Jenkins CLI exception: missing Job/ExtendedRead permission

Question

I have a Jenkins user that I want to give rights to run the remote CLI towards the Jenkins instance. The first command is to fetch the config.xml:

java -jar jenkins-cli.jar -s http://jenkins:8080/hudson get-job thejob

However when he invokes the command, it fails with:

Caught: java.lang.RuntimeException: \
  hudson.security.AccessDeniedException2: \
  USER is missing the Job/ExtendedRead permission \
  at hudson.security.ACL.checkPermission(ACL.java:54) 

I have given the rights to execute scripts, read/create/configure jobs and more in our matrix-based security grid. There is another user who has EXACTLY the same permissions in the grid, but for this other user, everything works fine.

I don't have any of the plugins 'Extended Read permission' or 'Read-only configurations' installed.

I cannot see why it fails for this new user. Suggestions anyone?

Differences in the 2 users config.xml file:

<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
    <credentials/>

vs:

<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
    <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>

And a final one:

<hudson.security.HudsonPrivateSecurityRealm_-Details>
  <passwordHash>some values...</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>

Answer 1

I don't know if you are facing the same problem I had, but take a look here: Jenkins CLI: using Anonymous permissions instead of the user defined ones