Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42707

ReverseBuildTrigger can throw AccessDeniedException

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
    • Environment:
      Jenkins 2.32.3
    • Similar Issues:

      Description

      Noticed in a console logs of an upstream job:

      Notifying upstream projects of job completion 
      FATAL: Please login to access job upstream 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404) 
      Notifying upstream projects of job completion 
      FATAL: Please login to access job <foldername> 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404)
      

      ReverseBuildTrigger.shouldTrigger should be impersonating SYSTEM.

      This seems to happen because the anonymous user has Overall/Read and Item/Discover permission. The workaround is to remove the Item/Discover permission for the anonymous user.

        Attachments

          Issue Links

            Activity

            allan_burdajewicz Allan BURDAJEWICZ created issue -
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Field Original Value New Value
            Description Noticed in a console logs of an upstream job:

             

            ```

            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)

            ```

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            Noticed in a console logs of an upstream job:

             

            {code}

            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)

            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Description Noticed in a console logs of an upstream job:

             

            {code}

            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)

            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            Noticed in a console logs of an upstream job:

             

            {code}
            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Link This issue is related to JENKINS-42586 [ JENKINS-42586 ]
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Link This issue is related to JENKINS-42556 [ JENKINS-42556 ]
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Description Noticed in a console logs of an upstream job:

             

            {code}
            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            Noticed in a console logs of an upstream job:

            {code}
            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Description Noticed in a console logs of an upstream job:

            {code}
            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous__ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            Noticed in a console logs of an upstream job:

            {code}
            Notifying upstream projects of job completion
            FATAL: Please login to access job upstream 
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            Notifying upstream projects of job completion
            FATAL: Please login to access job <foldername>
            org.acegisecurity.AccessDeniedException: Please login to access job upstream 
            at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
            at jenkins.model.Jenkins.getItem(Jenkins.java:324)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
            at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
            at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
            at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
            at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
            at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
            at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
            at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
            at hudson.model.Run.execute(Run.java:1775)
            at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            at hudson.model.ResourceController.execute(ResourceController.java:98)
            at hudson.model.Executor.run(Executor.java:404)
            {code}

            [ReverseBuildTrigger.shouldTrigger|https://github.com/jenkinsci/jenkins/blob/jenkins-2.50/core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java#L116] should be impersonating {{SYSTEM}}.

            This seems to happen because the _anonymous_ user has _Overall/Read_ and _Item/Discover_ permission. The workaround is to remove the _Item/Discover_ permission for the _anonymous_ user.
            Hide
            danielbeck Daniel Beck added a comment -

            Does the fix for JENKINS-42556 take care of this?

            Show
            danielbeck Daniel Beck added a comment - Does the fix for JENKINS-42556 take care of this?
            Hide
            jglick Jesse Glick added a comment -

            Doubtful. This is an Executor thread, which should not have been affected by that fix.

            Show
            jglick Jesse Glick added a comment - Doubtful. This is an Executor thread, which should not have been affected by that fix.
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Assignee Allan BURDAJEWICZ [ allan_burdajewicz ]
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Remote Link This issue links to "core-PR#2846 (Web Link)" [ 16201 ]
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)
            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Allan Burdajewicz Path: core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571 Log: JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846) JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger. JENKINS-42707 Added tests to expose the issue JENKINS-42707 Log message according to permission (DISCOVER/READ) JENKINS-42707 Use MockAuthorizationStrategy JENKINS-42707 Remove internationalization for logger
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]
            oleg_nenashev Oleg Nenashev made changes -
            Labels lts-candidate
            olivergondza Oliver Gondža made changes -
            Labels lts-candidate 2.46.3-fixed
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)

            (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Allan Burdajewicz Path: core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e Log: JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846) JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger. JENKINS-42707 Added tests to expose the issue JENKINS-42707 Log message according to permission (DISCOVER/READ) JENKINS-42707 Use MockAuthorizationStrategy JENKINS-42707 Remove internationalization for logger (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2135 (Web Link)" [ 18406 ]
            smasher Daniel Estermann made changes -
            Link This issue is related to JENKINS-63868 [ JENKINS-63868 ]

              People

              Assignee:
              allan_burdajewicz Allan BURDAJEWICZ
              Reporter:
              allan_burdajewicz Allan BURDAJEWICZ
              Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: