
Unable to scan branches in multibranch plugin when user has two-step verification enabled

      When trying to scan for branches using a user that has two-step verification enabled, I get the following error:

       

      Started
      [Mon Jun 26 11:04:33 CEST 2017] Starting branch indexing...
      ERROR: [Mon Jun 26 11:04:33 CEST 2017] Could not update folder level actions from source 85788dfe-8acb-4d5b-b6c5-64622c0ae982
      com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 403: Forbidden.
      To make an API call, you need to use an app password.
      at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRequest(BitbucketCloudApiClient.java:572)
      at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRepository(BitbucketCloudApiClient.java:236)
      at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.retrieveActions(BitbucketSCMSource.java:689)
      at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:691)
      at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:587)
      at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:266)
      at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:162)
      at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:969)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:415)
      [Mon Jun 26 11:04:33 CEST 2017] Finished branch indexing. Indexing took 0.35 sec
      FATAL: Failed to recompute children of ocr-engine
      com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 403: Forbidden.
      To make an API call, you need to use an app password.
      at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRequest(BitbucketCloudApiClient.java:572)
      at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRepository(BitbucketCloudApiClient.java:236)
      at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.retrieveActions(BitbucketSCMSource.java:689)
      at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:691)
      at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:587)
      at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:266)
      at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:162)
      at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:969)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:415)
      Finished: FAILURE
      

      We would like to enable enforcement for all our developers to use two-step verification for logging into Bitbucket, but are unable to do so until the Bitbucket branch source plugin gets the ability to use an app password for making API calls.

          [JENKINS-45129] Unable to scan branches in multibranch plugin when user has two-step verification enabled

          Nenad Miksa added a comment -

          If I enable enforcement for two-step verification, scanning results in the following error:

           

           

          [Mon Jun 26 11:15:54 CEST 2017] Starting branch indexing...
          ERROR: [Mon Jun 26 11:15:54 CEST 2017] Could not update folder level actions from source 85788dfe-8acb-4d5b-b6c5-64622c0ae982
          com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 403: Forbidden.
          {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
          	at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRequest(BitbucketCloudApiClient.java:572)
          	at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRepository(BitbucketCloudApiClient.java:236)
          	at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.retrieveActions(BitbucketSCMSource.java:689)
          	at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:691)
          	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:587)
          	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:266)
          	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:162)
          	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:969)
          	at hudson.model.ResourceController.execute(ResourceController.java:97)
          	at hudson.model.Executor.run(Executor.java:415)
          [Mon Jun 26 11:15:54 CEST 2017] Finished branch indexing. Indexing took 0.16 sec
          FATAL: Failed to recompute children of ocr-engine
          com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 403: Forbidden.
          {"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}
          	at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRequest(BitbucketCloudApiClient.java:572)
          	at com.cloudbees.jenkins.plugins.bitbucket.client.BitbucketCloudApiClient.getRepository(BitbucketCloudApiClient.java:236)
          	at com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource.retrieveActions(BitbucketSCMSource.java:689)
          	at jenkins.scm.api.SCMSource.fetchActions(SCMSource.java:691)
          	at jenkins.branch.MultiBranchProject.computeChildren(MultiBranchProject.java:587)
          	at com.cloudbees.hudson.plugins.folder.computed.ComputedFolder.updateChildren(ComputedFolder.java:266)
          	at com.cloudbees.hudson.plugins.folder.computed.FolderComputation.run(FolderComputation.java:162)
          	at jenkins.branch.MultiBranchProject$BranchIndexing.run(MultiBranchProject.java:969)
          	at hudson.model.ResourceController.execute(ResourceController.java:97)
          	at hudson.model.Executor.run(Executor.java:415)
          Finished: FAILURE
          

           


          Nenad Miksa added a comment -

          This issue is still present in v2.2.9. Wasn't 2.2.5 supposed to move to Bitbucket API v2?


          Chris Hemp added a comment -

          Having the same issue.  With SAML/SSO configured, App Passwords do not work.  

          Using bitbucket-branch-source-plugin version 2.2.14


          Nenad Miksa added a comment -

          For me it works if I set up the app password using the Groovy script, as described here: https://wiki.jenkins.io/display/JENKINS/Bitbucket+Branch+Source+Plugin#BitbucketBranchSourcePlugin-ConfigurepluginviaGroovyscript

           

          However, if I set up the app password using the UI, then it is treated as a normal password and it doesn't work.

           

          Hope this helps...

           


          Chris Hemp added a comment -

          dodoent, thanks for following up with your experiences and leaving a comment.

          If I understand you correctly, the groovy code you linked is using the Bitbucket username and not the email address (where the Bitbucket username is configurable when logged in under the Profile).  

          When I originally tried the App Password credential last week, I was using the Bitbucket email-address of the user and NOT the username. Right now, with two-step verification off, I am using email-address/password and things are working.   That email-address/username difference might be what caused my issue in trying App Passwords.  I'll try to do some testing this week.

          In your configuration, are you using the Bitbucket username?


          Nenad Miksa added a comment -

          Yes, I am using Bitbucket username.

           


          Chris Hemp added a comment -

          I tested this out this morning on a local Jenkins 2.151 (via Docker) using bitbucket-branch-source-plugin version 2.2.14.  Using the Bitbucket `username` with an App Password worked successfully with my SAML/SSO configured user.  

          This is great!  Thanks again dodoent

          TLDR:

          User without SAML/SSO use: email-address / password

          User with SAML/SSO use: bitbucket-user-name / app-password
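
          An added example, not part of any comment in this thread and not the plugin's code: a small triage helper that reads a branch-indexing log, recognises the two 403 bodies quoted above, and applies the username-versus-e-mail finding from the TLDR. The function names, reason codes and finding strings are assumptions made for illustration; the sample logs reuse lines from the thread with stack frames omitted.

```python
import json
import re

# The two 403 bodies quoted in this thread, keyed to a short reason code.
KNOWN_403 = {
    "To make an API call, you need to use an app password.": "app_password_required",
    "To access this repository, enable two-step verification.": "two_step_enforced",
}
STATUS_RE = re.compile(r"BitbucketRequestException: HTTP request error\. Status: (\d{3})")

def extract_403_reasons(log_text):
    """Return the set of reason codes for every 403 in a branch-indexing log."""
    reasons = set()
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = STATUS_RE.search(line)
        if not m or m.group(1) != "403":
            continue
        # The response body is printed on the line after the exception line.
        body = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if body.startswith("{"):  # JSON error envelope, as in the second log
            try:
                body = str(json.loads(body)["error"]["message"])
            except (ValueError, KeyError, TypeError):
                pass  # malformed envelope: falls through to unknown_403
        reasons.add(KNOWN_403.get(body, "unknown_403"))
    return reasons

def triage(log_text, configured_username):
    """Map a log plus the credential's username field to the thread's findings."""
    reasons = extract_403_reasons(log_text)
    findings = []
    if "app_password_required" in reasons:
        findings.append("account has two-step verification: use an app password")
    if "two_step_enforced" in reasons:
        findings.append("two-step verification is enforced for this repository")
    if "unknown_403" in reasons:
        findings.append("403 with a body not seen in the thread")
    # Thread finding: the app password worked with the Bitbucket username.
    if reasons and "@" in configured_username:
        findings.append("credential uses an e-mail address: try the Bitbucket username")
    return findings

# Log lines copied from the thread, stack frames omitted.
_EXC = "com.cloudbees.jenkins.plugins.bitbucket.api.BitbucketRequestException: HTTP request error. Status: 403: Forbidden.\n"
LOG_APP_PASSWORD = _EXC + "To make an API call, you need to use an app password.\nFinished: FAILURE\n"
LOG_ENFORCED = _EXC + '{"type": "error", "error": {"message": "To access this repository, enable two-step verification."}}\nFinished: FAILURE\n'
```
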


          Vivek Pandey added a comment -

          The Groovy script does what you can also do using the UI by setting up credentials using the Bitbucket username and app password and then setting up Bitbucket Endpoint/Manage hooks to select that credential from the drop-down. Given that, it's unclear what this issue is trying to get fixed. dodoent, please confirm if this is still an issue and provide details with steps as to what's not working.


          Nenad Miksa added a comment -

          For me this now works, as I said earlier - setting it up with the script does the job for me. The original issue referred to not being able to do even that. So I think it can be closed now.

          Thank you for your support and for the development of the requested feature!


          Vivek Pandey added a comment -

          Thanks dodoent!


            Unassigned Unassigned
            dodoent Nenad Miksa