accounts.jenkins.io can't login or use password reset


Johan Cornelissen

Jun 3, 2020, 11:30:10 AM
to Jenkins Developers
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.

Oleg Nenashev

Jun 3, 2020, 12:56:59 PM
to Jenkins Developers
Hi Johan,

This is related to yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes." We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you have registered less than 3 months ago, then you may need to re-register.

Best regards,
Oleg

Johan Cornelissen

Jun 3, 2020, 6:14:21 PM
to Jenkins Developers
Thanks for the information Oleg. I was worried that it might be related to the outage.

My username is johanc if you are able to reset it manually.

Cheers,
Johan

Michał Malicki

Jun 4, 2020, 4:55:15 AM
to Jenkins Developers
Hi Oleg,
I have a similar situation, can't log in to the account with id "deviniti". I'd appreciate it if you could try to reset that one as well.
If that account is not in current db, can we re-register providing the same id?
Regards,
Michał

Olblak

Jun 4, 2020, 6:31:42 AM
to Jenkins Developers ML
> If that account is not in current db, can we re-register providing the same id?

Yes you can, in your case I see that there is already an account in the database.

Mez Pahlan

Jun 5, 2020, 4:16:19 AM
to Jenkins Developers
I'm glad I checked here first!

Same thing happened to me. My user id is: mezpahlan

I registered more than 3 months ago but I have changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?

Thanks

Oleg Nenashev

Jun 5, 2020, 4:21:09 AM
to JenkinsCI Developers
Yes, it is better to do password reset.
Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.




Dmitry Sotnikov

Jun 8, 2020, 8:08:31 PM
to Jenkins Developers
Do you guys plan to reach out to all the extension owners?

We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.

This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.

Dmitry



Oleg Nenashev

Jun 9, 2020, 5:15:03 AM
to Jenkins Developers
Hi all,

An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.

Just to provide some updates:
  • As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change.
  • We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no".
Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more detail. Calendar link

Best regards,
Oleg Nenashev
Jenkins Security Team

Oleg Nenashev

Jun 9, 2020, 8:29:39 AM
to Jenkins Developers
We are also experiencing issues with artifact downloads, likely collateral damage after the change.

Oleg Nenashev

Jun 9, 2020, 8:58:33 AM
to Jenkins Developers
Downloads are restored. Another workaround has been applied by Daniel in https://github.com/jenkins-infra/repository-permissions-updater/pull/1569, so user downloads are no longer broken.
Thanks a lot to Daniel Beck for the quick fix!

Uploads are still blocked for everyone except a few users with Artifactory-wide permissions. We will be reviewing our options and communicating the next steps soon.

Best regards,
Oleg

Roni Segal

Jun 14, 2020, 8:40:06 AM
to Jenkins Developers
Hi, any updates on the uploads? We still cannot upload our plugin.

Oleg Nenashev

Jun 14, 2020, 8:48:20 AM
to JenkinsCI Developers
Please see https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk for the status updates. Yes, downloads are still blocked


Oleg Nenashev

Jun 15, 2020, 10:13:25 AM
to Jenkins Developers

Matt Murphy

Jun 16, 2020, 4:31:39 PM
to Jenkins Developers
Hi Oleg,

I've hit the same problem as others on this thread (my password no longer works and a reset doesn't send the email).  Can you reset my account pw too?  User id is mattmurp

Thanks,

Aaron Whiteside

Jul 4, 2020, 8:17:15 AM
to Jenkins Developers
Hi Oleg,

I've had the same issue, not able to login or reset my password. My account ID is aaronjwhiteside.


Thanks in advance!

Regards,
Aaron

Oleg Nenashev

Jul 4, 2020, 3:53:48 PM
to Jenkins Developers
Hi all,

Please bring up these issues in the Jenkins Infrastructure mailing list: https://groups.google.com/forum/#!forum/jenkins-infra

The user accounts password reset was not finished as communicated here: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/ll-opqUhBgAJ. In the current state I am afraid of touching the user database, and I would prefer that other Jenkins Infra team members with more subject matter knowledge handle account requests. Right now I have no bandwidth to perform history review and manual fix for users.

Thanks for understanding,
Oleg