jenkinsci / prometheus-plugin

Jenkins Prometheus Plugin
https://plugins.jenkins.io/prometheus/
Apache License 2.0

HTTP/1.1 403 Forbidden when authentication is disabled #315

Closed Starefossen closed 2 years ago

Starefossen commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.313
OS: Linux - 3.13.0-147-generic
---
JiraTestResultReporter:2.0.9
ace-editor:1.1
active-directory:2.25
all-changes:1.5
ansible:1.1
antisamy-markup-formatter:2.4
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
basic-branch-build-strategies:1.3.2
blueocean:1.25.1
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.1
blueocean-commons:1.25.1
blueocean-config:1.25.1
blueocean-core-js:1.25.1
blueocean-dashboard:1.25.1
blueocean-display-url:2.4.1
blueocean-events:1.25.1
blueocean-git-pipeline:1.25.1
blueocean-github-pipeline:1.25.1
blueocean-i18n:1.25.1
blueocean-jwt:1.25.1
blueocean-personalization:1.25.1
blueocean-pipeline-api-impl:1.25.1
blueocean-pipeline-editor:1.25.1
blueocean-pipeline-scm-api:1.25.1
blueocean-rest:1.25.1
blueocean-rest-impl:1.25.1
blueocean-web:1.25.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
build-monitor-plugin:1.13+build.202110011223
build-pipeline-plugin:1.5.8
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
chucknorris:1.4
ci-skip:0.0.2
claim:2.18.2
cloud-stats:0.27
cloudbees-bitbucket-branch-source:2.9.11
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
cobertura:1.16
code-coverage-api:2.0.2
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
copyartifact:1.46.2
credentials:2.6.2
credentials-binding:1.27
cucumber-reports:5.6.0
dashboard-view:2.18
data-tables-api:1.11.3-1
dependency-check-jenkins-plugin:5.1.1
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.2.1-2
embeddable-build-status:2.0.3
envinject:2.4.0
envinject-api:1.7
extended-read-permission:3.2
extensible-choice-parameter:1.8.0
external-monitor-job:1.7
favorite:2.3.3
font-awesome-api:5.15.4-1
forensics-api:1.5.0
gatling:1.3.0
git:4.9.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
greenballs:1.15.1
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.27
icon-shim:3.0.0
jackson2-api:2.13.0-230.v59243c64b0a5
jacoco:3.3.0
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.25.1
jenkins-jira-plugin:1.5.3
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
keycloak:2.3.0
ldap:2.7
lockable-resources:2.12
m2release:0.16.2
mailer:1.34
mapdb-api:1.0.9.0
mask-passwords:3.0
matrix-auth:2.6.8
matrix-project:1.19
maven-info:0.3.0
maven-metadata-plugin:2.0.0
maven-plugin:3.15
metrics:4.0.2.8
momentjs:1.1.1
monitoring:1.88.0
okhttp-api:3.14.9
pam-auth:1.6
parameterized-trigger:2.41
permissive-script-security:0.7
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-multibranch-defaults:2.1
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
pipeline-utility-steps:2.10.0
plain-credentials:1.7
plugin-usage-plugin:2.0
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
postbuild-task:1.9
prometheus:2.0.10
publish-over:0.22
publish-over-ssh:1.22
pubsub-light:1.16
repository-connector:2.2.0
resource-disposer:0.16
ruby-runtime:0.12
run-condition:1.5
scm-api:2.6.5
script-security:1.78
slack:2.48
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
sshd:3.1.0
stashNotifier:1.20
structs:1.23
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.4
yet-another-docker-plugin:0.2.0
ubuntu

Reproduction steps

  1. Install Prometheus plugin
  2. Leave "Authentication" checkbox unchecked
  3. Scrape from Prometheus

[Screenshot 2021-10-26 at 22:12:30: the plugin's "Authentication" checkbox left unchecked]

Results

Expected result:

Expected 200 status code

Actual result:

Got 403 status code (URL works with token and when logging in).

curl -voL https://jenkins.acme.org/prometheus/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.28.0.9...
* TCP_NODELAY set
* Connected to jenkins.acme.org (172.28.0.9) port 443 (#0)
> GET /prometheus/ HTTP/1.1
> Host: jenkins.acme.org
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Tue, 26 Oct 2021 20:09:28 GMT
< Server: Jetty(9.4.43.v20210629)
< X-Content-Type-Options: nosniff
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Content-Type: text/html;charset=utf-8
< X-Hudson: 1.395
< X-Jenkins: 2.313
< Content-Length: 567
< 
{ [567 bytes data]
100   567  100   567    0     0   5968      0 --:--:-- --:--:-- --:--:--  5968
* Connection #0 to host jenkins.acme.org left intact
* Closing connection 0

olafrauch commented 2 years ago

I can confirm this behaviour. It started after recently upgrading other plugins on our Jenkins instances (using LTS).

tyki6 commented 2 years ago

+1 got same issue

rfvmonteiro commented 2 years ago

Can you check if for some reason you have an error in your Jenkins logs like this:

Error while serving http://localhost:8080/prometheus
hudson.security.AccessDeniedException3: <user> is missing the Plugin Usage View/PluginView permission

If it is the case, this could be related with an upgrade of plugin-usage-plugin that introduces a new permission role that breaks some stuff. We solve this temporarily by granting the Plugin Usage View/PluginView permission to the needed users.

cc: @Starefossen @olafrauch @mBouamama

Starefossen commented 2 years ago

@rfvmonteiro spot on!

Error while serving https://jenkins.acme.com/prometheus
hudson.security.AccessDeniedException3: anonymous is missing the Plugin Usage View/PluginView permission
    at hudson.security.ACL.checkPermission(ACL.java:79)
    at hudson.security.AccessControlled.checkPermission(AccessControlled.java:51)
    at org.jenkinsci.plugins.pluginusage.PluginUsageView.getUrlName(PluginUsageView.java:34)
    at jenkins.model.Jenkins.getDynamic(Jenkins.java:3889)

Can I grant this to guests?

rfvmonteiro commented 2 years ago

Great, I granted the Plugin Usage View/PluginView permission to anonymous users and the problem is gone.

I believe the change that introduces this is https://github.com/jenkinsci/plugin-usage-plugin/pull/19, and it is not a problem with the Prometheus plugin.

rfvmonteiro commented 2 years ago

Can I grant this to guests?

I did it just for testing purposes, but it could not be a solution for that. I have already asked the owners of the plugin usage plugin.

olafrauch commented 2 years ago

Yes, same error indication here:

hudson.security.AccessDeniedException3: anonymous fehlt das Recht „Plugin Usage View/PluginView“

My workaround is to disable plugin-usage-plugin, as it is not that important, and we do not use fine-grained access control, so we cannot apply the other workaround.
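For anyone triaging this from the Jenkins log rather than from the 403 alone, here is an added example (not code from the prometheus-plugin or plugin-usage-plugin projects) that pulls the denied principal, the missing permission and the plugin class that performed the check out of log lines like the ones quoted in this thread, covering both the English message and the German one above. The sample log is constructed from the quoted messages; the URL and stack frames come from this issue.

```python
# Added example, not prometheus-plugin or plugin-usage-plugin code: parse Jenkins log lines.
import re
from dataclasses import dataclass
from typing import List, Optional

# Jenkins localises the message; English and German forms quoted in the thread.
_DENIED = [
    re.compile(r"AccessDeniedException3: (?P<who>\S+) is missing the (?P<perm>.+?) permission"),
    re.compile(r"AccessDeniedException3: (?P<who>\S+) fehlt das Recht „(?P<perm>.+?)“"),
]
_SERVING = re.compile(r"Error while serving (?P<url>\S+)")
_FRAME = re.compile(r"^\s+at (?P<cls>[\w.$]+)\.\w+\(")

@dataclass
class Denial:
    url: Optional[str]       # request being served, if logged just before
    principal: str           # e.g. "anonymous"
    permission: str          # e.g. "Plugin Usage View/PluginView"
    origin: Optional[str]    # first frame outside Jenkins core, i.e. the checking plugin

def parse_denials(lines: List[str]) -> List[Denial]:
    denials, url, current = [], None, None
    for line in lines:
        m = _SERVING.search(line)
        if m:
            url = m.group("url")
            continue
        for pat in _DENIED:
            m = pat.search(line)
            if m:
                current = Denial(url, m.group("who"), m.group("perm"), None)
                denials.append(current)
                url = None
                break
        else:
            f = _FRAME.match(line)
            if f and current is not None and current.origin is None:
                if not f.group("cls").startswith(("hudson.", "jenkins.")):
                    current.origin = f.group("cls")
            elif not line.startswith(" "):
                current = None  # a non-indented line ends the stack trace
    return denials
# Constructed sample: the English trace from this thread, then the German variant.
SAMPLE_LOG = """Error while serving https://jenkins.acme.org/prometheus
hudson.security.AccessDeniedException3: anonymous is missing the Plugin Usage View/PluginView permission
    at hudson.security.ACL.checkPermission(ACL.java:79)
    at org.jenkinsci.plugins.pluginusage.PluginUsageView.getUrlName(PluginUsageView.java:34)
INFO: unrelated line
hudson.security.AccessDeniedException3: anonymous fehlt das Recht „Plugin Usage View/PluginView“"""
```

Running `parse_denials(SAMPLE_LOG.splitlines())` yields two denials; the first names `org.jenkinsci.plugins.pluginusage.PluginUsageView` as the origin, which is what points the diagnosis at plugin-usage-plugin rather than the Prometheus endpoint.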

github-actions[bot] commented 2 years ago

Stale issue message