
"SYSTEM" is prohibited as a username for security reasons.

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Component: credentials-plugin
    • None

      Hi,

      I have a pre-built Jenkins environment where I inject my secrets from a JSON file into the credentials.xml file via variables using Ansible. Ideally, when Jenkins starts, credentials.xml would be encrypted; however, Jenkins doesn't encrypt the credentials.xml file and only encrypts the secrets inside the config.xml file on startup.

      Eventually, I wrote a Groovy script to encrypt all the credentials on boot, from config.xml and credentials.xml. Now, when Jenkins starts, it runs this Groovy script:

      import jenkins.model.Jenkins
      // Force a save of every credentials store so the secrets are rewritten in encrypted form
      com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()
      

      Everything gets encrypted; however, I now see a warning message from Jenkins complaining that the SYSTEM user is a prohibited username.

      This is the warning message I see in the logs:

      May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
      WARNING: Forced save credentials stores: Could not save com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl@c1aa8e7
      ERROR: "SYSTEM" is prohibited as a username for security reasons.
          at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:266)
          at hudson.util.FormValidation.errorWithMarkup(FormValidation.java:252)
          at hudson.util.FormValidation.error(FormValidation.java:143)
          at hudson.model.User.save(User.java:792)
          at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.save(UserCredentialsProvider.java:488)
          at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.access$1100(UserCredentialsProvider.java:196)
          at com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl.save(UserCredentialsProvider.java:805)
          at com.cloudbees.plugins.credentials.CredentialsProvider$3.run(CredentialsProvider.java:1705)
          at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
          at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          at java.lang.Thread.run(Thread.java:748)
      

      Why am I seeing this warning message and how can I fix it? Is there another way to enforce encryption on startup, rather than using the Groovy script I wrote? When I started working on this CI/CD project, Jenkins was encrypting the secrets on startup. I am not sure what I have done that, in the end, Jenkins is ignoring the credentials.xml file and leaving the secrets in plain text.

      • The Jenkins master is running inside a Docker container
      • The flavour of the container is CentOS 7
      • The version of Jenkins is 2.164.2
      • Credential plugin version is credentials@2.1.18

      Thank you!
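
A check a provisioning pipeline could run after the startup script described above, to confirm that no secret in credentials.xml is still stored in plain text. This is an added example, not part of the original report or of Jenkins itself; the element names in SECRET_TAGS and the sample XML are assumptions constructed for illustration, and it relies on Jenkins writing encrypted secrets as base64 wrapped in braces.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: element names that commonly hold secrets in credentials.xml.
SECRET_TAGS = {"password", "passphrase", "privateKey", "secret", "secretBytes"}
# Current Jenkins serialization of an encrypted secret: {base64 ciphertext}.
# Older brace-less ciphertext would also be flagged here and needs manual review.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=\s]+\}$")

def find_plaintext_secrets(xml_text):
    """Return (credential id, tag) for each secret value not in {base64} form."""
    # Jenkins writes an XML 1.1 declaration; expat supports only XML 1.0, so drop it.
    body = re.sub(r"^\s*<\?xml.*?\?>", "", xml_text, count=1)
    findings = []

    def walk(elem, cred_id):
        id_child = elem.find("id")
        if id_child is not None and id_child.text:
            cred_id = id_child.text.strip()  # nearest enclosing credential id
        for child in elem:
            value = (child.text or "").strip()
            if child.tag in SECRET_TAGS and value and not ENCRYPTED.match(value):
                findings.append((cred_id, child.tag))
            walk(child, cred_id)  # secrets may be nested, e.g. privateKeySource

    walk(ET.fromstring(body), None)
    return findings

# Constructed, abbreviated sample: one encrypted entry, one injected in plain text.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>deploy-user</id>
    <username>deploy</username>
    <password>{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>registry-user</id>
    <username>registry</username>
    <password>constructed-plaintext-value</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

if __name__ == "__main__":
    for cred_id, tag in find_plaintext_secrets(SAMPLE):
        print(f"plain-text <{tag}> in credential {cred_id!r}")
```

The function reports only the credential id and element name, never the secret value, so its output is safe to keep in build logs.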

          [JENKINS-57429] "SYSTEM" is prohibited as a username for security reasons.

          Bogdan Grosu added a comment - - edited

          Hi guys,

           

          Is it possible to get an update on this bug? Is this a bug or not? What would be the way to remediate the issue?

          Thank you!


          Anthony Green added a comment -

          Have the same issue


          Bogdan Grosu added a comment -

          anthonycgreen did you find a fix for this?


            Assignee: Unassigned
            Reporter: Bogdan Grosu (groenator)
            Votes: 2
            Watchers: 3