Type: Bug
Resolution: Fixed
Priority: Critical
Fix version: github-oauth-0.31
When updating to Jenkins 2.146 the "GitHub Committer Authorization strategy" no longer works.
Users can log in but get granted no permissions at all.
Downgrading to Jenkins 2.145 fixes the issue (but, due to security advisories being present, that isn't a good solution at all).
Setting logging to FINEST shows the plugin "tries" to grant the correct permissions, but Jenkins does not seem to respect them.
Is duplicated by: JENKINS-54990 404 on jenkins lts 2.138.2/3 github org workflow/multibranch jobs with github authorization (Closed)
[JENKINS-54031] GitHub OAuth plugin fails with Jenkins 2.146
(Note that my comment was originally written for a different report, so it might not only affect allowAnonymousReadPermission.)
Amending 2.138.2 upgrade guide in https://github.com/jenkins-infra/jenkins.io/pull/1835
For us, the workaround didn't work fully - it restored the ability for a regular user to browse and navigate each repository/branch etc., but when they tried to view individual jobs, they were 404'd, and the following is dumped to the jenkins.log:
Oct 15, 2018 3:51:08 PM hudson.init.impl.InstallUncaughtExceptionHandler lambda$init$0
WARNING: null
java.lang.IllegalStateException: Committed
    at org.eclipse.jetty.server.HttpChannel.resetBuffer(HttpChannel.java:853)
    at org.eclipse.jetty.server.HttpOutput.resetBuffer(HttpOutput.java:960)
    at org.eclipse.jetty.server.Response.resetBuffer(Response.java:1312)
    at org.eclipse.jetty.server.Response.sendRedirect(Response.java:720)
    at org.eclipse.jetty.server.Response.sendRedirect(Response.java:729)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter$OnRedirectUpdateSessionResponseWrapper.sendRedirect(HttpSessionContextIntegrationFilter.java:525)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
    at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
    at org.kohsuke.stapler.ResponseImpl.sendRedirect(ResponseImpl.java:138)
    at org.kohsuke.stapler.ResponseImpl.sendRedirect2(ResponseImpl.java:153)
    at org.kohsuke.stapler.DirectoryishDispatcher.dispatch(DirectoryishDispatcher.java:28)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
    at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:374)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
    at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
    at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
    at java.lang.Thread.run(Thread.java:748)
Is there anything else we need to do/enable to restore full functionality?
This was after an upgrade from 2.121.3 -> 2.138.2
We experienced all of the above issues. Finally, to fix the issue fully, we downgraded to 2.138.1.
Hope this is fixed in the ubuntu pkg before long. Thank you.
I posted a PR with a potential fix here: https://github.com/jenkinsci/github-oauth-plugin/pull/101
Could use some guidance on what the proper set of permissions to allow when "allow authenticated user to create jobs" is enabled.
Also could use some actual usage/testing in a real install, since I haven't actually tried my own fix yet.
Downgrading to Jenkins 2.145 fixed the issue for me. Poor long-term solution.
Hoping this is fixed sooner rather than later. Thanks!
Has there been a fix on this yet? We seem to have the same issue on 2.138.2
We run open source software, and it's quite important for our external contributors to be able to view their build progress. This bug's priority was on Moderate but I increased it to Critical. I hope that's fine.
It prevents us from upgrading Jenkins from a version that has security issues. I'd call that critical also.
Could I get confirmation that setting the system property I mentioned in a previous comment works in fact for nobody who's affected? Because that would be a related core bug.
Setting the property only partially fixed the issue for us. We downgraded to get back full functionality.
IIRC, it allowed access to the summary page for a build, but not to things like console log.
Oh, right. That makes sense. That's controlled by a different system property: hudson.model.Run.skipPermissionCheck. You'll need to set both to true.
Amending upgrade guide in https://github.com/jenkins-infra/jenkins.io/pull/1843 – would appreciate if someone could try the amended instructions so we know these are a complete workaround.
Can also be done while Jenkins is running (until the next restart) by running the following script console script:
hudson.model.AbstractItem.SKIP_PERMISSION_CHECK = true
hudson.model.Run.SKIP_PERMISSION_CHECK = true
jkmatt fyi, the upgrade guide referenced in the above PR against this ticket adds:
As a workaround, it is possible to temporarily disable part of the security hardening by setting the https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties[Java system properties] `hudson.model.AbstractItem.skipPermissionCheck` and `hudson.model.Run.skipPermissionCheck` to `true`.
On Ubuntu 16.04 with 2.138.2 (as packaged by Canonical), setting the two properties does indeed appear to resolve it: non-admin-in-jenkins github users are able to browse projects and see console logs for builds.
steph Thanks! Merged the doc update and will lower priority to reflect the presence of a workaround.
Does setting those skip permission check options to true (re)introduce a security issue? Thank you.
Any update on this? The workaround seems like it could become a concern.
Per today's security advisory, it is indeed not safe to apply the workaround that disables the additional permission check. Previously published documentation has been updated.
https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595
https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-impacts-use-of-github-oauth-plugin
A few minutes ago I released 0.31 which includes https://github.com/jenkinsci/github-oauth-plugin/pull/103. This should be resolved. Please re-open if not.
sag47 and doridian, this is still an issue all the way from 2.131.2 to LTS (2.164.2). We are stuck on 2.131.1 and unable to move forwards until this is resolved. Could you please revisit this issue?
It seems that GitHub OAuth plugin ignores permission relationships, specifically permissions implied by Item/Read with allowAnonymousReadPermission set.
Item/Discover is declared to be implied by Item/Read: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/Item.java#L258
That's what the Stapler routing hardening in 2.138.2 and 2.146 assumes to be the case to make this nice and succinct: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/AbstractItem.java#L942...L949 (This is slightly more readable code that'll make it into 2.147 after https://github.com/jenkinsci/jenkins/pull/3690, but functionally, in this regard, identical to what's in 2.138.2.)
GitHub OAuth needs to handle permissions implied by those it grants, at least Item/Discover. I'm pretty OK with the behavior in core.
Meanwhile, you could set the system property hudson.model.AbstractItem.skipPermissionCheck to true ( https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties ), but note that this disables a security improvement.
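The point made in the comment above (an authorization strategy's ACL has to honour permissions implied by the ones it grants, so that a user holding Item/Read also passes the Item/Discover check the routing hardening performs) as an added Java example. This is not code from the github-oauth plugin, from the linked PRs, or from Jenkins core. The Jenkins APIs it relies on are real (hudson.security.ACL, hudson.security.Permission and its public impliedBy field, hudson.model.Item.READ and Item.DISCOVER, ACL.ANONYMOUS_USERNAME); the class name, the allowAnonymousRead flag, the directGrants table and the grantsDirectly helper are constructed stand-ins for the plugin's real GitHub organisation/committer lookup.

```java
// Added example, not code from the github-oauth plugin or Jenkins core.
// Shows an ACL that grants a permission if it, or any permission that
// implies it, was granted directly. In Jenkins core every Permission has a
// public `impliedBy` link; Item.DISCOVER is declared as implied by Item.READ,
// and the 2.138.2 / 2.146 routing hardening asks for Item.DISCOVER first to
// decide whether an item is visible at all (otherwise the request 404s).
import hudson.model.Item;
import hudson.security.ACL;
import hudson.security.Permission;
import org.acegisecurity.Authentication;

import java.util.Map;
import java.util.Set;

public class ImpliedPermissionACL extends ACL {

    /** Constructed stand-in for the plugin's allowAnonymousReadPermission setting. */
    private final boolean allowAnonymousRead;

    /** Constructed stand-in: user name -> permissions this strategy grants directly. */
    private final Map<String, Set<Permission>> directGrants;

    public ImpliedPermissionACL(boolean allowAnonymousRead,
                                Map<String, Set<Permission>> directGrants) {
        this.allowAnonymousRead = allowAnonymousRead;
        this.directGrants = directGrants;
    }

    /**
     * What the strategy grants explicitly, before any implication is applied.
     * Hypothetical helper: in the real plugin this is where the GitHub
     * organisation / committer membership lookup would sit.
     */
    private boolean grantsDirectly(Authentication a, Permission p) {
        if (allowAnonymousRead && ACL.ANONYMOUS_USERNAME.equals(a.getName())) {
            // Anonymous read: only Item.READ itself is granted directly.
            return Item.READ.equals(p);
        }
        Set<Permission> granted = directGrants.get(a.getName());
        return granted != null && granted.contains(p);
    }

    @Override
    public boolean hasPermission(Authentication a, Permission permission) {
        // Walk up the implication chain: the requested permission is held if it
        // was granted directly, or if any permission that implies it was.
        // For Item.DISCOVER the chain starts DISCOVER -> READ -> ... and ends at
        // the root permission, so a direct Item.READ grant satisfies DISCOVER.
        for (Permission p = permission; p != null; p = p.impliedBy) {
            if (grantsDirectly(a, p)) {
                return true;
            }
        }
        return false;
    }
}
```

With allowAnonymousRead set, hasPermission(ACL.ANONYMOUS, Item.DISCOVER) returns true even though only Item.READ is granted directly, so the hardened routing check passes on to the Item.READ check and the job renders instead of returning a 404. An ACL that compared the requested permission against Item.READ by equality alone would deny Item.DISCOVER and produce exactly the symptom this ticket reports, without disabling any of the core hardening.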