[JIRA] (JENKINS-57434) Unable to add or edit roles

Nathan.Vahrenberg@cerner.com (JIRA)

May 13, 2019, 9:16:04 AM
to jenkinsc...@googlegroups.com
Nathan Vahrenberg created an issue
 
Jenkins / Bug JENKINS-57434
Unable to add or edit roles
Issue Type: Bug
Assignee: Oleg Nenashev
Components: role-strategy-plugin
Created: 2019-05-13 13:15
Priority: Major
Reporter: Nathan Vahrenberg

When attempting to add or edit roles at "role-strategy/assign-roles" I get a "No valid crumb included with the request" error after I click Save or Apply.

 

I turned off CSRF protection temporarily to see what would happen and when I tried the same thing again I got directed to a page that states "The URL you're trying to access requires that requests be sent using POST (like a form submission). The button below allows you to retry accessing this URL using POST."

 

If I try the "Retry using POST" button it doesn't throw any errors in the browser but the role is not saved. The /var/log/jenkins/jenkins.log file has this error: "2019-05-13 13:12:07.481+0000 [id=3062] INFO o.e.j.s.h.ContextHandler$Context#log: While serving https://jenkins.cerner.com/dwx2/role-strategy/assignSubmit: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission"

 

I am definitely signed in before and after making the request, but is my login context not being included on the retried request?

 

For what it's worth I tried the fix from JENKINS-20327 to adjust the maximum form size, but no luck there.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

o.v.nenashev@gmail.com (JIRA)

May 13, 2019, 10:31:02 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Bug JENKINS-57434
 
Re: Unable to add or edit roles

Which Jenkins core and plugin version do you use? Cannot reproduce on LTS/latest

Nathan.Vahrenberg@cerner.com (JIRA)

May 13, 2019, 10:40:02 AM
to jenkinsc...@googlegroups.com

Core: Jenkins 2.177

Plugin: Role-based Authorization Strategy 2.1

 

All other plugins are the latest version as of today. Our user accounts are all Github accounts using the Github Authentication plugin, then we define roles to certain folders and assign Github teams to those roles. We do have a decent number of roles and teams, approximately 16 roles and 20 groups, then a handful of individual users (approx. 20) assigned to admin roles.

I'm trying to think of what else might be relevant to this issue. I can tell you that it used to work fine but I don't know what change would have broken it. Let me know what other information I can grab for you.

Nathan.Vahrenberg@cerner.com (JIRA)

May 13, 2019, 10:41:02 AM
to jenkinsc...@googlegroups.com
Nathan Vahrenberg edited a comment on Bug JENKINS-57434
Core: Jenkins 2.177

Plugin: Role-based Authorization Strategy 2.10

 

All other plugins are the latest version as of today. Our user accounts are all Github accounts using the Github Authentication plugin, then we define roles to certain folders and assign Github teams to those roles. We do have a decent number of roles and teams, approximately 16 roles and 20 groups, then a handful of individual users (approx. 20) assigned to admin roles.

I'm trying to think of what else might be relevant to this issue. I can tell you that it used to work fine but I don't know what change would have broken it. Let me know what other information I can grab for you.

antonio.arbutina@reversinglabs.com (JIRA)

May 20, 2019, 4:50:04 AM
to jenkinsc...@googlegroups.com

Hi, we have exactly the same problem as Nathan has. We tried reverting to version 2.9.0, but to no avail.

Currently the only workaround we can think of that works is changing the config.xml file for Jenkins itself and assigning roles like that, but this requires reloading Jenkins.

stowns3@gmail.com (JIRA)

May 21, 2019, 11:09:02 AM
to jenkinsc...@googlegroups.com
simon townsend updated an issue
 
Change By: simon townsend
Attachment: Screen Shot 2019-05-21 at 10.08.15 AM.png

stowns3@gmail.com (JIRA)

May 21, 2019, 11:09:03 AM
to jenkinsc...@googlegroups.com
simon townsend commented on Bug JENKINS-57434
 
Re: Unable to add or edit roles

Also experiencing this issue. I am able to create new roles but cannot assign them due to ''

stowns3@gmail.com (JIRA)

May 21, 2019, 11:10:04 AM
to jenkinsc...@googlegroups.com
simon townsend edited a comment on Bug JENKINS-57434
!Screen Shot 2019-05-21 at 10.08.15 AM.png! Also experiencing this issue. I am able to create new roles but cannot assign them due to ''

!Screen Shot 2019-05-21 at 10.08.15 AM.png!  

Nathan.Vahrenberg@cerner.com (JIRA)

Jun 25, 2019, 3:34:02 PM
to jenkinsc...@googlegroups.com

Oleg Nenashev is there any other info I can provide that might help? This has been difficult for us to work around unfortunately.

Nathan.Vahrenberg@cerner.com (JIRA)

Jun 25, 2019, 3:54:02 PM
to jenkinsc...@googlegroups.com
Nathan Vahrenberg edited a comment on Bug JENKINS-57434
[~oleg_nenashev] is there any other info I can provide that might help? This has been difficult for us to work around unfortunately.

 

Edit: speaking of workarounds, editing the config.xml to add a new entry in the <assignedSIDs> does work after cycling Jenkins. It's not ideal, but we can at least add new permission groups this way

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:26:05 PM
to jenkinsc...@googlegroups.com
Nick Johns updated an issue
 
Change By: Nick Johns
Attachment: image-2019-08-07-17-25-15-036.png

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:26:08 PM
to jenkinsc...@googlegroups.com
Nick Johns updated an issue
Change By: Nick Johns
Attachment: image-2019-08-07-17-25-17-212.png

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:35:02 PM
to jenkinsc...@googlegroups.com
Nick Johns commented on Bug JENKINS-57434
 
Re: Unable to add or edit roles

I'm also seeing this issue. 

I initially saw the no valid crumb error as well, I believe this is caused by the plugin incorrectly redirecting you via javascript to reauthenticate with your provider (mine is Github Enterprise) which kills the session.  I think this is hiding the root cause.

To try and simplify things, I disabled javascript, and I disabled CSRF.  When doing that I get the following error when submitting the assignRoles page:


The content being posted (according to chrome developer tools) looks to be a lot less than I would expect for the complexity of the assign roles matrixes:

[authenticated]: on
[admin]: on
[admin]: on
[admin]: on
[extended-read]: on
[admin]: on
[admin]: on
[admin]: on
[anonymous]: on
_.: 
[project1-write]: on
[project1-admin]: on
[project1-admin]: on
[project1-write]: on
[project2-write]: on
[project2-admin]: on
[project3-write]: on
[project3-admin]: on
[project4-write]: on
[project4-admin]: on
[project5-write]: on
[project5-admin]: on
[project6-read]: on
[project6-write]: on
[project6-admin]: on
[project6-admin]: on
[project6-write]: on
[project1-admin]: on
[project1-write]: on
[project6-admin]: on
[project6-write]: on
[project7-write]: on
[project7-admin]: on
[project6-team-admin]: on
[project8-write]: on
[project8-admin]: on
[project9-write]: on
[project9-admin]: on
_.: 
_.: 
Submit: Save
core:apply:

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:39:03 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
I'm also seeing this issue. 

I initially saw the no valid crumb error as well, I believe this is caused by the plugin incorrectly redirecting you via javascript to reauthenticate with your provider (mine is Github Enterprise) which kills the session.  I think this is hiding the root cause.

To try and simplify things, I disabled javascript, and I disabled CSRF.

(removing debug from disabling javascript, I now see that the page requires javascript in order to pass the json form data)

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:40:02 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
I'm also seeing this issue. 

I initially saw the no valid crumb error as well, I believe this is caused by the plugin incorrectly redirecting you via javascript to reauthenticate with your provider (mine is Github Enterprise) which kills the session.  I think this is hiding the root cause.

To try and simplify things, I disabled javascript, and I disabled CSRF. 

*(removed debug from disabling javascript, I now see that the page requires javascript in order to pass the json form data)*

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:46:03 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
I'm also seeing this issue. 

I initially saw the no valid crumb error as well, I believe this is caused by the plugin incorrectly redirecting you via javascript to reauthenticate with your provider (mine is Github Enterprise) which kills the session.  I think this is hiding the root cause.

To try and simplify things, I disabled CSRF.

*(removed debug from disabling javascript, I now see that the page requires javascript in order to pass the json form data)*


Using developer tools, I can see the assignSubmit response has the following headers:

{noformat}content-encoding: gzip
content-type: text/html;charset=utf-8
date: Wed, 07 Aug 2019 16:37:41 GMT
server: nginx/1.13.8
status: 403
strict-transport-security: max-age=15724800; includeSubDomains;
vary: Accept-Encoding
x-content-type-options: nosniff
x-hudson: 1.395
x-hudson-cli-port: 50000
x-jenkins: 2.164.1
x-jenkins-cli-port: 50000
x-jenkins-cli2-port: 50000
x-jenkins-session: efedebfb
x-required-permission: hudson.model.Hudson.Administer
x-you-are-authenticated-as: anonymous
x-you-are-in-group-disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose{noformat}

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:46:04 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
I'm also seeing this issue. 

I initially saw the no valid crumb error as well, I believe this is caused by the plugin incorrectly redirecting you via javascript to reauthenticate with your provider (mine is Github Enterprise) which kills the session.  I think this is hiding the root cause.

To try and simplify things, I disabled CSRF. 

*(removed debug from disabling javascript, I now see that the page requires javascript in order to pass the json form data)*


Using developer tools, I can see the assignSubmit response has the following headers:

{noformat}content-encoding: gzip
content-type: text/html;charset=utf-8
date: Wed, 07 Aug 2019 16:37:41 GMT
server: nginx/1.13.8
status: 403
strict-transport-security: max-age=15724800; includeSubDomains;
vary: Accept-Encoding
x-content-type-options: nosniff
x-hudson: 1.395
x-hudson-cli-port: 50000
x-jenkins: 2.164.1
x-jenkins-cli-port: 50000
x-jenkins-cli2-port: 50000
x-jenkins-session: efedebfb
x-required-permission: hudson.model.Hudson.Administer
x-you-are-authenticated-as: anonymous
x-you-are-in-group-disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose{noformat}
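
One way to triage a denial like the one in the headers above, as an added example that is not part of the original comment or of Jenkins itself: it separates a dropped session (the request arrived as anonymous) from a genuinely missing permission and from a crumb rejection. The sample headers are a constructed subset of those quoted above; `triage_denial`, its verdict names and the user `njohns` are hypothetical.

```python
from typing import Dict, Optional, Tuple

# Constructed sample: a subset of the assignSubmit response headers quoted above,
# in the "name: value" form that browser developer tools display.
SAMPLE_HEADERS = """\
status: 403
content-type: text/html;charset=utf-8
x-jenkins: 2.164.1
x-required-permission: hudson.model.Hudson.Administer
x-you-are-authenticated-as: anonymous
"""

# Substring of the crumb error text quoted in this thread, lower-cased.
CRUMB_MARKER = "no valid crumb"


def parse_headers(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def triage_denial(headers: Dict[str, str], body: str = "",
                  expected_user: Optional[str] = None) -> Tuple[str, str]:
    """Classify a 403 from Jenkins. Returns (verdict, explanation).

    expected_user is the account the operator believes is signed in
    (hypothetical parameter of this example).
    """
    if headers.get("status") != "403":
        return "not-denied", "response is not a 403"
    who = headers.get("x-you-are-authenticated-as")
    needed = headers.get("x-required-permission", "<unknown permission>")
    if who is None:
        # No identity header: the denial did not come from a permission check.
        if CRUMB_MARKER in body.lower():
            return "crumb-rejected", "CSRF crumb missing or no longer valid for this request"
        return "unknown-403", "403 without Jenkins identity headers"
    if who == "anonymous" and expected_user not in (None, "anonymous"):
        # The browser was signed in, but the request carried no usable session.
        return "session-lost", f"arrived as anonymous, expected {expected_user}; needs {needed}"
    return "permission-missing", f"{who} lacks {needed}"


if __name__ == "__main__":
    print(triage_denial(parse_headers(SAMPLE_HEADERS), expected_user="njohns"))
```

A `session-lost` verdict points the investigation at whatever ended the session rather than at the role configuration.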

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:49:03 PM
to jenkinsc...@googlegroups.com

After seeing the above issue, that I'm considered anonymous when submitting the assignRoles, I did an additional experiment.

  • view assignRoles page
  • view page that doesn't require authentication

I see that I'm logged out! Just viewing the assignRoles page with javascript enabled seems to invalidate my session.

As it's when javascript is enabled only that logs me out, I can only conclude an AJAX request is invalidating my session?

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:49:05 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
After seeing the above issue, that I'm considered anonymous when submitting the assignRoles, I did an additional experiment.

* view assignRoles page
* view page that doesn't require authentication

I see that I'm logged out!  Just viewing the assignRoles page *with javascript enabled* seems to invalidate my session.

As it's when javascript is enabled only that logs me out, I can only conclude that an AJAX request triggered by the page is invalidating my session?

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:55:03 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
After seeing the above issue, that I'm considered anonymous when submitting the assignRoles, I did an additional experiment.

* view assignRoles page
* view page that doesn't require authentication

I see that I'm logged out!  Just viewing the assignRoles page *with javascript enabled* seems to invalidate my session.

As it's when javascript is enabled only that logs me out, I can only conclude that an AJAX request triggered by the page is invalidating my session?


Looking at dev tools I just see a lot of checkName calls (all returning 200), and then a failed ajaxBuildQueue and ajaxExecutors pair of requests, followed by more successful checkName calls.  When I test the unauthenticated page in another tab, it looks like my session is invalidated.

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 12:56:04 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
After seeing the above issue, that I'm considered anonymous when submitting the assignRoles, I did an additional experiment.

* view assignRoles page
* view page that doesn't require authentication

I see that I'm logged out!  Just viewing the assignRoles page *with javascript enabled* seems to invalidate my session.

As it's when javascript is enabled only that logs me out, I can only conclude that an AJAX request triggered by the page is invalidating my session?


Looking at dev tools I just see a lot of checkName calls (all returning 200), and then a failed ajaxBuildQueue and ajaxExecutors pair of requests, followed by more successful checkName calls.  When I test the unauthenticated page in another tab, it looks like my session is invalidated.


Response from the ajax call?  "No valid crumb was included in the request"

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 1:05:02 PM
to jenkinsc...@googlegroups.com

By disabling calls to the checkName endpoint, I was able to avoid being logged out. Somehow the https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=<my role name> is invalidating my sessions.

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 1:05:03 PM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
By disabling calls to the checkName endpoint, I was able to avoid being logged out.  Somehow the  https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=<my role name> is invalidating my sessions.


Obviously this still leaves the assign roles page broken

nick.johns@gmail.com (JIRA)

Aug 7, 2019, 1:30:04 PM
to jenkinsc...@googlegroups.com

WOW. By iterating through the various checkName URLs, I've found a particular role name that logs me out. Not all roles do this

https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=%5Bjsmith%5D

(was not originally jsmith, but something similarly simple).

I need to investigate why this is happening but jeeez.

nick.johns@gmail.com (JIRA)

Aug 8, 2019, 8:46:05 AM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
WOW.  By iterating through the various checkName URLs, I've found a particular role name that logs me out.  Not all roles do this :D


https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=%5Bjsmith%5D

(was not originally jsmith, but something similarly simple).

I need to investigate why this is happening but jeeez.



Continuing to investigate today, found that I can be logged out by viewing a user (that isn't me) via the UI too:

https://j5s.anaplan-np.net/users/<user>

nick.johns@gmail.com (JIRA)

Aug 8, 2019, 8:56:02 AM
to jenkinsc...@googlegroups.com

nick.johns@gmail.com (JIRA)

Aug 8, 2019, 8:57:06 AM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
This led me to https://issues.jenkins-ci.org/browse/JENKINS-57154 which is resolved in https://github.com/jenkinsci/github-oauth-plugin/blob/master/CHANGELOG.md#version-033-released-aug-5-2019 .  Installing this new version resolved the issue for me.

[~nv035674], are you using github authentication?  This might work for you!

Nathan.Vahrenberg@cerner.com (JIRA)

Aug 9, 2019, 12:42:04 PM
to jenkinsc...@googlegroups.com

Thanks for diving into it Nick Johns! I'm glad to know where it was coming from before it mysteriously disappeared

I installed the updated github-oauth-plugin today, and it looks like the issue is resolved on my end as well. Oleg Nenashev I think we could close this out at this point and attribute it to JENKINS-57154

nick.johns@gmail.com (JIRA)

Aug 11, 2019, 9:56:04 AM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
WOW.  By iterating through the various checkName URLs, I've found a particular role name that logs me out.  Not all roles do this :D

https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=%5Bjsmith%5D

(was not originally jsmith, but something similarly simple).

I need to investigate why this is happening but jeeez.


Continuing to investigate today, found that I can be logged out by viewing a user (that isn't me) via the UI too:

https://jenkins/users/<user>

nick.johns@gmail.com (JIRA)

Aug 11, 2019, 9:56:04 AM
to jenkinsc...@googlegroups.com
Nick Johns edited a comment on Bug JENKINS-57434
WOW.  By iterating through the various checkName URLs, I've found a particular role name that logs me out.  Not all roles do this :D

https://jenkins/descriptor/com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy/checkName?value=%5Bjsmith%5D

(was not originally jsmith, but something similarly simple).

I need to investigate why this is happening but jeeez.


Continuing to investigate today, found that I can be logged out by viewing a user (that isn't me) via the UI too:

https://<jenkinsurl>/users/<user>