[JENKINS-28964] Stack trace if you set Unix user/group database & Logged-in users can do anything then hit save

Type: Bug
Resolution: Unresolved
Priority: Minor
Component/s: core
Labels:
Environment:
Jenkins ver. 1.615
3.13.0-53-generic #89-Ubuntu x86_64 GNU/Linux
ubuntu 14.04 LTS

Similar Issues:
Powered by SuggestiMate

Show

I connected to the Jenkins server. Went to configuration. Clicked the setup security option and chose Unix user/group database, Logged-in users can do anything (read only for everyone else).

When I clicked the save button I was taken to a page that presented me with the following message:

Oops!

A problem occurred while processing the request. Please check our bug tracker to see if a similar problem has already been reported. If it is already reported, please vote and put a comment on it to let us gauge the impact of the problem. If you think this is a new issue, please file a new issue. When you file an issue, make sure to add the entire stack trace, along with the version of Jenkins and relevant plugins. The users list might be also useful in understanding what has happened.

Stack trace

javax.servlet.ServletException: hudson.security.AccessDeniedException2: anonymous is missing the Overall/RunScripts permission
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$13.dispatch(MetaClass.java:411)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:123)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:114)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
at org.eclipse.jetty.server.Server.handle(Server.java:370)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/RunScripts permission
at hudson.security.ACL.checkPermission(ACL.java:63)
at hudson.model.Node.checkPermission(Node.java:441)
at jenkins.security.s2m.AdminWhitelistRule.setMasterKillSwitch(AdminWhitelistRule.java:210)
at jenkins.security.s2m.MasterKillSwitchConfiguration.configure(MasterKillSwitchConfiguration.java:40)
at hudson.security.GlobalSecurityConfiguration.configureDescriptor(GlobalSecurityConfiguration.java:126)
at hudson.security.GlobalSecurityConfiguration.configure(GlobalSecurityConfiguration.java:115)
at hudson.security.GlobalSecurityConfiguration.doConfigure(GlobalSecurityConfiguration.java:79)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
... 47 more

I tried to search for this issue but I could not get any hits from parts of the first line and if I put the whole text in things started to complain about tabs being unescaped and needing replaced with \t. I also tried to search the user and dev lists but nothing was returned when I searched for the first line.

A quick internet search only turned up http://stackoverflow.com/questions/30279853/jenkins-reconfiguring-security-access-permissions A StackOverflow question on Jenkins - reconfiguring security access permissions which may provide a way to get me back to no security if needed by setting:
<useSecurity>false</useSecurity>
in /var/lib/jenkis/config.xml

Browsing back to the main dashboard in Jenkin's does not allow me to make any changes, which is as expected if I am not logged in. I then try to login with my unix credentials local to that machine and I am rejected. That would pose another problem, but I am able to revert the behaviour by setting useSecurity to false and restarting the jenkins service.

If I try to reproduce the issue but leave the Authorization field set to Anyone can do anything I do not see the error repeat.

Work Around
If after trying the above I set Logged-in users can do anything and click save I do not see a problem (other than I cannot login).

Would Working Security Help?
If I reset again and click the Test button I get a message stating "User 'jenkins' needs to belong to group shadow to read /etc/shadow". Fixing this might also work around the issue:
$ sudo adduser jenkins shadow
Adding user `jenkins' to group `shadow' ...
Adding user jenkins to group shadow
Done.
$ sudo service jenkins restart #Equivilent of user logout & login
Login and press Test. This now reports success.
Howerver the issue is still reproducable

javax.servlet.ServletException: hudson.security.AccessDeniedException2: anonymous is missing the Overall/RunScripts permission
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:796)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.MetaClass$13.dispatch(MetaClass.java:411)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
...

So a working or nonworking security method still hits the stack trace.
I am able to login to the system as me after this though, so it is not so bad as the completely foolish thing I did before.

Reproduction
If I try to repeat the setting of Unix user/group database and Logged-in users can do anything I seem able to reliably cause the error page to come back.

Daniel Beck added a comment - 2015-06-18 13:23

Right, basically directly follows from the options you set, as without a security realm set up first, you cannot be logged in.

You've figured out workarounds already, and the login failures come from insufficient permissions.

What's left is a minor UI issue, it should present a login screen rather than error out.

Daniel Beck added a comment - 2015-06-18 13:23 Right, basically directly follows from the options you set, as without a security realm set up first, you cannot be logged in. You've figured out workarounds already, and the login failures come from insufficient permissions. What's left is a minor UI issue, it should present a login screen rather than error out.

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Daniel Beck added a comment - 2015-06-18 13:23

Expand comment: Daniel Beck added a comment - 2015-06-18 13:23

People

Dates