JENKINS-44773

User Scoped credentials are not used by the "git" pipeline step

      Environment

      • Jenkins 2.46.2
      • credentials:2.1.13 'Credentials Plugin'
      • workflow-aggregator:2.5 'Pipeline'
      • workflow-api:2.12 'Pipeline: API'
      • workflow-basic-steps:2.4 'Pipeline: Basic Steps'
      • workflow-cps:2.29 'Pipeline: Groovy'
      • workflow-cps-checkpoint:2.4 'CloudBees Pipeline: Groovy Checkpoint Plugin'
      • workflow-cps-global-lib:2.7 'Pipeline: Shared Groovy Libraries'
      • workflow-durable-task-step:2.10 'Pipeline: Nodes and Processes'
      • workflow-job:2.10 'Pipeline: Job'
      • workflow-multibranch:2.14 'Pipeline: Multibranch'
      • workflow-scm-step:2.4 'Pipeline: SCM Step'
      • workflow-step-api:2.9 'Pipeline: Step API'
      • workflow-support:2.14 'Pipeline: Supporting APIs'

      Description

      When using the authorize project plugin,

      • User Scoped Credentials are not found by the "git" pipeline step.
      • Global Credentials overwritten by user scoped credentials are not overwritten by the "git" pipeline step.

      Reproduce

      • Install the Project Authorize Plugin and configure it "Run as user who triggered the build"
      • Create a global credential "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with valid credentials for a bitbucket server
      • Create user scoped credentials "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with invalid username and invalid password
      • Create a pipeline with "git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/.....git'"
      • Run the build; it will succeed and the logs will show that the global creds have been used. A log message will show the valid username, proving that the user credentials have been ignored
      • Create user scoped credentials "user-scoped-bitbucket-creds" with valid credentials for a bitbucket server
      • Create a pipeline with "git credentialsId: 'user-scoped-bitbucket-cred', url: 'https://bitbucket.example.com/.....git'"
      • The job will fail with "authentication failed"

       

      node {
          // verify that the build is properly impersonated by the https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
          echo "Build is running as user " + org.acegisecurity.context.SecurityContextHolder.getContext().getAuthentication().toString()
          
          stage ("Global Credentials Overwritten at the user scope") {
              // credentials declared globally and overwritten by a user scoped credentials
              git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
          }
          
          stage ("User Scoped Credentials") {
              // user scoped credentials
              git credentialsId: 'user-scoped-bitbucket-creds', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
          }
      }
      
      Started by user admin
      [Pipeline] node
      Running on agent-1 in /home/ubuntu/agent-home/workspace/tests/user-scoped-credentials-pipeline-step-git
      [Pipeline] {
      [Pipeline] echo
      Build is running as user org.acegisecurity.providers.UsernamePasswordAuthenticationToken@965748a4: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
      [Pipeline] stage
      [Pipeline] { (Global Credentials Overwritten at the user scope)
      [Pipeline] git
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
      Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials QAh4dAzetrEp global creds, not overwritten
       > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
       > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
       > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
      Checking out Revision fd1c742d4f8d193eb935519909c15302b783cd52 (refs/remotes/origin/master)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f fd1c742d4f8d193eb935519909c15302b783cd52
       > git branch -a -v --no-abbrev # timeout=10
       > git branch -D master # timeout=10
       > git checkout -b master fd1c742d4f8d193eb935519909c15302b783cd52
       > git rev-list fd1c742d4f8d193eb935519909c15302b783cd52 # timeout=10
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] stage
      [Pipeline] { (User Scoped Credentials)
      [Pipeline] git
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
      Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
       > git --version # timeout=10
       > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
      ERROR: Error fetching remote repo 'origin'
      hudson.plugins.git.GitException: Failed to fetch from https://bitbucket.example.com/scm/pet/spring-petclinic.git
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:806)
      	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1070)
      	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1101)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:260)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: fatal: Authentication failed for 'https://bitbucket.example.com/scm/pet/spring-petclinic.git/'
      
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1793)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1519)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:64)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:315)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:153)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:50)
      	at hudson.remoting.Request$2.run(Request.java:336)
      	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at ......remote call to agent-1(Native Method)
      	at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1545)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)
      	at hudson.remoting.Channel.call(Channel.java:830)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
      	at sun.reflect.GeneratedMethodAccessor769.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
      	at com.sun.proxy.$Proxy120.execute(Unknown Source)
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:804)
      	... 13 more
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: null
      Finished: FAILURE
      

            Activity

            xjg6yzl John Zerbe added a comment -

            This issue is a Blocker for us. We need to use user scoped credentials for maven releases. We cannot use pipelines for release builds until this is resolved.

            jglick Jesse Glick added a comment -

            Why was this filed under credentials? And remember that the git step is semi-deprecated syntax sugar; you almost surely mean the checkout step generally with its GitSCM delegate.

            cleclerc Cyrille Le Clerc added a comment -

            > Why was this filed under credentials?

            Jesse Glick, I assumed that it was the credentials plugin that was providing the high level abstraction to retrieve credentials. I didn't think that each plugin that consumes credentials will have to be checked.

            markewaite Mark Waite added a comment -

            If this problem is visible in pipeline, I suspect a similar problem exists outside pipeline as well. Refer to JENKINS-43022 for another bug in git plugin credential scope handling.

            jglick Jesse Glick added a comment -

            > I assumed that it was the credentials plugin that was providing the high level abstraction to retrieve credentials

            It does. But it is up to each plugin using credentials to make the correct API calls. Some do, some do not.

            hrmpw Patrick Wolf added a comment -

            Does the checkout step behave properly? This is the most important question since this is the preferred way of doing checkouts. Can we reproduce the same behavior?

            jglick Jesse Glick added a comment -

            The behavior of checkout is almost certainly the same, since the git step is merely syntactic sugar and winds up calling the same code.

            hvdbrand Hugo van den Brand added a comment -

            We are experiencing a similar issue with Folder scoped credentials.

            Anyone trying to fix this?

            markewaite Mark Waite added a comment -

            I am not trying to fix this at this time, Hugo van den Brand.

            jvz Matt Sicker added a comment -

            This feature can be replaced by JENKINS-58170 which provides a more standardized approach to granting user-scoped credentials to builds.

            jvz Matt Sicker added a comment -

            There is now a new way to access user-scoped credentials detailed in JENKINS-58170 which uses credentials build parameters. These allow user-scoped credentials to be referenced in any context where you'd normally use the credentials id.


              People

              Assignee: Unassigned
              Reporter: cleclerc Cyrille Le Clerc
              Votes: 6
              Watchers: 12
