[JIRA] (JENKINS-57429) "SYSTEM" is prohibited as a username for security reasons.


groenator@gmail.com (JIRA)

May 13, 2019, 8:24:03 AM
to jenkinsc...@googlegroups.com
Bogdan Grosu created an issue
 
Jenkins / Bug JENKINS-57429
"SYSTEM" is prohibited as a username for security reasons.
Issue Type: Bug
Assignee: Unassigned
Components: credentials-plugin
Created: 2019-05-13 12:23
Priority: Minor
Reporter: Bogdan Grosu

Hi,

I have a pre-built Jenkins environment where I inject my secrets from a JSON file into the credentials.xml file via variables using Ansible. Ideally, when Jenkins starts, credentials.xml would be encrypted; however, Jenkins doesn't encrypt the credentials.xml file, it only encrypts secrets inside the config.xml file on startup.

Eventually, I wrote a Groovy script to encrypt all the credentials on boot, from config.xml and credentials.xml. Now, when Jenkins starts, it will run this Groovy script:

import jenkins.model.Jenkins;
// Force a save of every credentials store so that secrets are written back encrypted
com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()

Everything gets encrypted; however, now I see a warning message from Jenkins, complaining that the system user is a prohibited user name.

This is the warning message I see in the logs:

May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
WARNING: Forced save credentials stores: Could not save com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl@c1aa8e7
ERROR: "SYSTEM" is prohibited as a username for security reasons.
    at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:266)
    at hudson.util.FormValidation.errorWithMarkup(FormValidation.java:252)
    at hudson.util.FormValidation.error(FormValidation.java:143)
    at hudson.model.User.save(User.java:792)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.save(UserCredentialsProvider.java:488)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.access$1100(UserCredentialsProvider.java:196)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl.save(UserCredentialsProvider.java:805)
    at com.cloudbees.plugins.credentials.CredentialsProvider$3.run(CredentialsProvider.java:1705)
    at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

Why am I seeing this warning message and how can I fix it? Is there another way to enforce encryption on startup, rather than using the Groovy script I wrote? When I started working on this CI/CD project, Jenkins was encrypting the secrets on startup. I am not sure what I have done that in the end Jenkins is ignoring the credentials.xml file and leaves the secrets in plain text.

  • The Jenkins master is running inside a Docker container.
  • The flavour of the container is CentOS 7.
  • The version of Jenkins is 2.164.3.
  • Credential plugin version is crede...@2.1.18

Thank you!

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
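
A check the provisioning step could run against the rendered credentials.xml, added here as an illustration (not code from the reporter or the Jenkins project): it flags secret elements whose value is not in a `{base64}` wrapper. The wrapper format, the element names in `SECRET_TAGS` and the sample XML are assumptions constructed for this example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumed secret-bearing element names; extend for the credential types in use.
SECRET_TAGS = {"password", "passphrase", "secret", "privateKey", "secretBytes"}
# Assumed on-disk form of an encrypted value: base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")

# Constructed sample, not taken from the report.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <list>
    <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      <id>deploy-user</id>
      <password>{QUJDREVGR0hJSktMTU5PUA==}</password>
    </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      <id>ci-bot</id>
      <password>injected-by-ansible</password>
    </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  </list>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""


def looks_encrypted(value):
    """True if value has the {base64} wrapper and the payload decodes."""
    m = ENCRYPTED.match(value.strip())
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return False
    return True


def find_plaintext_secrets(xml_text):
    """Return (tag, credential id) for secret elements left unencrypted."""
    # The file may carry an XML 1.1 declaration, which expat does not parse; drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    findings = []
    for cred in ET.fromstring(body).iter():
        cred_id = cred.findtext("id")
        if cred_id is None:
            continue
        for el in cred.iter():
            if el.tag in SECRET_TAGS and el.text and not looks_encrypted(el.text):
                findings.append((el.tag, cred_id))
    return findings
```

Running `find_plaintext_secrets` on the file after Jenkins has started shows whether the startup save actually rewrote every secret; it reports only element names and credential ids, never the secret values.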

groenator@gmail.com (JIRA)

May 13, 2019, 8:26:02 AM
to jenkinsc...@googlegroups.com
Bogdan Grosu updated an issue
Change By: Bogdan Grosu
Hi,

I have a pre-built Jenkins environment where I inject my secrets from a JSON file into the credentials.xml file via variables using Ansible. Ideally, when Jenkins starts, credentials.xml would be encrypted; however, Jenkins doesn't encrypt the credentials.xml file, it only encrypts secrets inside the config.xml file on startup.

Eventually, I wrote a Groovy script to encrypt all the credentials on boot, from config.xml and credentials.xml. Now, when Jenkins starts, it will run this Groovy script:
{code:java}
import jenkins.model.Jenkins;
// Force a save of every credentials store so that secrets are written back encrypted
com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()
{code}

Everything gets encrypted; however, now I see a warning message from Jenkins, complaining that the system user is a prohibited user name.

This is the warning message I see in the logs:
{code:java}

May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
WARNING: Forced save credentials stores: Could not save com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl@c1aa8e7
ERROR: "SYSTEM" is prohibited as a username for security reasons.
    at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:266)
    at hudson.util.FormValidation.errorWithMarkup(FormValidation.java:252)
    at hudson.util.FormValidation.error(FormValidation.java:143)
    at hudson.model.User.save(User.java:792)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.save(UserCredentialsProvider.java:488)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.access$1100(UserCredentialsProvider.java:196)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl.save(UserCredentialsProvider.java:805)
    at com.cloudbees.plugins.credentials.CredentialsProvider$3.run(CredentialsProvider.java:1705)
    at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
{code}

Why am I seeing this warning message and how can I fix it? Is there another way to enforce encryption on startup, rather than using the Groovy script I wrote? When I started working on this CI/CD project, Jenkins was encrypting the secrets on startup. I am not sure what I have done that in the end Jenkins is ignoring the credentials.xml file and leaves the secrets in plain text.
* The Jenkins master is running inside a Docker container.
* The flavour of the container is CentOS 7

* The version of Jenkins is 2.164.
3. 2
* Credential plugin version is crede...@2.1.18

Thank you!

groenator@gmail.com (JIRA)

Jun 21, 2019, 8:06:02 AM
to jenkinsc...@googlegroups.com
Bogdan Grosu commented on Bug JENKINS-57429
 
Re: "SYSTEM" is prohibited as a username for security reasons.

Hi guys,

Is it possible to get an update on this bug? Is this a bug or not?

Thank you!

groenator@gmail.com (JIRA)

Jun 21, 2019, 8:07:02 AM
to jenkinsc...@googlegroups.com
Bogdan Grosu edited a comment on Bug JENKINS-57429
Hi guys,

Is it possible to get an update on this bug? Is this a bug or not? What would be the way to remediate the issue?

Thank you!

contact@anthonygreen.me (JIRA)

Aug 1, 2019, 8:16:02 AM
to jenkinsc...@googlegroups.com

groenator@gmail.com (JIRA)

Aug 21, 2019, 12:29:01 PM
to jenkinsc...@googlegroups.com