[JENKINS-13650] Upgrading Active Directory plugin from 1.26 to 1.27 causes loss of Jenkins admin rights

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: active-directory-plugin
Labels:
- plugin
- security
Environment:
Windows Server 2003 x86, non-domain, connecting to Windows Server 2008 Active Directory. "Domain Name" set to ourcompanyname.com, "Domain controller" left blank. Jenkins version=1.450, AD plugin version=1.26

Similar Issues:
Powered by SuggestiMate

Show

I just updated the AD plugin with "install without restarting" turned on to attempt to fix bug 12619 which I originally reported.

It failed:

INFO: Starting the installation of Active Directory plugin on behalf of tfanning
01-May-2012 11:23:40 hudson.model.UpdateCenter$UpdateCenterConfiguration download
INFO: Downloading Active Directory plugin
01-May-2012 11:23:41 hudson.PluginManager dynamicLoad
INFO: Attempting to dynamic load C:\Program Files\Jenkins\plugins\active-directory.jpi
01-May-2012 11:23:41 hudson.model.UpdateCenter$DownloadJob run
SEVERE: Failed to install Active Directory plugin
hudson.util.IOException2: Failed to dynamically deploy this plugin
at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1137)
at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:955)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: Unable to delete C:\Program Files\Jenkins\plugins\active-directory\WEB-INF\lib\active-directory-1.0.jar
at hudson.Util.deleteFile(Util.java:237)
at hudson.Util.deleteRecursive(Util.java:287)
at hudson.Util.deleteContentsRecursive(Util.java:198)
at hudson.Util.deleteRecursive(Util.java:278)
at hudson.Util.deleteContentsRecursive(Util.java:198)
at hudson.Util.deleteRecursive(Util.java:278)
at hudson.Util.deleteContentsRecursive(Util.java:198)
at hudson.ClassicPluginStrategy.explode(ClassicPluginStrategy.java:389)
at hudson.ClassicPluginStrategy.createPluginWrapper(ClassicPluginStrategy.java:113)
at hudson.PluginManager.dynamicLoad(PluginManager.java:340)
at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1133)
... 7 more

I then restarted the Jenkins service, waited, logged in with my AD credentials, so this appeared to work.

However in Jenkins my AD account has now lost all of its admin privileges, i.e. I nor any other person configured to have admin rights can now configure Jenkins.

I noticed active-directory.bak left over in the Jenkins plugin folder. Stopped the service, deleted active-directory.jpi, renamed active-directory.bak to .jpi, restarted, all working (albeit with bug 12619 still present)

How should I upgrade to 1.27 safely?

Tom Fanning created issue - 2012-05-01 10:51

John Salvo added a comment - 2012-05-02 05:11

I have a similar but different issue. The active directory was upgraded properly to 1.27, but I also lost all jenkins admin rights ( There is no "Manage Jenkins" in the web page ).

$ cat /home/jenkins/plugins/active-directory/META-INF/MANIFEST.MF
Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven
Built-By: kohsuke
Build-Jdk: 1.6.0_26
Extension-Name: active-directory
Implementation-Title: active-directory
Implementation-Version: 1.27
Group-Id: org.jenkins-ci.plugins
Short-Name: active-directory
Long-Name: Jenkins Active Directory plugin
Url: http://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+Plugin
Plugin-Version: 1.27
Hudson-Version: 1.403
Jenkins-Version: 1.403
Plugin-Developers: Kohsuke Kawaguchi:kohsuke:

I'll try to revert back to 1.26 to see if that helps.

