- Bug
- Resolution: Unresolved
- Minor
- None
Hi,
I have a pre-built Jenkins environment where I inject my secrets from a JSON file into the credentials.xml file via variables using Ansible. Ideally, when Jenkins starts, credentials.xml would be encrypted; however, Jenkins doesn't encrypt the credentials.xml file, it only encrypts the secrets inside the config.xml file on startup.
Eventually, I wrote a Groovy script to encrypt all the credentials on boot, from config.xml and credentials.xml. Now, when Jenkins starts, it runs this Groovy script:
```groovy
import jenkins.model.Jenkins;
com.cloudbees.plugins.credentials.CredentialsProvider.saveAll()
```
Everything gets encrypted, but now I see a warning message from Jenkins complaining that the system user is a prohibited user name.
This is the warning message I see in the logs:
```
May 10, 2019 5:54:34 PM com.cloudbees.plugins.credentials.CredentialsProvider$3 run
WARNING: Forced save credentials stores: Could not save com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl@c1aa8e7
ERROR: "SYSTEM" is prohibited as a username for security reasons.
    at hudson.util.FormValidation._errorWithMarkup(FormValidation.java:266)
    at hudson.util.FormValidation.errorWithMarkup(FormValidation.java:252)
    at hudson.util.FormValidation.error(FormValidation.java:143)
    at hudson.model.User.save(User.java:792)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.save(UserCredentialsProvider.java:488)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$UserCredentialsProperty.access$1100(UserCredentialsProvider.java:196)
    at com.cloudbees.plugins.credentials.UserCredentialsProvider$StoreImpl.save(UserCredentialsProvider.java:805)
    at com.cloudbees.plugins.credentials.CredentialsProvider$3.run(CredentialsProvider.java:1705)
    at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
```
Why am I seeing this warning message and how can I fix it? Is there another way to enforce encryption on startup, rather than using the Groovy script I wrote? When I started working on this CI/CD project, Jenkins was encrypting the secrets on startup. I am not sure what I have done so that in the end Jenkins ignores the credentials.xml file and leaves the secrets in plain text.
- The Jenkins master is running inside a Docker container
- The flavour of the container is CentOS 7
- The version of Jenkins is 2.164.2
- Credential plugin version is credentials@2.1.18
Thank you!
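A check for the condition described in this report, as an added example that is not part of the original issue or of Jenkins: it scans the text of credentials.xml and lists the credential fields whose values are not in the brace-wrapped encrypted form, without ever returning the values. The set of secret-bearing element names and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: element names that hold secret values in credentials.xml
# (credentials, ssh-credentials and plain-credentials plugins).
SECRET_TAGS = {"password", "passphrase", "privateKey", "secret", "secretBytes"}
# Jenkins 2.x stores an encrypted Secret as base64 wrapped in braces.
ENCRYPTED = re.compile(r"\{[A-Za-z0-9+/]+={0,2}\}")

# Constructed sample, trimmed to two credential entries; all values are made up.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <id>deploy-user</id>
    <username>deploy</username>
    <password>constructed-plaintext-value</password>
  </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
  <org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
    <id>api-token</id>
    <secret>{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxl}</secret>
  </org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""


def find_plaintext_secrets(xml_text):
    """Return (credential id, tag) for each secret field not in encrypted form.

    Secret values are never returned, so the result is safe to log.
    """
    # Drop the XML declaration so parsing does not depend on the declared version.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    findings = []

    def walk(node, cred_id):
        # A credential entry carries its own <id>; keep it for nested fields.
        id_text = node.findtext("id")
        if id_text:
            cred_id = id_text.strip()
        for child in node:
            value = (child.text or "").strip()
            if child.tag in SECRET_TAGS and value and not ENCRYPTED.fullmatch(value):
                findings.append((cred_id, child.tag))
            walk(child, cred_id)

    walk(ET.fromstring(body), None)
    return findings


if __name__ == "__main__":
    for cred_id, tag in find_plaintext_secrets(SAMPLE):
        print(f"plaintext <{tag}> in credential {cred_id!r}")
```

Run against the rendered credentials.xml after the Ansible templating step and again after Jenkins has started; an empty result on the second run means every listed field was rewritten in encrypted form.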
Hi guys,
Is it possible to get an update on this bug? Is this a bug or not? What would be the way to remediate the issue?
Thank you!