type "i" to go to insert mode
Go down until you find <Session-Config> and type as screenshot
Hit Esc
Type :wd to save your changes
sudo systemctl restart jenkins
Screenshot:
For anyone on CentOS, web.xml will likely be in /var/lib/jenkins/%C/jenkins/war/WEB-INF/. In web.xml, you can add the session timeout and eviction settings to the session config like so:
<session-config>
<session-timeout>480</session-timeout>
<session-eviction>12600</session-eviction>
</session-config>
Leaving this here for anyone who struggled to find that file like I did.

jenkins-cli build on Cloudbees: "no such job"

I need to remotely trigger a Jenkins build hosted on CloudBees. Right now, I'm attempting to use jenkins-cli to no avail. Right now I am authenticating using a SSH key pair.
When I do:
$ java -jar jenkins-cli.jar -s https://... list-jobs All
I can see all the jobs, including the one I want to build. But when I do:
$ java -jar jenkins-cli.jar -s https://... build job1
No such job 'job1'
I've read about a workaround that involves adding permissions to the anonymous role. Even if I add every single permission to it, I get the same error.
If it helps, I'm using Jenkins 1.532.1.3. Thanks.
Today I ran into same problem and found the solution. The response 'no such job' comes when there is actually no such job or you don't have enough access to do requested operation.
Even when you have the access for requested operation and you are sending credentials with --username and --password arguments it still not works. Only solution I found was to use ssh authentication. So register your computer's ssh key to your jenkins and everything works fine. To register ssh key go to http://[yourjenkinsserver]/user/[username]/configure
I ran into the same error but managed to make it work by providing read permission in 'job' for anonymous user.
I encountered the same issue today on v1.621-1.1 while trying through a non-admin user which I named as 'vikas027'. In order to fix this I ticked all checkboxes under 'Job' column for user 'vikas027' and ticked 'Discover' and 'Read' (also under 'Job') for 'Anonymous' user. These settings are in http://<IP>:<port>/configureSecurity. Hope this helps someone.

Resources