John Salvo added a comment - 2012-05-02 05:11 I have a similar but different issue. The active directory was upgraded properly to 1.27, but I also lost all jenkins admin rights ( There is no "Manage Jenkins" in the web page ). $ cat /home/jenkins/plugins/active-directory/META-INF/MANIFEST.MF Manifest-Version: 1.0 Archiver-Version: Plexus Archiver Created-By: Apache Maven Built-By: kohsuke Build-Jdk: 1.6.0_26 Extension-Name: active-directory Implementation-Title: active-directory Implementation-Version: 1.27 Group-Id: org.jenkins-ci.plugins Short-Name: active-directory Long-Name: Jenkins Active Directory plugin Url: http://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+Plugin Plugin-Version: 1.27 Hudson-Version: 1.403 Jenkins-Version: 1.403 Plugin-Developers: Kohsuke Kawaguchi:kohsuke: I'll try to revert back to 1.26 to see if that helps.

John Salvo added a comment - 2012-05-02 05:16

If it helps, I am using project matrix authorisation

<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
<permission>hudson.model.Computer.Configure:salvojo</permission>
<permission>hudson.model.Computer.Connect:salvojo</permission>
<permission>hudson.model.Computer.Create:salvojo</permission>
<permission>hudson.model.Computer.Delete:salvojo</permission>
<permission>hudson.model.Computer.Disconnect:salvojo</permission>
<permission>hudson.model.Hudson.Administer:salvojo</permission>
< ...snip ...>

John Salvo added a comment - 2012-05-02 05:16 If it helps, I am using project matrix authorisation <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"> <permission>hudson.model.Computer.Configure:salvojo</permission> <permission>hudson.model.Computer.Connect:salvojo</permission> <permission>hudson.model.Computer.Create:salvojo</permission> <permission>hudson.model.Computer.Delete:salvojo</permission> <permission>hudson.model.Computer.Disconnect:salvojo</permission> <permission>hudson.model.Hudson.Administer:salvojo</permission> < ...snip ...>

John Salvo added a comment - 2012-05-02 06:07

Confirmed that restoring the active directory plug-in back to 1.26 restored my admin rights, and the "Manage Jenkins" link is now displayed again.

John Salvo added a comment - 2012-05-02 06:07 Confirmed that restoring the active directory plug-in back to 1.26 restored my admin rights, and the "Manage Jenkins" link is now displayed again.

Deniz Bahadir added a comment - 2012-05-02 08:05 - edited

I have the same behavior. (After upgrading, all admin users lost their privileged rights.)

However, I might have a clue, whats going on:

With "Active Directory" plugin version 1.26: Jenkins shows my username in the top bar next to the logout-button.
With "Active Directory" plugin version 1.27: Jenkins shows my realname (in the form of "lastname, firstname") in the top bar next to the logout-button.
With "Active Directory" plugin version 1.27: Jenkins lists two users that seem to belong to me. One with my username as Jenkins user id (as with version 1.26), the other with my realname (in the form of "lastname, firstname").
With all "Active Directory" plugin versions: No matter what, I still can only login to Jenkins with my username, not with my realname (in the form of "lastname, firstname").

After manually editing jenkins' config.xml in the filesystem - by copying all the permission-related lines with my username and replacing the username with realname ("lastname, firstname") - I am able to get my admin rights back.

I assume, something got mixed up in version 1.27, so that wrong fields are read from the "Active Directory" database and the realname accidentally becomes the Jenkins user id.

Deniz Bahadir added a comment - 2012-05-02 08:05 - edited I have the same behavior. (After upgrading, all admin users lost their privileged rights.) However, I might have a clue, whats going on: With "Active Directory" plugin version 1.26: Jenkins shows my username in the top bar next to the logout-button. With "Active Directory" plugin version 1.27: Jenkins shows my realname (in the form of "lastname, firstname") in the top bar next to the logout-button. With "Active Directory" plugin version 1.27: Jenkins lists two users that seem to belong to me. One with my username as Jenkins user id (as with version 1.26), the other with my realname (in the form of "lastname, firstname"). With all "Active Directory" plugin versions: No matter what, I still can only login to Jenkins with my username, not with my realname (in the form of "lastname, firstname"). After manually editing jenkins' config.xml in the filesystem - by copying all the permission-related lines with my username and replacing the username with realname ("lastname, firstname") - I am able to get my admin rights back. I assume, something got mixed up in version 1.27, so that wrong fields are read from the "Active Directory" database and the realname accidentally becomes the Jenkins user id.

