Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43802

Shared Library using folder-scoped credential fails to authenticate

      In my GitHub Org job (using GitHub Enterprise), I added a pipeline lib source that is in GitHub.  If the scan credential is scoped to the job (created in the job, vs created in the global credential store), there are two problems:

      1) The config page under branch shows an error instead of "Currently maps to revision: $SHA".

      2) If using a job-scoped credential, the "git fetch" in the job execution does not contain a line saying "Setting GIT_ASKPASS ..."

      If I switch to the identical credential stored in the global scope, both the config page and the git fetch (GIT_ASKPASS) works.

      I can give more details or try to isolate the problem if needed (standalone, minimal sets of plugins).

          [JENKINS-43802] Shared Library using folder-scoped credential fails to authenticate

          Gregory PICOT added a comment -

          Also waiting on this issue to be resolved. The 'Legacy SCM' doesn't work for us, because it doesn't able us to use 'system' scoped credentials. The goal for us is to able people using exposed shared library without having the access to the repository itself.

          Gregory PICOT added a comment - Also waiting on this issue to be resolved. The 'Legacy SCM' doesn't work for us, because it doesn't able us to use 'system' scoped credentials. The goal for us is to able people using exposed shared library without having the access to the repository itself.

          Jesse Glick added a comment -

          Reproduced. The attached JENKINS-43802.diff solves the issue in the reported case and so confirms my hypothesis of 2017-08-21, but it is not thread-safe, and will not work for non-multibranch projects. The thread safety could be addressed with some hacks, but the extension to plain projects seems possible only with some API changes and their use in various SCM plugins.

          Jesse Glick added a comment - Reproduced. The attached JENKINS-43802.diff solves the issue in the reported case and so confirms my hypothesis of 2017-08-21, but it is not thread-safe, and will not work for non-multibranch projects. The thread safety could be addressed with some hacks, but the extension to plain projects seems possible only with some API changes and their use in various SCM plugins.

          Also regular GIT checkouts using "Modern SCM > GIT" are affected by this! Are there any plans on fixing this bug in the near future?

          Matthias Balke added a comment - Also regular GIT checkouts using "Modern SCM > GIT" are affected by this! Are there any plans on fixing this bug in the near future?

          Mark Waite added a comment -

          Fixed in git plugin 3.11.0 released July 27, 2019

          Mark Waite added a comment - Fixed in git plugin 3.11.0 released July 27, 2019

          Jesse Glick added a comment -

          markewaite is there a reason you just marked this issue (and another one similar to it) FIXED BUT UNRELEASED when there is in fact a release with the fix?

          Jesse Glick added a comment - markewaite is there a reason you just marked this issue (and another one similar to it) FIXED BUT UNRELEASED when there is in fact a release with the fix?

          Mark Waite added a comment -

          Sorry about that mistake. I failed to read the comment which says that it was released in git plugin 3.11.0. Returning to CLOSED since it is resolved.

          Mark Waite added a comment - Sorry about that mistake. I failed to read the comment which says that it was released in git plugin 3.11.0. Returning to CLOSED since it is resolved.

          Benjamin Asbach added a comment - - edited

          matthiasbalke, can you confirm that the issue is fixed for "Modern SCM > GIT"?

          I get a quite similar issue for linked Pipeline Libraries where branch references can authenticate, but tag references are unable to.

          Benjamin Asbach added a comment - - edited matthiasbalke , can you confirm that the issue is fixed for "Modern SCM > GIT"? I get a quite similar issue for linked Pipeline Libraries where branch references can authenticate, but tag references are unable to.

          Marian Degel added a comment - - edited

          We got the same problem as asbachb describes.

          While using "Modern SCM > GIT", trying to fetch tag references fails like this:

          ...
          12:51:26  Fetching origin...
          12:51:26  Fetching upstream changes from origin
          12:51:26   > git --version # timeout=10
          12:51:26   > git --version # 'git version 2.11.0'
          12:51:26   > git config --get remote.origin.url # timeout=10
          12:51:26   > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
          12:51:26  ERROR: Checkout failed
          12:51:26  hudson.plugins.git.GitException: Command "git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/*" returned status code 128:
          12:51:26  stdout: 
          12:51:26  stderr: remote: HTTP Basic: Access denied
          ...
          

          In case we use a branch it works. In case we use a tag, it doesn't.

          When specifying the credential in the global scope instead of folder scope, we can also checkout the tag as intended.

          Currently we're using: workflow-cps-global-lib-plugin 2.17

          Marian Degel added a comment - - edited We got the same problem as asbachb  describes. While using "Modern SCM > GIT", trying to fetch tag references fails like this: ... 12:51:26 Fetching origin... 12:51:26 Fetching upstream changes from origin 12:51:26 > git --version # timeout=10 12:51:26 > git --version # 'git version 2.11.0' 12:51:26 > git config --get remote.origin.url # timeout=10 12:51:26 > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10 12:51:26 ERROR: Checkout failed 12:51:26 hudson.plugins.git.GitException: Command "git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/*" returned status code 128: 12:51:26 stdout: 12:51:26 stderr: remote: HTTP Basic: Access denied ... In case we use a branch it works. In case we use a tag, it doesn't. When specifying the credential in the global scope instead of folder scope, we can also checkout the tag as intended. Currently we're using: workflow-cps-global-lib-plugin 2.17

          Jesse Glick added a comment -

          degelma please do not reopen issues in general. You can file a fresh issue in git-plugin with a Link to this one and complete, self-contained, minimal steps to reproduce from scratch.

          Jesse Glick added a comment - degelma please do not reopen issues in general. You can file a fresh issue in git-plugin with a Link to this one and complete, self-contained, minimal steps to reproduce from scratch.

          Marian Degel added a comment -

          jglick: Thanks for the info, I'll do that.

          Marian Degel added a comment - jglick : Thanks for the info, I'll do that.

            Unassigned Unassigned
            vallon Justin Vallon
            Votes:
            24 Vote for this issue
            Watchers:
            30 Start watching this issue

              Created:
              Updated:
              Resolved: