-
Bug
-
Resolution: Won't Fix
-
Major
Environment
- Jenkins 2.46.2
- credentials:2.1.13 'Credentials Plugin'
- workflow-aggregator:2.5 'Pipeline'
- workflow-api:2.12 'Pipeline: API'
- workflow-basic-steps:2.4 'Pipeline: Basic Steps'
- workflow-cps:2.29 'Pipeline: Groovy'
- workflow-cps-checkpoint:2.4 'CloudBees Pipeline: Groovy Checkpoint Plugin'
- workflow-cps-global-lib:2.7 'Pipeline: Shared Groovy Libraries'
- workflow-durable-task-step:2.10 'Pipeline: Nodes and Processes'
- workflow-job:2.10 'Pipeline: Job'
- workflow-multibranch:2.14 'Pipeline: Multibranch'
- workflow-scm-step:2.4 'Pipeline: SCM Step'
- workflow-step-api:2.9 'Pipeline: Step API'
- workflow-support:2.14 'Pipeline: Supporting APIs'
Description
When using the authorize project plugin,
- User Scoped Credentials are not found by the "git" pipeline step.
- Global Credentials overwritten by user scoped credentials are not overwritten by the "git" pipeline step.
Reproduce
- Install the Project Authorize Plugin and configure it "Run as user who triggered the build"
- Create a global credential "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with valid credentials for a bitbucket server
- Create user scoped credentials "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with invalid username and invalid password
- create a pipeline with "git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/.....git'"
- run the build, it will succeed and logs will show that the global creds have been used, a log message will show the valid username, proving that the user credentials have been ignored
- Create user scoped credentials "user-scoped-bitbucket-creds" with valid credentials for a bitbucket server
- Create a pipeline with "git credentialsId: 'user-scoped-bitbucket-cred', url: 'https://bitbucket.example.com/.....git'"
- job will fail with "authentication failed"
node {
// verify that the build is properly impersonated by the https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
echo "Build is running as user " + org.acegisecurity.context.SecurityContextHolder.getContext().getAuthentication().toString()
stage ("Global Credentials Overwritten at the user scope") {
// credentials declared globally and overwritten by a user scoped credentials
git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
}
stage ("User Scoped Credentials") {
// user scoped credentials
git credentialsId: 'user-scoped-bitbucket-creds', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
}
}
Started by user admin
[Pipeline] node
Running on agent-1 in /home/ubuntu/agent-home/workspace/tests/user-scoped-credentials-pipeline-step-git
[Pipeline] {
[Pipeline] echo
Build is running as user org.acegisecurity.providers.UsernamePasswordAuthenticationToken@965748a4: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
[Pipeline] stage
[Pipeline] { (Global Credentials Overwritten at the user scope)
[Pipeline] git
> git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
> git --version # timeout=10
using GIT_ASKPASS to set credentials QAh4dAzetrEp global creds, not overwritten
> git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
> git rev-parse refs/remotes/origin/master^{commit} # timeout=10
> git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision fd1c742d4f8d193eb935519909c15302b783cd52 (refs/remotes/origin/master)
> git config core.sparsecheckout # timeout=10
> git checkout -f fd1c742d4f8d193eb935519909c15302b783cd52
> git branch -a -v --no-abbrev # timeout=10
> git branch -D master # timeout=10
> git checkout -b master fd1c742d4f8d193eb935519909c15302b783cd52
> git rev-list fd1c742d4f8d193eb935519909c15302b783cd52 # timeout=10
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (User Scoped Credentials)
[Pipeline] git
> git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
> git --version # timeout=10
> git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from https://bitbucket.example.com/scm/pet/spring-petclinic.git
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:806)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1070)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1101)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)
at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
at hudson.security.ACL.impersonate(ACL.java:260)
at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout:
stderr: fatal: Authentication failed for 'https://bitbucket.example.com/scm/pet/spring-petclinic.git/'
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1793)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1519)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:64)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:315)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
at hudson.remoting.UserRequest.perform(UserRequest.java:153)
at hudson.remoting.UserRequest.perform(UserRequest.java:50)
at hudson.remoting.Request$2.run(Request.java:336)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at ......remote call to agent-1(Native Method)
at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1545)
at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)
at hudson.remoting.Channel.call(Channel.java:830)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
at sun.reflect.GeneratedMethodAccessor769.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
at com.sun.proxy.$Proxy120.execute(Unknown Source)
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:804)
... 13 more
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: null
Finished: FAILURE
- is related to
-
-
- Closed
-
-
-
- Open
-
-
-
- Resolved
-
- relates to
-
JENKINS-58170 Allow credential parameters to shadow credential ids in lookup
-
- Resolved
-
- links to