John Salvo made changes - 2012-05-02 11:17

Summary

Original: Upgrading Active Directory plugin from 1.26 to 1.27 reported as failure then causes loss of Jenkins admin rights

New: Upgrading Active Directory plugin from 1.26 to 1.27 causes loss of Jenkins admin rights

John Salvo added a comment - 2012-05-02 11:18

I updated the subject of this issue to reflect that the issue occurs on a successful upgrade to 1.27

John Salvo added a comment - 2012-05-02 11:18 I updated the subject of this issue to reflect that the issue occurs on a successful upgrade to 1.27

John Salvo added a comment - 2012-05-02 11:20

Deniz is right ... I saw under /home/jenkins/users .... not the network user ID, but the full name of the user.

John Salvo added a comment - 2012-05-02 11:20 Deniz is right ... I saw under /home/jenkins/users .... not the network user ID, but the full name of the user.

Jacob Robertson added a comment - 2012-05-02 19:52

I have the same issue. I worked around it by going into config.xml and "Camel-Casing" all the user names. For example, each permission with the name "jacob.robertson" I changed to "Jacob.Robertson" and then restarted Jenkins. It worked.

Jacob Robertson added a comment - 2012-05-02 19:52 I have the same issue. I worked around it by going into config.xml and "Camel-Casing" all the user names. For example, each permission with the name "jacob.robertson" I changed to "Jacob.Robertson" and then restarted Jenkins. It worked.

Jacob Robertson added a comment - 2012-05-02 21:10

I'm not sure what's going on... After making the fix I described above, I updated Jenkins to the latest LTS (1.447.1). At that time my permissions broke once again, and I had to fix config.xml to make my name all lower-case to get my permissions to show up.

Jacob Robertson added a comment - 2012-05-02 21:10 I'm not sure what's going on... After making the fix I described above, I updated Jenkins to the latest LTS (1.447.1). At that time my permissions broke once again, and I had to fix config.xml to make my name all lower-case to get my permissions to show up.

Assignee:: Kohsuke Kawaguchi

Reporter:: Tom Fanning

Votes:: 9 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 2012-05-01 10:51

Updated:: 2013-04-18 19:40

Resolved:: 2013-04-18 19:40

Jenkins

Details

Description

Attachments

Activity

Collapse comment: John Salvo added a comment - 2012-05-02 05:11

Expand comment: John Salvo added a comment - 2012-05-02 05:11

Collapse comment: John Salvo added a comment - 2012-05-02 05:16

Expand comment: John Salvo added a comment - 2012-05-02 05:16

Collapse comment: John Salvo added a comment - 2012-05-02 06:07

Expand comment: John Salvo added a comment - 2012-05-02 06:07

Collapse comment: Deniz Bahadir added a comment - 2012-05-02 08:05, Edited by Deniz Bahadir - 2012-05-02 08:06

Expand comment: Deniz Bahadir added a comment - 2012-05-02 08:05, Edited by Deniz Bahadir - 2012-05-02 08:06

Collapse comment: John Salvo added a comment - 2012-05-02 11:18

Expand comment: John Salvo added a comment - 2012-05-02 11:18

Collapse comment: John Salvo added a comment - 2012-05-02 11:20

Expand comment: John Salvo added a comment - 2012-05-02 11:20

Collapse comment: Jacob Robertson added a comment - 2012-05-02 19:52

Expand comment: Jacob Robertson added a comment - 2012-05-02 19:52

Collapse comment: Jacob Robertson added a comment - 2012-05-02 21:10

Expand comment: Jacob Robertson added a comment - 2012-05-02 21:10

People

Dates