microsoft / azure-pipelines-agent

Azure Pipelines Agent 🚀
MIT License

[BUG]: In Azure DevOps Server, collection scoped PAT is allowed for agent registration but not for agent removal #4426

Open Gabriel123N opened 1 year ago

Gabriel123N commented 1 year ago

What happened?

While using container based agents deployed inside a K8S cluster, I noticed that the agents were not removed whenever the pod was terminated.

After a bit of debugging, I noticed that the agent removal script returned an unauthorized error on my server URL.

To register the agent, I was using a PAT scoped to the collection the agent was added to. When I changed the PAT to one that was scoped to the organization, the removal errors stopped and the agent was removed whenever the pod was terminated.

Versions

Both 3.220.0 and 2.210.1

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

Azure DevOps Server (Please specify exact version in the textbox below)

Azure DevOps Server Version (if applicable)

Azure DevOps Server 2022.0.1 patch 1

Operating system

Windows Server 2022

Version control system

No response

Relevant log output

No response

ismayilov-ismayil commented 1 year ago

Hi @Gabriel123N, thanks for reporting! We are working on more prioritized issues at the moment, but will get back to this one soon.

github-actions[bot] commented 6 months ago

This issue has had no activity in 180 days. Please comment if it is not actually stale

Gabriel123N commented 6 months ago

Not stale

martin-toman commented 4 months ago

Hello @Gabriel123N, in Azure DevOps Server, agent pools are scoped to the entire server, see the following doc.

Our API documentation: Pools - Add is likely causing confusion - the /{collection}/ is not required in the URL. I will look into updating the API docs.

>In Azure DevOps Server, collection scoped PAT is allowed for agent registration but not for agent removal

In case a PAT has its audience set to a particular collection, the PAT will be rejected if it is used to access a resource which is not under:

https://{instance}/{collection}/

>I noticed that the agent removal script returned an unauthorized error

Is it a proprietary script or was it provided by Microsoft? In case it is owned by Microsoft, could you please direct me to the location where you downloaded it from? Thank you!
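As an added illustration of the audience rule described in the comment above (this is not code from the agent, the thread, or Microsoft): a small pre-flight check that reports whether a request URL falls under a PAT's collection audience, so a server-scoped call such as the pools API shows up as outside a collection-scoped token's reach before the agent is deployed. The host name and collection name are constructed placeholders, and comparing the collection path segment case-insensitively is an assumption.

```python
from urllib.parse import urlsplit


def within_audience(audience: str, resource: str) -> bool:
    """Return True if `resource` lies under the PAT audience URL `audience`.

    Mirrors the rule from the thread: a collection-scoped PAT is only accepted
    for resources under https://{instance}/{collection}/. Scheme and host are
    compared case-insensitively (per RFC 3986); path segments are compared as
    whole segments so /DefaultCollection does not cover /DefaultCollection2.
    Assumption: the collection segment is case-insensitive as well.
    An audience with no path (e.g. https://{instance}/) covers everything,
    which is how a server-scoped PAT behaves in this model.
    """
    a, r = urlsplit(audience), urlsplit(resource)
    if a.scheme.lower() != r.scheme.lower() or a.netloc.lower() != r.netloc.lower():
        return False
    a_parts = [p.lower() for p in a.path.split("/") if p]
    r_parts = [p.lower() for p in r.path.split("/") if p]
    return r_parts[: len(a_parts)] == a_parts


# Constructed sample values: "myserver.example" and "DefaultCollection" are
# placeholders, not real endpoints from the thread.
AUDIENCE = "https://myserver.example/DefaultCollection/"
SAMPLE_REQUESTS = {
    "collection-scoped call": "https://myserver.example/DefaultCollection/_apis/projects",
    "server-scoped pools call": "https://myserver.example/_apis/distributedtask/pools",
    "sibling collection": "https://myserver.example/DefaultCollection2/_apis/projects",
}


def preflight(audience: str, requests: dict) -> dict:
    """Map each named request to whether the given PAT audience covers it."""
    return {name: within_audience(audience, url) for name, url in requests.items()}


if __name__ == "__main__":
    for name, ok in preflight(AUDIENCE, SAMPLE_REQUESTS).items():
        print(f"{name}: {'covered' if ok else 'outside PAT audience'}")
```

Running it flags the server-scoped pools call as outside a collection-scoped PAT's audience, which is the mismatch the reporter hit between registration and removal.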

Gabriel123N commented 4 months ago

Thank you for the clarification.

The script used by the container is the start.sh provided here https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops for containerized Linux agents.