JENKINS-47839

crowd2 Jenkins plugin crashes if user not found

      Description

      I am trying to configure groups support in Crowd2 plugin for Jenkins.

      Let's say we have two groups in our JIRA: systems and developers. As stated in the documentation, I put both in the 'Restrict Groups' section, separated by commas: systems,developers. It works if user sys (a member of the systems group) is trying to log in and does not work for user dev (a member of the developers group). If I change the order and put developers,systems, then dev can log in and sys cannot. The problem is that the JIRA Crowd2 API returns 404 when the plugin asks if user dev is a member of systems (and he is not):

      and the exception is thrown:

      Checking group membership for user 'dev' and group 'systems'...
      Nov 06, 2017 11:15:58 AM SEVERE de.theit.jenkins.crowd.CrowdConfigurationService isGroupMember
      The connection check failed.
      com.atlassian.crowd.exception.InvalidCrowdServiceException: The following URL does not specify a valid Crowd User Management REST service: https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev
          at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:455)
          at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.doesExist(RestExecutor.java:374)
          at com.atlassian.crowd.integration.rest.service.RestCrowdClient.isUserDirectGroupMember(RestCrowdClient.java:384)
          at de.theit.jenkins.crowd.CrowdConfigurationService.isGroupMember(CrowdConfigurationService.java:187)
          at de.theit.jenkins.crowd.CrowdConfigurationService.isGroupMember(CrowdConfigurationService.java:138)
          at de.theit.jenkins.crowd.CrowdAuthenticationManager.authenticate(CrowdAuthenticationManager.java:116)

      The exception is not handled correctly, so the plugin does not even try to check whether dev is a member of the developers group afterwards.

      Since the exception is thrown by Client Integration Client v2.7.1, I tried to rebuild the plugin against v2.8.3; however, it did not help.

      Posted in StackOverflow as well: https://stackoverflow.com/questions/47136248/crowd2-jenkins-plugin-crashes-if-user-not-found

          Activity

          cyril Cyril Burd created issue -
          oleg_nenashev Oleg Nenashev added a comment - Removing the assignee according to https://groups.google.com/forum/#!topic/jenkinsci-dev/sFejhRvZiIM
          oleg_nenashev Oleg Nenashev made changes -
          Assignee Kanstantsin Shautsou [ integer ]
          gmshake Zhenlei Huang added a comment -

          Cyril Burd Hi, I tried to reproduce this issue in my local environment, JIRA 7.1.7, but without luck. Both work regardless of the order of groups in the 'Restrict Groups' section.

          The exception com.atlassian.crowd.exception.InvalidCrowdServiceException is thrown when the called REST API endpoint is not a valid URL, which indicates one of:

          1. Jenkins is configured with the wrong Crowd / JIRA (with embedded Crowd) instance (not likely in this case)
          2. Badly configured proxies between Jenkins and Crowd that do not enforce HTTP RFCs
          3. Bugs in Crowd / JIRA (not likely, since I've tested with the same version, JIRA 7.1.7)

          Would you please verify that there are no proxies between your Jenkins instance and the JIRA server, including reverse proxies such as Nginx / Apache HTTP Server?

          cyril Cyril Burd added a comment - - edited

          Hi Zhenlei Huang

          Thanks for your response. Hereinafter my points:

          1. Jenkins is configured correctly with JIRA. We are able to authenticate and log in; this is not an issue.
          2. We do not use any proxies.
          3. Here is the fix that solved the problem on our side, made by our developers. Hope it helps.
          diff -r jenkins-crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java crowd2-plugin/src/main/java/de/theit/jenkins/crowd/CrowdConfigurationService.java
          115c115
          < this.allowedGroupNames.add(group.trim());
          ---
          > this.allowedGroupNames.add(group);
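          Review bot: the trim() at line 115 sits on the "<" side, which means this diff was taken with the patched tree as the first argument, so every hunk reads reversed; regenerate it as a unified diff with the original tree first so the additions show as "+". The trim is also a separate fix from the exception handling in the later hunks (it changes how an entry with surrounding whitespace in the group list is stored) and is easier to review as its own change.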
          187,199c187,197
          < try {
          < if (this.crowdClient.isUserDirectGroupMember(username, group)) {
          < retval = true;
          < if (LOG.isLoggable(Level.FINER)) {
          < LOG.finer("=> user is a direct group member");
          < }
          < } else if (this.nestedGroups
          < && this.crowdClient
          < .isUserNestedGroupMember(username, group)) {
          < retval = true;
          < if (LOG.isLoggable(Level.FINER)) {
          < LOG.finer("=> user is a nested group member");
          < }
          ---
          > if (this.crowdClient.isUserDirectGroupMember(username, group)) {
          > retval = true;
          > if (LOG.isLoggable(Level.FINER)) {
          > LOG.finer("=> user is a direct group member");
          > }
          > } else if (this.nestedGroups
          > && this.crowdClient
          > .isUserNestedGroupMember(username, group)) {
          > retval = true;
          > if (LOG.isLoggable(Level.FINER)) {
          > LOG.finer("=> user is a nested group member");
          201,202d198
          < } catch (Exception e) {
          < LOG.warning(e.getMessage());
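          Review bot: the catch (Exception e) at lines 201-202, closing the try opened at line 187, is too broad: every failure of isUserDirectGroupMember or isUserNestedGroupMember, including connection and configuration errors, becomes a logged warning with retval left unchanged, so an outage is indistinguishable from a negative membership answer. Catch only the exception type expected for this lookup, and pass the throwable to the logger, for example LOG.log(Level.WARNING, "group membership lookup failed", e), instead of e.getMessage() alone so the stack trace is kept.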
          246,247d241
          < } catch (Exception e) {
          < LOG.warning(e.getMessage());
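          Review bot: the second catch (Exception e) at lines 246-247 has the same breadth problem, and the diff adds no matching try for it, so it appears to widen an existing try block whose body is not shown. Name the exception type this clause is meant to handle and include context lines so the reviewer can see which call it now guards.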
          
          
          gmshake Zhenlei Huang added a comment - - edited

          Cyril Burd Your patch works, but it covers some important failures such as network / configuration problems, as it catches all exceptions, including those that it should not, i.e.

          com.atlassian.crowd.exception.OperationFailedException

          It's weird that the URL of the JIRA REST API looks good but fails on remote invocation,

          com.atlassian.crowd.exception.InvalidCrowdServiceException: The following URL does not specify a valid Crowd User Management REST service: https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev
              at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.executeCrowdServiceMethod(RestExecutor.java:455)

          Can you please run this command snippet on your Jenkins master instance and post the result? It will be very helpful.

          curl -D- -u application:password -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"

          Please remember to change application and password, and mask out sensitive information in the result, e.g. cookies, ASEN.

          cyril Cyril Burd added a comment -

          Hi Zhenlei Huang

          Upon your request: (dev is not in systems group)

          curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"
          HTTP/1.1 404 Not Found
          Date: Thu, 14 Jun 2018 08:42:33 GMT
          Server: Apache
          Vary: Accept-Encoding
          Content-Length: 237
          Content-Type: text/html; charset=iso-8859-1

          <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
          <html><head>
          <title>404 Not Found</title>
          </head><body>
          <h1>Not Found</h1>
          <p>The requested URL /rest/usermanagement/1/group/user/direct was not found on this server.</p>
          </body></html>

           

          However, when user sys is in systems group:

          curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=sys"
          HTTP/1.1 200 200
          Date: Thu, 14 Jun 2018 08:42:22 GMT
          Server: Apache
          X-AREQUESTID: 522x36860744x2
          X-XSS-Protection: 1; mode=block
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self'
          X-Embedded-Crowd-Version: JIRA/7.6.1
          X-Crowd-User-Management-Version: 1.4
          X-ASEN: SEN-2075590
          Set-Cookie: JSESSIONID=BLABLASESSION;path=/;Secure;HttpOnly
          Set-Cookie: atlassian.xsrf.token=BLABLATOKEN|lout;path=/;Secure
          X-ASESSIONID: 4ioxjr
          X-AUSERNAME: anonymous
          Cache-Control: no-cache, no-store, no-transform
          Content-Length: 182
          Content-Type: application/xml;charset=UTF-8

          As I said JIRA returns 404 instead of proper response.

          Thanks.

          gmshake Zhenlei Huang added a comment - - edited

          Cyril Burd I've noticed that your JIRA instance is behind a proxy. That is probably causing this issue.

          curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=dev"
          HTTP/1.1 404 Not Found
          Date: Thu, 14 Jun 2018 08:42:33 GMT
          Server: Apache
          Vary: Accept-Encoding
          Content-Length: 237
          Content-Type: text/html; charset=iso-8859-1
          <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
          <html><head>
          <title>404 Not Found</title>
          </head><body>
          <h1>Not Found</h1>
          <p>The requested URL /rest/usermanagement/1/group/user/direct was not found on this server.</p>
          </body></html>

          curl -D- -u user:pass -X GET "https://myjira.net/rest/usermanagement/1/group/user/direct?groupname=systems&username=sys"
          HTTP/1.1 200 200
          Date: Thu, 14 Jun 2018 08:42:22 GMT
          Server: Apache
          X-AREQUESTID: 522x36860744x2
          X-XSS-Protection: 1; mode=block
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self'
          X-Embedded-Crowd-Version: JIRA/7.6.1
          X-Crowd-User-Management-Version: 1.4
          X-ASEN: SEN-2075590
          Set-Cookie: JSESSIONID=BLABLASESSION;path=/;Secure;HttpOnly
          Set-Cookie: atlassian.xsrf.token=BLABLATOKEN|lout;path=/;Secure
          X-ASESSIONID: 4ioxjr
          X-AUSERNAME: anonymous
          Cache-Control: no-cache, no-store, no-transform
          Content-Length: 182
          Content-Type: application/xml;charset=UTF-8

          See the response header Server: Apache.

          From my local setup with no proxies, the response from the JIRA server contains almost the same headers regardless of the error code.

          curl -D- -u test:test -X GET "http://localhost:8080/rest/usermanagement/1/group/user/direct?groupname=developers&username=admin"
          HTTP/1.1 200 OK
          Server: Apache-Coyote/1.1
          X-AREQUESTID: 1033x5x1
          X-Embedded-Crowd-Version: JIRA/7.1.7
          X-Crowd-User-Management-Version: 1.4
          X-ASEN: SEN-...
          Set-Cookie: JSESSIONID=...; Path=/; HttpOnly
          Set-Cookie: atlassian.xsrf.token=...|lout; Path=/
          X-ASESSIONID: 4114ft
          X-AUSERNAME: anonymous
          Cache-Control: no-cache, no-store, no-transform
          X-Content-Type-Options: nosniff
          Content-Type: application/xml;charset=UTF-8
          Content-Length: 170
          Date: Thu, 14 Jun 2018 09:13:33 GMT
          
          <?xml version="1.0" encoding="UTF-8" standalone="yes"?><user name="admin"><link href="http://localhost:8080/rest/usermanagement/1/user?username=admin" rel="self"/></user>
          

          and

          curl -D- -u test:test -X GET "http://localhost:8080/rest/usermanagement/1/group/user/direct?groupname=developers&username=foo"
          HTTP/1.1 404 Not Found
          Server: Apache-Coyote/1.1
          X-AREQUESTID: 1036x6x1
          X-Embedded-Crowd-Version: JIRA/7.1.7
          X-Crowd-User-Management-Version: 1.4
          X-ASEN: SEN-...
          Set-Cookie: JSESSIONID=...; Path=/; HttpOnly
          Set-Cookie: atlassian.xsrf.token=...|lout; Path=/
          X-ASESSIONID: 5t0jxu
          X-AUSERNAME: anonymous
          Cache-Control: no-cache, no-store, no-transform
          X-Content-Type-Options: nosniff
          Content-Type: application/xml;charset=UTF-8
          Content-Length: 203
          Date: Thu, 14 Jun 2018 09:16:23 GMT
          
          <?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>MEMBERSHIP_NOT_FOUND</reason><message>The child entity &lt;foo&gt; is not a member of the parent &lt;developers&gt;</message></error>
          

           

          It seems that Apache HTTP Server is trimming the response from upstream when the HTTP response code is 404. Check your Apache proxy configuration first; this needs further investigation.

          gmshake Zhenlei Huang added a comment - - edited

          Cyril Burd Take care with this config, the ProxyErrorOverride directive. The default value is Off. It would cause problems like this issue if ProxyErrorOverride is turned on.

          I've set up an Apache HTTP Server reverse proxy, referring to https://confluence.atlassian.com/adminjiraserver070/integrating-jira-with-apache-749383658.html

          LoadModule proxy_module ....
          LoadModule proxy_http_module ....
          <Location />
              ProxyPreserveHost On
              ProxyPass http://jira.internal:8080/
              ProxyPassReverse http://jira.internal:8080/
              ProxyErrorOverride On
              ErrorDocument 404 "Not Found"
          </Location>
          

          and reproduced the issue as yours.

          curl -D- -u test:test -X GET "http://192.168.11.153/rest/usermanagement/1/group/user/directabc?groupname=developers&username=foo"
          HTTP/1.1 404 Not Found
          Date: Thu, 14 Jun 2018 11:00:29 GMT
          Server: Apache/2.4.33 (FreeBSD)
          Content-Length: 9
          Content-Type: text/html; charset=iso-8859-1
          
          Not found
          

          From a developer's point of view,

                  int executeCrowdServiceMethod(HttpMethod method) throws InvalidCrowdServiceException, IOException {
                      int statusCode = RestExecutor.this.client.executeMethod(method);
                      if(!this.isCrowdRestService(method)) {
                          throw new InvalidCrowdServiceException(String.format("The following URL does not specify a valid Crowd User Management REST service: %s", new Object[]{method.getURI().toString()}));
                      } else {
                          return statusCode;
                      }
                  }
          
                  private boolean isCrowdRestService(HttpMethod method) {
                      return method.getResponseHeader("X-Embedded-Crowd-Version") != null;
                  }
          

          In this case, any REST API response from the proxy without the header "X-Embedded-Crowd-Version" would certainly raise an InvalidCrowdServiceException. So be careful with proxy configuration in a production environment not to violate the designed feature, especially for REST API upstreams.

          In short: enforce HTTP RFCs, fewer problems.
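
Added example (not code from the plugin, the Crowd client, or any commenter): a Python classifier for curl -D- captures that applies the same X-Embedded-Crowd-Version presence test as isCrowdRestService() above, so a proxy-rewritten 404 is reported separately from a genuine MEMBERSHIP_NOT_FOUND. The function names, the Verdict type and the abbreviated sample captures are assumptions, built from the responses posted in this thread.

```python
"""Classify `curl -D-` captures of Crowd group-membership lookups (added example)."""
import re
from email.parser import Parser
from enum import Enum

# Header whose presence the Crowd REST client tests (see isCrowdRestService above).
CROWD_HEADER = "X-Embedded-Crowd-Version"


class Verdict(Enum):
    MEMBER = "user is a member"
    NOT_MEMBER = "Crowd says the user is not a member"
    NOT_CROWD = "response was not produced by Crowd (proxy or wrong endpoint)"
    UNEXPECTED = "Crowd answered, but not with a membership result"


def parse_capture(raw):
    """Split a raw HTTP response dump into (status code, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip().partition("\n\n")
    status_line, _, header_block = head.partition("\n")
    match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", status_line)
    if not match:
        raise ValueError("not an HTTP response: %r" % status_line)
    # email.parser gives case-insensitive header lookup.
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(match.group(1)), headers, body.strip()


def crowd_error_reason(body):
    """Return the <reason> code of a Crowd XML error body, or None."""
    match = re.search(r"<reason>([A-Z_]+)</reason>", body)
    return match.group(1) if match else None


def classify(raw):
    status, headers, body = parse_capture(raw)
    if CROWD_HEADER not in headers:
        # Same condition that makes the client throw InvalidCrowdServiceException.
        return Verdict.NOT_CROWD
    if status == 200:
        return Verdict.MEMBER
    if status == 404 and crowd_error_reason(body) == "MEMBERSHIP_NOT_FOUND":
        return Verdict.NOT_MEMBER
    return Verdict.UNEXPECTED


def evaluate(captures):
    """captures maps group name -> raw response.

    Returns (allowed, suspect_groups). Access is granted only on an explicit
    positive answer; lookups that Crowd did not answer are listed separately
    instead of being silently counted as "not a member".
    """
    allowed, suspect = False, []
    for group, raw in captures.items():
        verdict = classify(raw)
        if verdict is Verdict.MEMBER:
            allowed = True
        elif verdict is not Verdict.NOT_MEMBER:
            suspect.append(group)
    return allowed, suspect


# Constructed samples, abbreviated from the captures posted in this thread.
PROXIED_404 = """\
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
</body></html>
"""

DIRECT_404 = """\
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: JIRA/7.1.7
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><error><reason>MEMBERSHIP_NOT_FOUND</reason><message>The child entity &lt;foo&gt; is not a member of the parent &lt;developers&gt;</message></error>
"""

DIRECT_200 = """\
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Embedded-Crowd-Version: JIRA/7.1.7
Content-Type: application/xml;charset=UTF-8

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><user name="admin"><link href="http://localhost:8080/rest/usermanagement/1/user?username=admin" rel="self"/></user>
"""

if __name__ == "__main__":
    for name, raw in [("proxied 404", PROXIED_404),
                      ("direct 404", DIRECT_404),
                      ("direct 200", DIRECT_200)]:
        print("%-12s -> %s" % (name, classify(raw).value))
```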

          cyril Cyril Burd added a comment -

          Oh... Thanks a lot!

          gmshake Zhenlei Huang added a comment -

          Cyril Burd You’re welcome 
          Have you solved the problem? I'd close this issue since Crowd2 plugin works as expected.

          cyril Cyril Burd added a comment -

          I have not tested it yet, but I guess you can close the ticket. Thanks again.

          gmshake Zhenlei Huang added a comment - Cyril Burd
          gmshake Zhenlei Huang made changes -
          Resolution Not A Defect [ 7 ]
          Status Open [ 1 ] Resolved [ 5 ]
          pingunaut Martin Spielmann made changes -
          Assignee Martin Spielmann [ pingunaut ]
          pingunaut Martin Spielmann made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          pascalhofmann Pascal Hofmann added a comment -

          I just ran into the same problem.

          Zhenlei Huang: I guess this is the RFC that you are referring to?

          "A proxy MUST forward unrecognized header fields[…]"
          https://tools.ietf.org/html/rfc7230#section-3.2.1

          gmshake Zhenlei Huang added a comment -

          Pascal Hofmann There's no more detailed info that can help me figure out the problem you encountered. But I guess there are probably bad proxies between your Jenkins instance and JIRA/Crowd.

          I'd suggest debugging the REST API response using curl / postman before further investigation.

          For the RFC, yes, exactly.
          "A proxy MUST forward unrecognized header fields[…]"
          https://tools.ietf.org/html/rfc7230#section-3.2.1

            People

            Assignee:
            pingunaut Martin Spielmann
            Reporter:
            cyril Cyril Burd