Hi, I have a LDAP account with Admin access to Jenkins and it gets 403 error only for REST API accesses. (I can do everything through Web-UI)
> GET /jp-jenkins/job/FOLDER/job/JOB-NAME/304/api/json?tree=result,estimatedDuration HTTP/1.1 > Authorization: Basic cmFhLXJzX29wczo3NWE1MjE5NjExOGFjMTI5ZTExNGE3NDEyMTMyNWUyNw== > User-Agent: curl/7.29.0 > Host: <Jenkins Host> > Accept: */* > < HTTP/1.1 403 Forbidden < Server: nginx < Date: Fri, 25 May 2018 19:22:34 GMT < Content-Type: text/html;charset=utf-8 < Content-Length: 7480 < Connection: close < X-Content-Type-Options: nosniff < Set-Cookie: JSESSIONID.2303422e=node015vjysep9akuw1gwu2i7dhfp1n4069.node0;Path=/jp-jenkins;HttpOnly < Expires: 0 < X-You-Are-Authenticated-As: MY-LDAP-USER < X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose < X-Required-Permission: hudson.model.Hudson.Read < X-Permission-Implied-By: hudson.security.Permission.GenericRead < X-Permission-Implied-By: hudson.model.Hudson.Administer < Cache-Control: no-cache,no-store,must-revalidate < X-Hudson-Theme: default < X-Hudson: 1.395 < X-Jenkins: 2.73.3 < X-Jenkins-Session: f21d4522 < X-Hudson-CLI-Port: 50000 < X-Jenkins-CLI-Port: 50000 < X-Jenkins-CLI2-Port: 50000 < X-Frame-Options: sameorigin < X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn3UkYxDt4u5EUiFAZDtPQ2hn2cOVDNQIuDhBbskrq38XRJ+4qvfgmKl5zqByuHLtmtdD39VX1C1Q0YPu8/WXkHTlsuHP190To350pGDlpvHgYqbCypcuJ+Ye8FTNcX0BK0vDIGayftatSuH+vc6NxKQsxYLM7h8tBG2RbGh0MUe1dutsWl8rhuOIRgHBFmFzIu9bhVgy9EFg3IOahRmDUeymxpZxeH3TE7dVyv3q21NF8OmrP67VAxgTBv5FVZdjfrce2y9dk1WlPcWjeC4m29bZ5oOgsp7tlyQg2G+M7VI4fSiAWQWuiHo+hS99m5iNuNi+TI+Y8tQPTxIPzEQEhwIDAQAB < X-SSH-Endpoint: <Jenkins Host>:3000 < This account was working just fine and it started generating 403 recently but we're not sure if it's ldap setting or Jenkins setting. To debug, we have checked if there is any change or deactivated group in LDAP that this user belongs to, but there was none. Adding this user to Administrator role didn't matter, renewing API token didn't matter either. What would be the issue with this account and how we can fix it? -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/6ace100c-3cb1-4e67-aa73-d5eba721474b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
