  1. Jenkins
  2. JENKINS-53188

New jobs created from Blue Ocean are tied with username that created them


Details

    • 1.13.1

    Description

      A colleague (let's say, username cadana) created a Multibranch Pipeline job from Blue Ocean, with GitHub SCM (the username for SCM is not tied in any way to cadana), and he has now left the company. I had to copy the job manually to "recreate" it, to lose the first owner that no longer exists, in order to fix this error.

      A build log from a job:

      Started by user Laszlo, William Daniel
      [BFA] Scanning build for known causes...
      [BFA] No failure causes found
      [BFA] Done. 0s
      org.acegisecurity.userdetails.UsernameNotFoundException: User cadana not found in directory.
       at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:126)
       at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1314)
       at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1251)
       at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
       at hudson.model.User.getUserDetailsForImpersonation(User.java:349)
       at hudson.model.User.impersonate(User.java:329)
       at io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.getCredentials(BlueOceanCredentialsProvider.java:76)
       at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:413)
       at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:532)
       at org.jenkinsci.plugins.github_branch_source.Connector.lookupScanCredentials(Connector.java:234)
       at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1399)
       at jenkins.scm.api.SCMSource.fetch(SCMSource.java:566)
       at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:95)
       at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:303)
       at hudson.model.ResourceController.execute(ResourceController.java:97)
       at hudson.model.Executor.run(Executor.java:429)
      Finished: FAILURE
      

        Activity

          wlaszlo William Laszlo created issue -
          halkeye Gavin Mogan made changes -
          Assignee Gavin Mogan [ halkeye ]
          halkeye Gavin Mogan added a comment -

          I haven't been able to reproduce this, but I have one more thing to try.

          What version of Blue Ocean are you using? What version of Jenkins?

          Could credentials have been tied to that user?

          Does it happen on run? On view?

           


          wlaszlo William Laszlo added a comment -

          Jenkins 2.121.1
          Blue Ocean 1.9.0

          I'm pretty sure that he (user cadana) created the credentials for SCM which were used. SCM credentials are not tied with his account because everything else was working.
          On run I've got the message from description and on settings view what is in screenshot.

          halkeye Gavin Mogan added a comment -

          Okay, I was able to reproduce it with latest master (1.11.1) and Jenkins (2.150.2), so not version dependent.

          Looks like when you create a new pipeline with blueocean, it attaches the credentials to that project's folder

          Then it tries to impersonate and grab that credential to be used

          https://github.com/jenkinsci/blueocean-plugin/blob/1944c62bc252253450e15b5eaddd359963118a8b/blueocean-pipeline-scm-api/src/main/java/io/jenkins/blueocean/rest/impl/pipeline/credential/BlueOceanCredentialsProvider.java#L76

          Now that I tracked it down, I'll add a test and try to get it fixed up.

          halkeye Gavin Mogan added a comment -

          Note, I was able to reproduce this by deleting the folder users/deleteme_6666729664863048313 but the user was still in users.xml

          When I delete the user within the UI, it actually errors out properly.

          Looks like there's a map inside of $JENKINS_HOME/users/users.xml that maps usernames to the files on the disk.

          wlaszlo: from the stack trace, it looks like LDAP is being used. Do you know how the user was actually deleted? Are they still inside users.xml? Is the file still on the disk? (I'll see if there's a way to find out if you don't have disk access)

          halkeye Gavin Mogan added a comment -

          (I can catch it, it's UsernameNotFoundException, so fixable, but want to know if LDAP needs a patch to clean up properly)

          wlaszlo William Laszlo added a comment - - edited

          I don't know how users are deleted from LDAP. I can confirm that it's still existing in $JENKINS_HOME/users/users.xml

          halkeye Gavin Mogan added a comment - https://github.com/jenkinsci/blueocean-plugin/pull/1915
          halkeye Gavin Mogan made changes -
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Fixed but Unreleased [ 10203 ]
          halkeye Gavin Mogan made changes -
          Released As 1.13.1
          Status Fixed but Unreleased [ 10203 ] Resolved [ 5 ]
          halkeye Gavin Mogan added a comment -

          wlaszlo this was released on Friday, so let me know if you continue to have problems once you upgrade (if you upgrade)


          wlaszlo William Laszlo added a comment -

          Sure, thank you!
          Even if I make the update, I don't know when this would happen again to my team (when someone is deleted from LDAP). I really can't test it when I want. I hope that no one will have this issue from now on.

          I recreated the job when I figured out that I had found a bug, and I was able to run it. I can't confirm now whether it's OK or not because I no longer have that original job.

          cjharmath CJ Harmath added a comment -

          I've stumbled upon this as I was curious how to set up a pipeline with a global credential instead of a user-specific one.

          Currently, when a user creates a new pipeline for the first time, he/she will be asked for a personal access token for GitHub, which then gets stored in the user's credentials.

          Since users can come and go, it would be more practical if an administrator can set the credential.

          This also has an added value of GitHub checks not showing the user who created the pipeline, but the user configured by the admin.

           

          Happy to submit a new issue.

           

          Thanks,

          CJ

          cjharmath CJ Harmath added a comment -

          This is how my job's config.xml starts

          <?xml version='1.1' encoding='UTF-8'?>
          <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin="workflow-multibranch@2.21">
            <actions/>
            <description>test</description>
            <properties>
              <io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl plugin="blueocean-pipeline-scm-api@1.14.0">
                <domain plugin="credentials@2.1.19">
                  <name>blueocean-folder-credential-domain</name>
                  <description>Blue Ocean Folder Credentials domain</description>
                  <specifications/>
                </domain>
                <user>testuser</user>
                <id>github-enterprise:bd08318e10264d38792523a9e76b6f818f8ec73616f7b13b99692ed940ce642c</id>
              </io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl>
              <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-model-definition@1.3.8">
                <dockerLabel></dockerLabel>
                <registry plugin="docker-commons@1.14"/>
              </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig>
            </properties>
          

          And I wonder if the BlueOceanCredentialProvider which references the testuser's credential can be changed to use the global credential instead.

          I already have a Jenkins-level GitHub Enterprise access token credential, so I would like to just use that.

          That token btw was issued to a service account which is also added on the GitHub Enterprise side with a nice Jenkins icon, so it looks much better than the pipeline creator's photo next to a Pull request check.

          I've just changed the testuser to jenkins user then updated the user level credential as well and it works, but it's hacky and too involved.

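An added example, not part of the original thread or of the Blue Ocean code base: a Python audit that reads job config.xml files, finds the `BlueOceanCredentialsProvider_-FolderPropertyImpl` property shown in the excerpt above, and reports jobs whose `<user>` is no longer an active directory account, the condition behind the `UsernameNotFoundException` in the description. The active-user set, job names and credential id are constructed; the `$JENKINS_HOME/jobs` layout and case-insensitive username matching are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Element Blue Ocean writes into config.xml, as seen in the excerpt above.
FOLDER_PROPERTY = "BlueOceanCredentialsProvider_-FolderPropertyImpl"


def blueocean_bindings(config_xml):
    """Return (user, credential_id) for each Blue Ocean folder credential property."""
    # Jenkins declares XML 1.1; drop the declaration so the parser only sees the body.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    root = ET.fromstring(body)
    return [
        ((el.findtext("user") or "").strip(), (el.findtext("id") or "").strip())
        for el in root.iter()
        if el.tag.endswith(FOLDER_PROPERTY)
    ]


def orphaned_jobs(configs, active_users):
    """configs: {job name: config.xml text}. Report bindings whose user is not active."""
    # Assumption: directory logins compare case-insensitively.
    active = {u.lower() for u in active_users}
    findings = []
    for job, text in sorted(configs.items()):
        try:
            bindings = blueocean_bindings(text)
        except ET.ParseError:
            findings.append((job, None, "unparseable config.xml"))
            continue
        findings += [(job, u, c) for u, c in bindings if u.lower() not in active]
    return findings


def scan_jenkins_home(jenkins_home, active_users):
    """Assumes the standard $JENKINS_HOME/jobs/<name>/config.xml layout."""
    jobs = Path(jenkins_home, "jobs")
    configs = {
        str(p.parent.relative_to(jobs)): p.read_text(encoding="utf-8")
        for p in jobs.rglob("config.xml")
    }
    return orphaned_jobs(configs, active_users)


def _sample(user):
    # Constructed config.xml, reduced to the elements the audit reads.
    prop = "io.jenkins.blueocean.rest.impl.pipeline.credential." + FOLDER_PROPERTY
    return (
        "<?xml version='1.1' encoding='UTF-8'?>\n"
        "<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>"
        f"<properties><{prop}><user>{user}</user><id>github:CONSTRUCTED-ID</id>"
        f"</{prop}></properties>"
        "</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject>"
    )


# Constructed inputs: job names and credential id are made up.
SAMPLE_CONFIGS = {
    "payments": _sample("cadana"),   # creator no longer in the directory
    "docs": _sample("WLaszlo"),      # creator still active
    "legacy": "<project><properties/></project>",  # no Blue Ocean property
}

if __name__ == "__main__":
    for job, user, cred in orphaned_jobs(SAMPLE_CONFIGS, {"wlaszlo"}):
        print(f"{job}: bound to missing user {user!r} (credential {cred})")
```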

          People

            halkeye Gavin Mogan
            wlaszlo William Laszlo