[JIRA] (JENKINS-53188) New jobs created from Blue Ocean are tied with username that created them


william.daniel.laszlo@gmail.com (JIRA)

Aug 22, 2018, 10:39:04 AM
to jenkinsc...@googlegroups.com
William Laszlo created an issue
 
Jenkins / Bug JENKINS-53188
New jobs created from Blue Ocean are tied with username that created them
Issue Type: Bug
Assignee: Unassigned
Attachments: usernameNotFound.png
Components: blueocean-plugin
Created: 2018-08-22 14:38
Priority: Minor
Reporter: William Laszlo

A colleague (let's say, username cadana) created a Multibranch Pipeline job from Blue Ocean, with GitHub SCM (username for SCM is not tied in any way with cadana) and now he left the company. I had to copy the job manually to "recreate" it, to lose the first owner that no longer exists to fix this error.

 

Started by user Laszlo, William Daniel
[BFA] Scanning build for known causes...
[BFA] No failure causes found
[BFA] Done. 0s
org.acegisecurity.userdetails.UsernameNotFoundException: User cadana not found in directory.
 at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:126)
 at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1314)
 at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1251)
 at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
 at hudson.model.User.getUserDetailsForImpersonation(User.java:349)
 at hudson.model.User.impersonate(User.java:329)
 at io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.getCredentials(BlueOceanCredentialsProvider.java:76)
 at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:413)
 at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:532)
 at org.jenkinsci.plugins.github_branch_source.Connector.lookupScanCredentials(Connector.java:234)
 at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1399)
 at jenkins.scm.api.SCMSource.fetch(SCMSource.java:566)
 at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:95)
 at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:303)
 at hudson.model.ResourceController.execute(ResourceController.java:97)
 at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE
This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

gmogan@cloudbees.com (JIRA)

Feb 13, 2019, 8:11:01 PM
to jenkinsc...@googlegroups.com
Gavin Mogan assigned an issue to Gavin Mogan
Change By: Gavin Mogan
Assignee: Gavin Mogan

gmogan@cloudbees.com (JIRA)

Feb 13, 2019, 11:07:06 PM
to jenkinsc...@googlegroups.com
Gavin Mogan commented on Bug JENKINS-53188
 
Re: New jobs created from Blue Ocean are tied with username that created them

I haven't been able to reproduce this, but I have one more thing to try.

What version of Blue Ocean are you using? What version of Jenkins?

Could credentials have been tied to that user?

Does it happen on run? On view?

 

william.daniel.laszlo@gmail.com (JIRA)

Feb 14, 2019, 3:05:01 AM
to jenkinsc...@googlegroups.com

Jenkins 2.121.1
Blue Ocean 1.9.0

I'm pretty sure that he (user cadana) created the credentials for SCM which were used. SCM credentials are not tied with his account because everything else was working.
On run I got the message from the description, and on the settings view what is in the screenshot.

gmogan@cloudbees.com (JIRA)

Feb 14, 2019, 6:11:03 PM
to jenkinsc...@googlegroups.com

Okay, I was able to reproduce it with latest master (1.11.1) and Jenkins (2.150.2), so not version dependent.

Looks like when you create a new pipeline with Blue Ocean, it attaches the credentials to that project's folder.

Then it tries to impersonate and grab that credential to be used.

https://github.com/jenkinsci/blueocean-plugin/blob/1944c62bc252253450e15b5eaddd359963118a8b/blueocean-pipeline-scm-api/src/main/java/io/jenkins/blueocean/rest/impl/pipeline/credential/BlueOceanCredentialsProvider.java#L76

Now that I tracked it down, I'll add a test and try to get it fixed up.

gmogan@cloudbees.com (JIRA)

Feb 14, 2019, 6:15:01 PM
to jenkinsc...@googlegroups.com

Note, I was able to reproduce this by deleting the folder users/deleteme_6666729664863048313 but the user was still in users.xml

When I delete the user within the UI, it actually errors out properly.

Looks like there's a map inside of $JENKINS_HOME/users/users.xml that maps usernames to the files on the disk.

William Laszlo: from the stacktrace, it looks like LDAP is being used. Do you know how the user was actually deleted? Are they still inside users.xml? Is the file still on the disk? (I'll see if there's a way to find out if you don't have disk access)

gmogan@cloudbees.com (JIRA)

Feb 14, 2019, 6:16:03 PM
to jenkinsc...@googlegroups.com

(I can catch it, it's UsernameNotFoundException, so fixable, but want to know if LDAP needs a patch to clean up properly)

william.daniel.laszlo@gmail.com (JIRA)

Feb 15, 2019, 5:01:01 AM
to jenkinsc...@googlegroups.com

I don't know how they were deleted from LDAP. I can confirm that it's still existing in $JENKINS_HOME/users/users.xml

william.daniel.laszlo@gmail.com (JIRA)

Feb 15, 2019, 5:04:01 AM
to jenkinsc...@googlegroups.com
William Laszlo edited a comment on Bug JENKINS-53188
I don't know how users are deleted from LDAP. I can confirm that it's still existing in $JENKINS_HOME/users/users.xml

gmogan@cloudbees.com (JIRA)

Mar 4, 2019, 12:37:02 PM
to jenkinsc...@googlegroups.com
Change By: Gavin Mogan
Status: Fixed but Unreleased → Resolved
Released As: 1.13.1

gmogan@cloudbees.com (JIRA)

Mar 4, 2019, 4:27:02 PM
to jenkinsc...@googlegroups.com
 
Re: New jobs created from Blue Ocean are tied with username that created them

William Laszlo, this was released on Friday, so let me know if you continue to have problems once you upgrade (if you upgrade).

william.daniel.laszlo@gmail.com (JIRA)

Mar 7, 2019, 3:42:02 AM
to jenkinsc...@googlegroups.com

Sure, thank you!
Even if I make the update, I don't know when this would happen again to my team (when someone is deleted from LDAP). I really can't test it when I want. I hope that no one will have this issue from now on.

I recreated the job when I figured out that I had found a bug, and I was able to run it. I can't confirm now whether it's OK or not because I no longer have that original job.

csaba.harmath@gmail.com (JIRA)

Jun 6, 2019, 10:43:02 PM
to jenkinsc...@googlegroups.com

I've stumbled upon this as I was curious how to set up a pipeline with a global credential instead of a user-specific one.

Currently, when a user creates a new pipeline for the first time, he/she will be asked for a personal access token for GitHub, which then gets stored in the user's credential.

Since users can come and go, it would be more practical if an administrator can set the credential.

This also has an added value of GitHub checks not showing the user who created the pipeline, but the user configured by the admin.

 

Happy to submit a new issue.

 

Thanks,

CJ

csaba.harmath@gmail.com (JIRA)

Jun 6, 2019, 10:50:03 PM
to jenkinsc...@googlegroups.com

This is how my job's config.xml starts

<?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin="workflow-m...@2.21">
  <actions/>
  <description>test</description>
  <properties>
    <io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl plugin="blueocean-pip...@1.14.0">
      <domain plugin="crede...@2.1.19">
        <name>blueocean-folder-credential-domain</name>
        <description>Blue Ocean Folder Credentials domain</description>
        <specifications/>
      </domain>
      <user>testuser</user>
      <id>github-enterprise:bd08318e10264d38792523a9e76b6f818f8ec73616f7b13b99692ed940ce642c</id>
    </io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl>
    <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-mod...@1.3.8">
      <dockerLabel></dockerLabel>
      <registry plugin="docker-...@1.14"/>
    </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig>
  </properties>

And I wonder if the BlueOceanCredentialsProvider which references the testuser's credential can be changed to use the global credential instead.

I already have a Jenkins-level GitHub Enterprise access token credential, so I would like to just use that.

That token btw was issued to a service account which is also added on the GitHub Enterprise side with a nice Jenkins icon, so it looks much better than the pipeline creator's photo next to a Pull request check.

I've just changed the testuser to jenkins user then updated the user level credential as well and it works, but it's hacky and too involved.
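
An audit for the situation discussed in this thread, added here as an example (not code from Blue Ocean or from any poster): it walks `$JENKINS_HOME/jobs` and reports jobs whose Blue Ocean folder property names a `<user>` that is no longer active. The function names, the `active_users` set (for instance an export from the directory) and the sample jobs are assumptions constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Element name taken from the config.xml quoted in the thread.
PROPERTY = "BlueOceanCredentialsProvider_-FolderPropertyImpl"

def blueocean_binding(config_text):
    """Return (user, credential_id) stored by Blue Ocean in a config.xml, or None."""
    # Jenkins writes version='1.1' but expat only parses XML 1.0: drop the declaration.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", config_text, count=1))
    for elem in root.iter():
        if elem.tag.endswith(PROPERTY):
            return elem.findtext("user"), elem.findtext("id")
    return None

def jobs_bound_to_missing_users(jenkins_home, active_users):
    """List (job, user, credential_id) where the bound user is not in active_users."""
    findings = []
    for config in sorted(Path(jenkins_home, "jobs").rglob("config.xml")):
        try:
            binding = blueocean_binding(config.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # unparseable config: left for manual review
        if binding and binding[0] not in active_users:
            findings.append((config.parent.name, *binding))
    return findings

# Constructed sample modelled on that config.xml (plugin attributes omitted).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
  <properties>
    <io.jenkins.blueocean.rest.impl.pipeline.credential.{prop}>
      <user>{user}</user>
      <id>github:EXAMPLE-CREDENTIAL-ID</id>
    </io.jenkins.blueocean.rest.impl.pipeline.credential.{prop}>
  </properties>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>
"""

def demo():
    """Audit a throwaway JENKINS_HOME holding two constructed jobs."""
    with tempfile.TemporaryDirectory() as home:
        for job, user in (("payments", "cadana"), ("website", "testuser")):
            job_dir = Path(home, "jobs", job)
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(SAMPLE.format(prop=PROPERTY, user=user))
        return jobs_bound_to_missing_users(home, active_users={"testuser"})
```

Running such a check as part of offboarding surfaces the affected jobs before their next scan or build fails on the impersonation step.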
