JENKINS-48983

Artifactory Plugin is affected by JEP-200 in Jenkins 2.102+

    Details

      Description

      Got the following error while deploying an artifact in a freestyle job using generic-artifactory integration.
      ERROR: Rejected: org.jfrog.build.api.Artifact
      java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
      at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
      at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
      at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1863)
      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1746)
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2037)
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
      at java.util.ArrayList.readObject(ArrayList.java:797)
      at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
      at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2173)
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2064)
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1568)
      at java.io.ObjectInputStream.readObject(ObjectInputStream.java:428)
      at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
      at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
      at hudson.remoting.Channel.call(Channel.java:909)
      at hudson.FilePath.act(FilePath.java:998)
      at hudson.FilePath.act(FilePath.java:987)
      at org.jfrog.hudson.generic.GenericArtifactsDeployer.deploy(GenericArtifactsDeployer.java:76)
      at org.jfrog.hudson.generic.ArtifactoryGenericConfigurator$1.tearDown(ArtifactoryGenericConfigurator.java:401)
      at hudson.model.Build$BuildExecution.doRun(Build.java:174)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
      at hudson.model.Run.execute(Run.java:1727)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:97)
      at hudson.model.Executor.run(Executor.java:429)

            Activity

            maksonlee Makson Lee created issue -
            oleg_nenashev Oleg Nenashev made changes -
            Field Original Value New Value
            Labels jep-200
            oleg_nenashev Oleg Nenashev made changes -
            Assignee Eyal Ben Moshe [ eyalbe ] Oleg Nenashev [ oleg_nenashev ]
            oleg_nenashev Oleg Nenashev made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            oleg_nenashev Oleg Nenashev added a comment -

            During JEP-200 testing before the release I was unable to test Artifactory plugin due to its old codebase and dependencies. Clearly I need to finish the effort

            oleg_nenashev Oleg Nenashev made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            oleg_nenashev Oleg Nenashev added a comment -

            https://github.com/jenkinsci/artifactory-plugin/pull/30 should close the issue with Remoting serialization.

            So far I do not see obvious issues with serialization of 3rd-party classes in XStream, but the codebase is too big to say for sure. Almost all build actions persist build references, so the plugin needs a cleanup anyway.

            oleg_nenashev Oleg Nenashev made changes -
            Remote Link This issue links to "https://github.com/jenkinsci/artifactory-plugin/pull/30 (Web Link)" [ 19868 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-48991 [ JENKINS-48991 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is duplicated by JENKINS-49001 [ JENKINS-49001 ]
            jglick Jesse Glick made changes -
            Labels jep-200 JEP-200
            putpix Andrei S made changes -
            Comment [  Are there any estimates when this issue will be fixed or workaround for this problem?

            At the moment all integrations with Artifactory were broken. ]
            putpix Andrei S added a comment -

            For clarification, this task pops up first in Google when searching for the problem.

            Workaround is -Djenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST=true

            jglick Jesse Glick added a comment -

            Yes, in that mode violations will only be logged but execution will proceed. Use at your own risk. This flag is best used to collect a set of entries which should then be added to the hudson.remoting.ClassFilter system property.

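Added example, not part of the original thread and not Jenkins or plugin code: one way to collect rejected class names from log text and build the `hudson.remoting.ClassFilter` value mentioned in the comment above. It assumes the log contains `Rejected: <class>` lines in the form shown in this issue's stack traces; the function names, the reviewed-prefix gate and the sample log are constructed for illustration.

```python
import re

# Line format as it appears in this issue's traces, e.g.
#   java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
REJECTED = re.compile(r"\bRejected:\s+(\S+)")
# Fully qualified Java class name; nested classes use '$'.
CLASS_NAME = re.compile(r"^[A-Za-z_][\w$]*(\.[A-Za-z_][\w$]*)+$")

# Constructed sample log: two class names from this issue plus two made-up lines.
SAMPLE_LOG = """\
ERROR: Rejected: org.jfrog.build.api.Artifact
java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
    at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
java.lang.SecurityException: Rejected: org.jfrog.build.api.Dependency
java.lang.SecurityException: Rejected: com.example.Unreviewed
java.lang.SecurityException: Rejected: not-a-class;name
"""


def rejected_classes(log_text):
    """Distinct, well-formed class names from 'Rejected:' lines, first-seen order."""
    seen = []
    for line in log_text.splitlines():
        match = REJECTED.search(line)
        if not match:
            continue
        name = match.group(1)
        # Drop anything that is not a plain class name, so the result is
        # safe to paste into a JVM command line.
        if CLASS_NAME.match(name) and name not in seen:
            seen.append(name)
    return seen


def class_filter_arg(classes, reviewed_prefixes):
    """Return (jvm_arg, needs_review).

    Every entry widens what the controller will deserialize, so only classes
    under a package someone has actually reviewed are emitted (hypothetical
    policy); the rest are returned for manual inspection.
    """
    prefixes = [p.rstrip(".") + "." for p in reviewed_prefixes]
    allowed = [c for c in classes if any(c.startswith(p) for p in prefixes)]
    needs_review = [c for c in classes if c not in allowed]
    # The property takes a comma-separated list of class names.
    arg = ("-Dhudson.remoting.ClassFilter=" + ",".join(allowed)) if allowed else ""
    return arg, needs_review


if __name__ == "__main__":
    found = rejected_classes(SAMPLE_LOG)
    arg, review = class_filter_arg(found, ["org.jfrog.build.api"])
    print(arg)
    print("needs manual review:", review)
```

The resulting argument goes on the Jenkins controller's JVM command line, in place of the blanket `SUPPRESS_WHITELIST` flag.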
            oleg_nenashev Oleg Nenashev added a comment -

            I have pinged JFrog about the issue

            psk1987 Prachi Khadke added a comment - - edited

            Is there a workaround for generic artifactory pushes for Jenkins Pipeline As a Code? I'm seeing this issue while uploading my build artifacts via Jenkinsfile. It doesn't even show up in in-script approval.

             

            java.lang.SecurityException: Rejected: org.jfrog.build.api.Artifact
            at hudson.remoting.ClassFilter.check(ClassFilter.java:75)
            at hudson.remoting.MultiClassLoaderSerializer$Input.resolveClass(MultiClassLoaderSerializer.java:129)
            at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1868)
            at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1751)
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2042)
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
            at java.io.ObjectInputStream.readObject(ObjectInputStream.java:433)
            at java.util.ArrayList.readObject(ArrayList.java:797)
            at sun.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:498)
            at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1158)
            at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178)
            at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
            at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
            at java.io.ObjectInputStream.readObject(ObjectInputStream.java:433)
            at hudson.remoting.UserRequest.deserialize(UserRequest.java:277)
            at hudson.remoting.UserResponse.retrieve(UserRequest.java:310)
            at hudson.remoting.Channel.call(Channel.java:909)
            at hudson.FilePath.act(FilePath.java:998)
            at hudson.FilePath.act(FilePath.java:987)
            at org.jfrog.hudson.pipeline.executors.GenericUploadExecutor.execution(GenericUploadExecutor.java:52)
            at org.jfrog.hudson.pipeline.steps.UploadStep$Execution.run(UploadStep.java:65)
            at org.jfrog.hudson.pipeline.steps.UploadStep$Execution.run(UploadStep.java:46)
            at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
            at hudson.security.ACL.impersonate(ACL.java:274)
            at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
            at java.util.concurrent.FutureTask.run(FutureTask.java:266)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at java.lang.Thread.run(Thread.java:748)
            Finished: FAILURE
            
            oleg_nenashev Oleg Nenashev added a comment -

            It won't, JEP-200 behaves differently. See the offered patch, which is the best available workaround now.

            jglick Jesse Glick added a comment -

            > Is there a workaround for generic artifactory pushes for Jenkins Pipeline As a Code?

            Uninstall the plugin and

            sh 'mvn deploy'
            
            cdenneen Chris Denneen added a comment -

            Jesse Glick What do you mean uninstall plugin and "mvn deploy"? Build artifactory plugin from source?

            jglick Jesse Glick added a comment -

            Chris Denneen no, I mean deploy your artifacts to Artifactory using plain Maven commands rather than going through the plugin.

            cdenneen Chris Denneen added a comment -

            Jesse Glick yeah, we aren't doing Maven builds. We use the Artifactory plugin to upload and download an array of assets to jobs... ranging from rpm builds to simple text files. So not sure mvn deploy will work for non-Maven repositories.

             

            jglick Jesse Glick added a comment -

            Chris Denneen well, I was using mvn deploy as an example only. Presumably there is some documented REST API for uploading and downloading artifacts in general repository formats, which you could invoke from curl or the like, given suitable withCredentials.

            oleg_nenashev Oleg Nenashev added a comment -

            Chris Denneen if you are a JFrog customer, submit a ticket to them. I have submitted my one, but more tickets would raise the priority I'd guess

            cdenneen Chris Denneen added a comment -

            Oleg Nenashev We are but a PRO customer which doesn't have "support". So the best I could do is open an issue on their public board. Hopefully your ticket will get some traction.

            Until then does the snapshot of the plugin work or the sysconfig changes work for now as workaround enough?

            oleg_nenashev Oleg Nenashev added a comment - - edited

            Chris Denneen the Snapshot will work in some cases, e.g. Maven publishing.
            I cannot guarantee stability of other cases (most likely "no"), but I am happy to update the pull request according to the feedback.

            The plugin has no tests, and JEP-200 maintainers have no time to set up a test environment for every case.

            cdenneen Chris Denneen added a comment -

            Oleg Nenashev looks like 2.104 might have added the whitelists?

            Any idea what could be causing this?

            java.lang.SecurityException: Rejected: org.jfrog.build.api.Dependency
            oleg_nenashev Oleg Nenashev added a comment -

            > looks like 2.104 might have added the whitelists?

            It has added only a few basic types which impact the plugin, but not the 3rd-party libraries.
            So the patch on the core's side is not going to resolve the issue.

            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is duplicated by JENKINS-48991 [ JENKINS-48991 ]
            cdenneen Chris Denneen made changes -
            Comment [ OK can Dependency be added to your PR for whitelisting? ]
            ajitsurana Ajit Surana added a comment -

            Is this JIRA resolved? I'm facing the same issue.

            I'm trying to use the command -Djenkins.security.ClassFilterImpl.SUPPRESS_WHITELIST=true but don't know how to use it. It would be helpful if you provide the resolution or workaround step in a little more detail.

            oleg_nenashev Oleg Nenashev added a comment -

            The fix has been finally released in 2.15.0

            oleg_nenashev Oleg Nenashev made changes -
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Resolved [ 5 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is duplicated by JENKINS-50175 [ JENKINS-50175 ]

              People

              Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              maksonlee Makson Lee
              Votes:
              14
              Watchers:
              20
