
v1.551 + GitHub OAuth == broken api token access

      I've reproduced this by setting up a fresh Jenkins install.

      Here are my notes from that install:

      On Ubuntu 12.04.4 LTS

      sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian binary/ > /etc/apt/sources.list.d/jenkins.list'
      wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key | sudo apt-key add -
      sudo apt-get update
      sudo apt-get install jenkins

      Visit http://host:8080/configureSecurity/
      Check "Enable security"
      Under the "Access Control" section choose the option "Jenkins’ own user database" under the "Security Realm" header.
      Choose "Save" at the bottom of the page.

      Visit http://host:8080/signup
      Fill out the form, matching the username to your GitHub username.

      Return to http://host:8080/configureSecurity/
      Under the "Access Control" section unselect "Allow users to sign up" under "Jenkins’ own user database" which is under the "Security Realm" header.
      Under the "Authorization" heading select the option "Logged-in users can do anything".
      Choose "Save" at the bottom of the page.

      Visit http://host:8080/pluginManager/
      Select all plugins with available updates using the link at the bottom of the page and then "install without restart".
      On the subsequent screen choose "Restart Jenkins when installation is complete and no jobs are running."

      At this point running the following produces no error:

      curl --url http://host:8080/user/mr-c --user mr-c:${api_token}

      Install the GitHub OAuth Plugin (grabs the GitHub API Plugin)
      Return to http://host:8080/configureSecurity/
      Under the "Access Control" section choose the option "Github Authentication Plugin" under the "Security Realm" header.
      GitHub Web URI: https://github.com
      GitHub API URI: https://api.github.com
      Client ID: <masked for security>
      Client Secret: <masked for security>
      Under the "Authorization" heading select the option "Github Commiter Authorization Strategy".
      Admin User Names: mr-c
      Participant in Organization: ged-lab
      Grant READ permissions to all Authenticated Users: yes
      Grant READ permissions for /github-webhook: yes
      Grant READ permissions for Anonymous Users: yes
      Choose "Save" at the bottom of the page.

      Now the command:

      curl --url http://host:8080/user/mr-c --user mr-c:${api_token}

      produces this output:

      HTTP ERROR 401

      Problem accessing /user/mr-c. Reason:
      Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@23fcf1a8: Username: mr-c; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: <masked for privacy>; SessionId: null; Not granted any authorities

      This became a problem for me while trying to update my OS X slave using rhwood's jenkins-slave-osx script. I've filed a ticket there:
      https://github.com/rhwood/jenkins-slave-osx/issues/33
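The curl check from the report as a repeatable smoke test. This is an added example, not part of the original report: it separates the "Unexpected authentication type" 401 shown above from any other 401, and passes the token to curl on stdin instead of on the command line. The function names, the result labels and the JENKINS_API_TOKEN variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original report).

# 401 body abridged from the output quoted in the report, used as sample input.
SAMPLE_401_BODY='Problem accessing /user/mr-c. Reason: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@23fcf1a8: Username: mr-c; Password: [PROTECTED]; Authenticated: false'

# classify_auth_response STATUS BODY
# Prints one of: ok | auth-type-rejected | other-401 | unexpected
classify_auth_response() {
    status=$1
    body=$2
    case "$status" in
        2??) echo ok ;;
        401)
            # The failure in this report names the authentication type in the
            # error body; any other 401 (for example a wrong token) does not.
            case "$body" in
                *"Unexpected authentication type"*) echo auth-type-rejected ;;
                *) echo other-401 ;;
            esac ;;
        *) echo unexpected ;;   # includes 000, which curl reports when it cannot connect
    esac
}

# check_api_token BASE_URL USER
# Reads the token from $JENKINS_API_TOKEN (assumed variable name).
check_api_token() {
    base=$1
    user=$2
    # Feed the credentials to curl as a config line on stdin so the token does
    # not show up in the process list. Assumes the token has no quotes or
    # backslashes in it.
    resp=$(printf 'user = "%s:%s"\n' "$user" "$JENKINS_API_TOKEN" |
        curl --silent --config - --write-out '\n%{http_code}' "$base/user/$user")
    # --write-out appends the status code as the last line of the response.
    status=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d')
    classify_auth_response "$status" "$body"
}
```

Run it as `JENKINS_API_TOKEN=... check_api_token http://host:8080 mr-c` before and after changing the security realm or upgrading Jenkins.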

          [JENKINS-21882] v1.551 + GitHub OAuth == broken api token access

          Michael Crusoe created issue -

          Michael Crusoe added a comment -

          The contents of /systemInfo:

          System Properties

          Name	Value
          executable-war	/usr/share/jenkins/jenkins.war
          file.encoding	UTF-8
          file.encoding.pkg	sun.io
          file.separator	/
          hudson.diyChunking	true
          java.awt.graphicsenv	sun.awt.X11GraphicsEnvironment
          java.awt.headless	true
          java.awt.printerjob	sun.print.PSPrinterJob
          java.class.path	/usr/share/jenkins/jenkins.war
          java.class.version	50.0
          java.endorsed.dirs	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/endorsed
          java.ext.dirs	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
          java.home	/usr/lib/jvm/java-6-openjdk-amd64/jre
          java.io.tmpdir	/tmp
          java.library.path	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/server:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64:/usr/lib/jvm/java-6-openjdk-amd64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
          java.runtime.name	OpenJDK Runtime Environment
          java.runtime.version	1.6.0_27-b27
          java.specification.name	Java Platform API Specification
          java.specification.vendor	Sun Microsystems Inc.
          java.specification.version	1.6
          java.vendor	Sun Microsystems Inc.
          java.vendor.url	http://java.sun.com/
          java.vendor.url.bug	http://java.sun.com/cgi-bin/bugreport.cgi
          java.version	1.6.0_27
          java.vm.info	mixed mode
          java.vm.name	OpenJDK 64-Bit Server VM
          java.vm.specification.name	Java Virtual Machine Specification
          java.vm.specification.vendor	Sun Microsystems Inc.
          java.vm.specification.version	1.0
          java.vm.vendor	Sun Microsystems Inc.
          java.vm.version	20.0-b12
          jna.platform.library.path	/usr/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:/lib64:/usr/lib:/lib
          line.separator	
          mail.smtp.sendpartial	true
          mail.smtps.sendpartial	true
          os.arch	amd64
          os.name	Linux
          os.version	3.2.0-58-virtual
          path.separator	:
          sun.arch.data.model	64
          sun.boot.class.path	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/netx.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/plugin.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rhino.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/modules/jdk.boot.jar:/usr/lib/jvm/java-6-openjdk-amd64/jre/classes
          sun.boot.library.path	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64
          sun.cpu.endian	little
          sun.cpu.isalist	
          sun.io.unicode.encoding	UnicodeLittle
          sun.java.command	/usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --ajp13Port=-1
          sun.java.launcher	SUN_STANDARD
          sun.jnu.encoding	UTF-8
          sun.management.compiler	HotSpot 64-Bit Tiered Compilers
          sun.os.patch.level	unknown
          svnkit.http.methods	Digest,Basic,NTLM,Negotiate
          svnkit.ssh2.persistent	false
          user.country	US
          user.dir	/
          user.home	/var/lib/jenkins
          user.language	en
          user.name	jenkins
          user.timezone	America/New_York

          Environment Variables

          Name	Value
          _	/usr/bin/daemon
          HOME	/var/lib/jenkins
          JENKINS_HOME	/var/lib/jenkins
          LANG	en_US.UTF-8
          LD_LIBRARY_PATH	/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64/server:/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/amd64:/usr/lib/jvm/java-6-openjdk-amd64/jre/../lib/amd64
          LOGNAME	jenkins
          MAIL	/var/mail/jenkins
          PATH	/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
          PWD	/var/lib/jenkins
          SHELL	/bin/bash
          SHLVL	1
          TERM	screen
          USER	jenkins

          Plugins

          Name	Version	Enabled	Pinned
          ant	1.2	true	false
          credentials	1.10	true	true
          cvs	2.11	true	false
          external-monitor-job	1.2	true	false
          github-api	1.44	true	false
          github-oauth	0.14	true	false
          javadoc	1.1	true	false
          ldap	1.8	true	true
          mailer	1.8	true	true
          matrix-auth	1.1	true	false
          maven-plugin	2.1	true	false
          pam-auth	1.1	true	false
          scm-api	0.2	true	false
          ssh-credentials	1.6.1	true	true
          ssh-slaves	1.6	true	true
          subversion	2.2	true	true
          translation	1.11	true	true
          windows-slaves	1.0	true	false
          


          Michael Glass added a comment - - edited

          confirmed: rolling back to git 1.550 fixes auth issues


          Michael Crusoe added a comment -

          Should I remove 'github-oauth' from the component list then?

          Michael Glass added a comment - - edited

          if you want username/api token access to jenkins, either disable the github oauth plugin or roll back to version jenkins 1.550 or before.


          Jens Nielsen added a comment -

          I'm seeing the same issue on the latest LTS release (1.532.2); downgrading to 1.532.1 fixes it.


          Michael Glass added a comment -

          confirmed still an issue with 1.552


          Soren Hansen added a comment -

          ..and 1.553. Is anyone looking into this?


          Soren Hansen added a comment -

          This seems to have been introduced by https://github.com/jenkinsci/jenkins/commit/5548b5220cfd496831b5721124189ff18fbb12a3

          This makes it work again:

          https://github.com/sorenh/github-oauth-plugin/commit/da5c787cf72580f06c6a6318bf1b8a73071e8bcd

          But I'm fairly sure it's not the right fix:

          • The correct fix should be to make sure the authtoken is set. I don't know why it isn't.
          • The correct exception to throw in that situation seems like DataAccessException, but that would not actually make this work again.

          Perhaps someone else can shed some light on why authtoken might be null at this point? I've never looked at Jenkins internals before (and haven't really touched java in around a decade), so any further input would be greatly appreciated.


          Soren Hansen added a comment -

          Or perhaps this is correct.. The authToken is specific to a user, so in this context it couldn't be set... and I don't suppose GitHub reveals information about users without authentication.


            skottler Sam Kottler
            mcrusoe Michael Crusoe