Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-2544

Incrementals deployment broken with 403

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Vincent Latombe noticed today, and I also see, that Incrementals deployment is broken:

       ​HTTP/1.1 403 Forbidden
       ​Content-Lenth: 37
       ​Content-Type: text/plain; charset=utf-8
       ​Request-Context: ppId=cid-v1:ea51b449-66e3-4af7-ac1a-b4522a223b
       ​Date: Fri, 20 Mar 2020 18:0250 GMT
       

        Attachments

          Issue Links

            Activity

            Hide
            ericcitaire Eric Citaire added a comment -

            Same here : https://ci.jenkins.io/job/Plugins/job/docker-plugin/job/PR-777/12/execution/node/347/log/

            Also, the curl command should have the -f option to mark the step as failed.

            Show
            ericcitaire Eric Citaire added a comment - Same here :  https://ci.jenkins.io/job/Plugins/job/docker-plugin/job/PR-777/12/execution/node/347/log/ Also, the curl command should have the -f option to mark the step as failed.
            Hide
            jglick Jesse Glick added a comment -

            Also, the curl command should have the -f option to mark the step as failed.

            No, this is deliberately not treated as a build failure.

            Show
            jglick Jesse Glick added a comment - Also, the curl command should have the -f option to mark the step as failed. No, this is deliberately not treated as a build failure.
            Hide
            jglick Jesse Glick added a comment -

            Specifically the error is

            Response from Artifactory: Forbidden
            

            Possibly something as simple as an expired Artifactory access token. Can someone in infra look at this please?

            Show
            jglick Jesse Glick added a comment - Specifically the error is Response from Artifactory: Forbidden Possibly something as simple as an expired Artifactory access token. Can someone in infra look at this please?
            Hide
            timja Tim Jacomb added a comment -

            Jesse Glick the access to artifactory is very limited, it was discussed in the infra call today and Oleg said as far as he was aware only yourself and Daniel Beck have access.

            Daniel Beck would you be able to take a look at this? if you could pass the new credential to Olivier Vernin or grant him access to do it himself, that would be great thanks

            Show
            timja Tim Jacomb added a comment - Jesse Glick the access to artifactory is very limited, it was discussed in the infra call today and Oleg said as far as he was aware only yourself and Daniel Beck have access. Daniel Beck would you be able to take a look at this? if you could pass the new credential to Olivier Vernin or grant him access to do it himself, that would be great thanks
            Hide
            danielbeck Daniel Beck added a comment - - edited

            Incrementals deployment needs to use a different user to deploy. I consider jenkinsadmin (LDAP, not GitHub) compromised. Ideally a user like incrementals-deployer so it's obvious what it's for.

            Show
            danielbeck Daniel Beck added a comment - - edited Incrementals deployment needs to use a different user to deploy. I consider jenkinsadmin (LDAP, not GitHub) compromised. Ideally a user like incrementals-deployer so it's obvious what it's for.
            Hide
            jglick Jesse Glick added a comment -

            I neither have access to obtain a new Artifactory token for an appropriate user, nor to modify the publisher’s configuration to use it.

            Show
            jglick Jesse Glick added a comment - I neither have access to obtain a new Artifactory token for an appropriate user, nor to modify the publisher’s configuration to use it.
            Hide
            olblak Olivier Vernin added a comment -

            Daniel Beck
            Why jenkinsadmin would be compromised? I see that it was created by KK

            Show
            olblak Olivier Vernin added a comment - Daniel Beck Why jenkinsadmin would be compromised? I see that it was created by KK
            Hide
            danielbeck Daniel Beck added a comment -

            It was used on DEV@cloud and/or BuildHive to deploy Jenkins plugins years ago. As I have no idea how regularly KK rotates passwords, I revoked all permissions for this user I had hoped wasn't used anymore.

            Well, it still is

            Show
            danielbeck Daniel Beck added a comment - It was used on DEV@cloud and/or BuildHive to deploy Jenkins plugins years ago. As I have no idea how regularly KK rotates passwords, I revoked all permissions for this user I had hoped wasn't used anymore. Well, it still is
            Hide
            danielbeck Daniel Beck added a comment -

            (Probably as easy as rotating credentials, and probably a new email address to untie from KK's personal email.)

            Show
            danielbeck Daniel Beck added a comment - (Probably as easy as rotating credentials, and probably a new email address to untie from KK's personal email.)
            Hide
            olblak Olivier Vernin added a comment -

            Ok so I changed the email to be redirected to me and I also changed the password, Daniel Beck can you restore the permission for this user?

            Show
            olblak Olivier Vernin added a comment - Ok so I changed the email to be redirected to me and I also changed the password, Daniel Beck can you restore the permission for this user?
            Hide
            danielbeck Daniel Beck added a comment -

            The LDAP user jenkinsadmin now has permission to deploy to the incrementals Artifactory repository again.

            Would still favor a specific user for this service; users like this tend to get reused too much.

            Show
            danielbeck Daniel Beck added a comment - The LDAP user  jenkinsadmin now has permission to deploy to the  incrementals Artifactory repository again. Would still favor a specific user for this service; users like this tend to get reused too much.
            Hide
            olblak Olivier Vernin added a comment -

            The problem now seems to be a little different as it returns bad request link

            Show
            olblak Olivier Vernin added a comment - The problem now seems to be a little different as it returns bad request link
            Show
            jglick Jesse Glick added a comment - see https://github.com/jenkins-infra/pipeline-library/pull/142
            Show
            timja Tim Jacomb added a comment - Works now, https://repo.jenkins-ci.org/incrementals/com/sonyericsson/jenkins/plugins/bfa/build-failure-analyzer/1.25.2-rc673.52c337d160b0/
            Hide
            batmat Baptiste Mathus added a comment -

            Wooot thanks everyone!

            Show
            batmat Baptiste Mathus added a comment - Wooot thanks everyone!
            Hide
            jglick Jesse Glick added a comment -

            Confirmed working now, thanks!

            Show
            jglick Jesse Glick added a comment - Confirmed working now, thanks!

              People

              Assignee:
              olblak Olivier Vernin
              Reporter:
              jglick Jesse Glick
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: