
UsernameNotFoundException when ActiveDirectory used for API and token authentication

      When a valid username and api-token are used from the Jenkins Python API, the Jenkins server (version 1.582) returns an exception (see stack trace below).

      Note: When active-directory is not used, the Jenkins API authentication works (tested on Jenkins 1.554.2).

      ----- exception stack trace
      javax.servlet.ServletException: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
      at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:36)
      at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:72)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      at org.eclipse.jetty.server.Server.handle(Server.java:370)
      at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:949)
      at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:1011)
      at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:644)
      at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
      at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: org.acegisecurity.userdetails.UsernameNotFoundException: Authentication was successful but cannot locate the user information for ci_dev_test
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:273)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:196)
      at hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider.retrieveUser(ActiveDirectoryUnixAuthenticationProvider.java:140)
      at hudson.plugins.active_directory.AbstractActiveDirectoryAuthenticationProvider.loadUserByUsername(AbstractActiveDirectoryAuthenticationProvider.java:30)
      at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
      at hudson.model.User.impersonate(User.java:282)
      at jenkins.security.BasicHeaderApiTokenAuthenticator.authenticate(BasicHeaderApiTokenAuthenticator.java:31)
      ... 35 more

      Page generated: 1-Oct-2014 5:11:08 PM  REST API  Jenkins ver. 1.582

          [JENKINS-24958] UsernameNotFoundException when ActiveDirectory used for API and token authentication

          Matthew Bells created issue -

          Daniel Beck added a comment -

          Issue report needs to show this is an issue with Jenkins. Get rid of JenkinsAPI, use only what Jenkins provides.

          Provide complete and precise steps to reproduce the problem. How is Active Directory configured? What version of the plugin are you using? (Are both instances using the same plugin version? What happens when you configure the older Jenkins version to use Active Directory?)

          In the affected instance, are you able to use the CLI (with authentication)? The XML/JSON API (using e.g. curl)? The Web UI? What is shown on the /whoAmI web page?

          Configure a log recorder with logger hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider on level FINE. What gets logged around the time the error occurs?


          Martin Blankenstein added a comment - - edited

          Maybe really a bug in Jenkins?

          I also get this exception.
          We use Jenkins 1.580.1 and an active directory plugin.
          When we use the api/xml with an apitoken I get this exception every 2nd request. I don't know why, but my workaround is to do each request twice.
          Maybe this helps...


          Felix Hassert added a comment -

          I have a similar problem. We use

          • Jenkins LTS 1.580.1
          • project based matrix ACLs
          • authentication via LDAP

          reproduce:

          • create dummy job
          • project based access-control forbids anonymous users
          • add a user with read and build permissions
          • get an API token for that user
          • (I also have a build trigger token, but I don't know if that matters)
          • (optional: activate "Build User Vars" plugin and echo ${BUILD_USER} in a bash script)
          • trigger the job with curl --user me:apitoken https://server/job/test/build?token=ASDF
          • (I have a parameterized build, but again I don't know if that matters)

          Expected Result:

          • build triggers
          • build info contains "Started by <user>"
          • (bash script shows <user> as $BUILD_USER)

          Actual Result:

          • build triggers (i.e. authentication was granted)
          • build info says "started from remote computer <IP>"
          • ($BUILD_USER not set in bash script)

          To me, this sounds related to the original issue description. Although access via the API token is granted (and no exceptions are thrown), the user data itself is not known to core (build info) or plugins (build user vars).

          I consider this functionality critical, because it gives us an easily readable protocol of users that have triggered a certain job (i.e. traceability).


          Daniel Beck added a comment - - edited

          Felix: You're just doing it wrong. Leave out token=ASDF, that's only needed if read access to the job is available and you want to build without being allowed by your authentication. Basically,

          (I also have a build trigger token, but I don't know if that matters)

          that is the reason Expected and Actual are different.
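
An added example, not part of the thread and not Jenkins code: a check over job-trigger scripts for curl calls that send user credentials together with a token= parameter, the combination that in the report above left the build recorded as started from a remote computer instead of by the user. The sample lines are constructed and the function names are hypothetical.

```python
import shlex
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines, modelled on the curl call quoted in the thread.
SAMPLE_LINES = [
    "curl --user me:apitoken 'https://server/job/test/build?token=ASDF'",
    "curl -u me:apitoken 'https://server/job/test/buildWithParameters?token=ASDF&ENV=qa'",
    "curl --user me:apitoken -X POST https://server/job/test/build",
    "curl 'https://server/job/test/build?token=ASDF'",
]


def audit_trigger(line):
    """Return (has_user_auth, has_trigger_token, url_without_token) for one curl line."""
    args = shlex.split(line)
    # Credentials passed as -u / --user (separate argument or --user=value).
    has_auth = any(a in ("-u", "--user") or a.startswith("--user=") for a in args)
    url = next((a for a in args if a.startswith(("http://", "https://"))), None)
    if url is None:
        return has_auth, False, None
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    has_token = any(key == "token" for key, _ in query)
    # Drop only the trigger token; build parameters such as ENV=qa are kept.
    kept = [(key, value) for key, value in query if key != "token"]
    cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
    return has_auth, has_token, cleaned


def find_unattributed(lines):
    """Lines that authenticate as a user and also pass the job's trigger token."""
    findings = []
    for line in lines:
        has_auth, has_token, cleaned = audit_trigger(line)
        if has_auth and has_token:
            findings.append((line, cleaned))
    return findings


if __name__ == "__main__":
    for original, cleaned in find_unattributed(SAMPLE_LINES):
        print("token= sent with user credentials:", original)
        print("  URL without trigger token:     ", cleaned)
```

Lines that carry only token= and no credentials are not flagged, since there is no authenticated user to attribute the build to in that case.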


          Daniel Beck added a comment -

          Resolving as incomplete as requested additional information has not been provided in months.

          Daniel Beck made changes -
          Resolution New: Incomplete [ 4 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          Keith Davis added a comment -

          I'm having this same problem. What info exactly do you need?

          Keith Davis made changes -
          Resolution Original: Incomplete [ 4 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]

          Daniel Beck added a comment -

          See first comment.

