• github-oauth-0.31

      When updating to Jenkins 2.146, the "GitHub Committer Authorization strategy" no longer works.

      Users can log in but are granted no permissions at all.

      Downgrading to Jenkins 2.145 fixes the issue (but, because of the security advisories that are present, isn't a good solution at all).

      Setting logging to FINEST shows the plugin "tries" to grant the correct permissions, but Jenkins does not seem to respect them.

          [JENKINS-54031] GitHub OAuth plugin fails with Jenkins 2.146

          Daniel Beck added a comment -

          It seems that GitHub OAuth plugin ignores permission relationships, specifically permissions implied by Item/Read with allowAnonymousReadPermission set.

          Item/Discover is declared to be implied by Item/Read: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/Item.java#L258

          That's what the Stapler routing hardening in 2.138.2 and 2.146 assumes to be the case to make this nice and succinct: https://github.com/jenkinsci/jenkins/blob/371b9c134681e3e04f52a5e0bb39c747e6d44c45/core/src/main/java/hudson/model/AbstractItem.java#L942...L949 (This is slightly more readable code that'll make it into 2.147 after https://github.com/jenkinsci/jenkins/pull/3690, but it is functionally identical in this regard to what's in 2.138.2.)

          GitHub OAuth needs to handle permissions implied by those it grants, at least Item/Discover. I'm pretty OK with the behavior in core.

          Meanwhile, you could set the system property hudson.model.AbstractItem.skipPermissionCheck to true (https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties), but note that this disables a security improvement.

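The permission-implication point in the comment above, as an added illustration that is not code from this thread, from Jenkins core or from the GitHub OAuth plugin: a toy Python model of permissions linked by an "implied by" chain, comparing a direct-match check (the behaviour the thread attributes to the plugin) with an implication-aware check (what the comment asks the plugin to do). Only the edge "Item/Discover is implied by Item/Read" comes from the thread; the class, the functions, the other permission names and the `anonymous_grants` strategy are assumptions for this model, not Jenkins' API.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterator, Optional


@dataclass(frozen=True)
class Permission:
    """A named permission, optionally implied by a broader one.

    Toy model of the Jenkins Permission/impliedBy relationship. The class
    and its methods are assumptions for this example, not Jenkins' API.
    """

    name: str
    implied_by: Optional["Permission"] = None

    def chain(self) -> Iterator["Permission"]:
        """Yield this permission, then every permission that implies it."""
        p: Optional["Permission"] = self
        while p is not None:
            yield p
            p = p.implied_by


# Constructed permission tree. Only "Item/Discover is implied by Item/Read"
# is taken from the thread; the remaining edges are illustrative.
OVERALL_ADMINISTER = Permission("Overall/Administer")
OVERALL_READ = Permission("Overall/Read", OVERALL_ADMINISTER)
ITEM_READ = Permission("Item/Read", OVERALL_READ)
ITEM_DISCOVER = Permission("Item/Discover", ITEM_READ)
ITEM_CONFIGURE = Permission("Item/Configure", OVERALL_ADMINISTER)


def has_permission_direct(granted: FrozenSet[Permission], requested: Permission) -> bool:
    """Direct-match check: only explicitly listed permissions are granted.

    This is the shape of the failure described in the thread: a strategy
    that grants Item/Read but never lists Item/Discover answers False when
    core asks for Item/Discover, so the hardened routing denies the request.
    """
    return requested in granted


def has_permission_implied(granted: FrozenSet[Permission], requested: Permission) -> bool:
    """Implication-aware check: grant if the requested permission, or any
    permission that implies it, is in the granted set."""
    return any(p in granted for p in requested.chain())


def anonymous_grants(allow_anonymous_read: bool) -> FrozenSet[Permission]:
    """Permissions a hypothetical strategy grants to anonymous users.

    Mirrors the thread's allowAnonymousReadPermission setting: when on,
    anonymous gets read access, and nothing narrower is listed explicitly.
    """
    if allow_anonymous_read:
        return frozenset({OVERALL_READ, ITEM_READ})
    return frozenset()


def compare_checks(granted: FrozenSet[Permission], requested: Permission) -> dict:
    """Run both checks for one request so the gap between them is visible."""
    return {
        "requested": requested.name,
        "direct": has_permission_direct(granted, requested),
        "implied": has_permission_implied(granted, requested),
    }


if __name__ == "__main__":
    grants = anonymous_grants(allow_anonymous_read=True)
    for perm in (ITEM_READ, ITEM_DISCOVER, ITEM_CONFIGURE):
        result = compare_checks(grants, perm)
        print(f"{result['requested']:16} direct={result['direct']!s:5} implied={result['implied']}")
```

With read access granted, the direct check refuses Item/Discover while the implication-aware check allows it, which is exactly the "logged in but no permissions" symptom at the top of this ticket; both checks still refuse Item/Configure, so walking the implication chain widens nothing beyond what the granted permissions already cover.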

          Daniel Beck added a comment -

          (Note that my comment was originally written for a different report, so it might not only affect allowAnonymousReadPermission.)

          Daniel Beck added a comment -

          Amending 2.138.2 upgrade guide in https://github.com/jenkins-infra/jenkins.io/pull/1835

          Russell Knighton added a comment - - edited

          For us, the workaround didn't work fully - it restored the ability for a regular user to browse and navigate each repository/branch etc., but when they tried to view individual jobs, they were 404'd, and the following is dumped to the jenkins.log:

          Oct 15, 2018 3:51:08 PM hudson.init.impl.InstallUncaughtExceptionHandler lambda$init$0
           WARNING: null
          java.lang.IllegalStateException: Committed
          	at org.eclipse.jetty.server.HttpChannel.resetBuffer(HttpChannel.java:853)
          	at org.eclipse.jetty.server.HttpOutput.resetBuffer(HttpOutput.java:960)
          	at org.eclipse.jetty.server.Response.resetBuffer(Response.java:1312)
          	at org.eclipse.jetty.server.Response.sendRedirect(Response.java:720)
          	at org.eclipse.jetty.server.Response.sendRedirect(Response.java:729)
          	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
          	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
          	at org.acegisecurity.context.HttpSessionContextIntegrationFilter$OnRedirectUpdateSessionResponseWrapper.sendRedirect(HttpSessionContextIntegrationFilter.java:525)
          	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
          	at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:176)
          	at org.kohsuke.stapler.ResponseImpl.sendRedirect(ResponseImpl.java:138)
          	at org.kohsuke.stapler.ResponseImpl.sendRedirect2(ResponseImpl.java:153)
          	at org.kohsuke.stapler.DirectoryishDispatcher.dispatch(DirectoryishDispatcher.java:28)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
          	at org.kohsuke.stapler.MetaClass$10.dispatch(MetaClass.java:374)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
          	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
          	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
          	at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
          	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          	at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
          	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
          	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
          	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
          	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
          	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
          	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
          	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
          	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
          	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          	at org.eclipse.jetty.server.Server.handle(Server.java:531)
          	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
          	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
          	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
          	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
          	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
          	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
          	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
          	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
          	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
          	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
          	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
          	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
          	at java.lang.Thread.run(Thread.java:748)

          Is there anything else we need to do/enable to restore full functionality?

          This was after an upgrade from 2.121.3 -> 2.138.2

          Matt Friedman added a comment -

          We experienced all of the above issues. Finally, to fix the issue fully, we downgraded to 2.138.1.

          Hope this is fixed in the ubuntu pkg before long. Thank you.

          Chris Williams added a comment -

          I posted a PR with a potential fix here: https://github.com/jenkinsci/github-oauth-plugin/pull/101

          Could use some guidance on what the proper set of permissions to allow is when "allow authenticated user to create jobs" is enabled.
          Also could use some actual usage/testing in a real install, since I haven't actually tried my own fix yet.

          Josh Pollara added a comment -

          Downgrading to Jenkins 2.145 fixed the issue for me. Poor long-term solution.

          Hoping this is fixed sooner rather than later. Thanks!


          fisnik hajredini added a comment -

          Has there been a fix on this yet? We seem to have the same issue on 2.138.2

          Alexander Chernaev added a comment -

          We're having the same issue with Jenkins 2.138.2

          fisnik hajredini added a comment -

          We run an open source software, and it's quite important for our external contributors to be able to view their build progress. This bug's priority was Moderate, but I increased it to Critical. I hope that's fine.

          Matt Friedman added a comment -

          fhajredini

          It prevents us from upgrading Jenkins from a version that has security issues. I'd call that critical also.

          Daniel Beck added a comment -

          Could I get confirmation that setting the system property I mentioned in a previous comment works in fact for nobody who's affected? Because that would be a related core bug.


          Matt Friedman added a comment -

          danielbeck

          Setting the property only partially fixed the issue for us. We downgraded to get back full functionality.

          IIRC, it allowed access to the summary page for a build, but not to things like console log.


          Daniel Beck added a comment -

          Oh, right. That makes sense. That's controlled by a different system property: hudson.model.Run.skipPermissionCheck. You'll need to set both to true.


          Daniel Beck added a comment -

          Amending upgrade guide in https://github.com/jenkins-infra/jenkins.io/pull/1843 – would appreciate if someone could try the amended instructions so we know these are a complete workaround.

          Can also be done while Jenkins is running (until the next restart) by running the following script console script:

          hudson.model.AbstractItem.SKIP_PERMISSION_CHECK = true
          hudson.model.Run.SKIP_PERMISSION_CHECK = true


          AnneTheAgile added a comment - - edited

          jkmatt fyi, the upgrade guide referenced in the PR above against this ticket adds:

          As a workaround, it is possible to temporarily disable part of the security hardening by setting the https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties[Java system properties] `hudson.model.AbstractItem.skipPermissionCheck` and `hudson.model.Run.skipPermissionCheck` to `true`.

          Steph Gosling added a comment - - edited

          On Ubuntu 16.04 with 2.138.2 (as packaged by Canonical), setting the two properties does indeed appear to resolve it: non-admin-in-jenkins github users are able to browse projects and see console logs for builds.

          Daniel Beck added a comment -

          steph Thanks! Merged the doc update and will lower priority to reflect the presence of a workaround.


          Matt Friedman added a comment -

          Does setting those skip permission check options to true (re)introduce a security issue? Thank you. 


          Adam Lock added a comment -

          Any update on this?  The workaround seems like it could become a concern.


          Keith Harvey added a comment -

          Any update on this? Thanks

          Daniel Beck added a comment -

          Per today's security advisory, it is indeed not safe to apply the workaround that disables the additional permission check. Previously published documentation has been updated.

          https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

          https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-impacts-use-of-github-oauth-plugin

          Daniel Lo Nigro added a comment -

          Are there any workarounds that don't cause security issues?

          Sam Gleske added a comment -

          A few minutes ago I released 0.31 which includes https://github.com/jenkinsci/github-oauth-plugin/pull/103. This should be resolved. Please re-open if not.


          jeremy hochheiser added a comment -

          sag47 and doridian, this is still an issue all the way from 2.131.2 to LTS (2.164.2). We are stuck on 2.131.1 and unable to move forwards until this is resolved. Could you please revisit this issue?
