Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59973

rtUpload / rtDownload fail with HTTP 401 / 403

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • artifactory-plugin
    • None
    • - Jenkins v2.190.1 / Windows
      - Artifactory Plugin v3.4.x
      - Artifactory 6.12.2

      After Updating to the artifactory plugin v3.4.1 all up- or downloads using the declarative steps fail by 401 (upload) / 403 (download) HTTP errors.

      Both are working with v3.3.x and broken with 3.4.x.

      According the Artifactory logs the steps do not authenticate. 

       

      Upload

      rtUpload(serverId: 'artifactory-test', specPath: 'spec-ul.json')
      rtPublishBuildInfo(serverId: 'artifactory-test')
      

      Fails with error 401:

      Unauthorized Status code: 401
          at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44)
      [...]
      

       

      Download

      rtDownload(serverId: 'artifactory-test', specPath: 'spec-dl.json')  

      Fails with error 403:

      java.io.IOException: Failed to search artifact by the aql 'items.find({"repo": "msys2","path": {"$ne": "."}, "$or": [{"$and": [{"path": { "$match": "distrib"},"name": { "$match": "msys2-x86_64-latest.tar.xz"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","size","type","property")': HTTP/1.1 403 
          at org.jfrog.build.extractor.clientConfiguration.client.ArtifactoryDependenciesClient.getResponseStream(ArtifactoryDependenciesClient.java:136)
      [...]
      

      Configuration

      Artifactory is configured in the Jenkins settings (id artifactory-test in the examples) and useses the Credentials Plugin to access credentials.

      The Test Connection button returns the correct Artifactory version.

       

      Tested version of the plugin

       

      Version Result
      3.3.0
      3.3.1
      3.3.2
      3.4.0
      3.4.1

       

      Workaround

      Downgrade to a v3.3.x release.

          [JENKINS-59973] rtUpload / rtDownload fail with HTTP 401 / 403

          ethorsa created issue -
          ethorsa made changes -
          Attachment New: stacktrace-download.log [ 49342 ]
          ethorsa made changes -
          Attachment New: stacktrace-upload.log [ 49343 ]
          ethorsa made changes -
          Description Original: After Updating to the _artifactory plugin v3.4.1_ all up- or downloads using the declarative steps fail by 401 (upload) / 403 (download) HTTP errors.

          Both are working with v3.3.x and broken with 3.4.x.

          According the Artifactory logs the steps do not authenticate. 

           
          h3. Upload
          {code:java}
          rtUpload(serverId: 'artifactory-test', specPath: 'spec-ul.json')
          rtPublishBuildInfo(serverId: 'artifactory-test')
          {code}
          Fails with error 401:
          {noformat}
          Unauthorized Status code: 401
              at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44)
          [...]
          {noformat}
           
          h3. Download
          {code:java}
          rtDownload(serverId: 'artifactory-test', specPath: 'spec-dl.json') {code}
          Fails with error 403:
          {noformat}
          java.io.IOException: Failed to search artifact by the aql 'items.find({"repo": "msys2","path": {"$ne": "."}, "$or": [{"$and": [{"path": { "$match": "distrib"},"name": { "$match": "msys2-x86_64-latest.tar.xz"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","size","type","property")': HTTP/1.1 403
              at org.jfrog.build.extractor.clientConfiguration.client.ArtifactoryDependenciesClient.getResponseStream(ArtifactoryDependenciesClient.java:136)
          [...]
          {noformat}
          h3. Configuration

          Artifactory is configured in the Jenkins settings (id {{artifactory-test}} in the examples) and useses the _Credentials Plugin_ to access credentials.

          The _Test Connection_ button returns the correct Artifactory version.

           
          h3. Tested version of the plugin

           
          ||Version||Result||
          |3.3.0|(/)|
          |3.3.1|(/)|
          |3.3.2|(/)|
          |3.4.0|(x)|
          |3.4.1|(x)|
          New: After Updating to the _artifactory plugin v3.4.1_ all up- or downloads using the declarative steps fail by 401 (upload) / 403 (download) HTTP errors.

          Both are working with v3.3.x and broken with 3.4.x.

          According the Artifactory logs the steps do not authenticate. 

           
          h3. Upload
          {code:java}
          rtUpload(serverId: 'artifactory-test', specPath: 'spec-ul.json')
          rtPublishBuildInfo(serverId: 'artifactory-test')
          {code}
          Fails with error 401:
          {noformat}
          Unauthorized Status code: 401
              at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44)
          [...]
          {noformat}
           
          h3. Download
          {code:java}
          rtDownload(serverId: 'artifactory-test', specPath: 'spec-dl.json') {code}
          Fails with error 403:
          {noformat}
          java.io.IOException: Failed to search artifact by the aql 'items.find({"repo": "msys2","path": {"$ne": "."}, "$or": [{"$and": [{"path": { "$match": "distrib"},"name": { "$match": "msys2-x86_64-latest.tar.xz"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","size","type","property")': HTTP/1.1 403
              at org.jfrog.build.extractor.clientConfiguration.client.ArtifactoryDependenciesClient.getResponseStream(ArtifactoryDependenciesClient.java:136)
          [...]
          {noformat}
          h3. Configuration

          Artifactory is configured in the Jenkins settings (id {{artifactory-test}} in the examples) and useses the _Credentials Plugin_ to access credentials.

          The _Test Connection_ button returns the correct Artifactory version.

           
          h3. Tested version of the plugin

           
          ||Version||Result||
          |3.3.0|(/)|
          |3.3.1|(/)|
          |3.3.2|(/)|
          |3.4.0|(x)|
          |3.4.1|(x)|

           

          h3. Workaround

          Downgrade to a v3.3.x release.
          ethorsa made changes -
          Issue Type Original: New Feature [ 2 ] New: Bug [ 1 ]

          We ran in the same problem with v3.4.1 for Maven projects in Jenkins 2.190.2 (LTS):

          10:05:03 [INFO] Deploying artifact: https://xxx.jar
          10:05:06 [ERROR] org.jfrog.build.extractor.maven.BuildInfoRecorder.sessionEnded() listener has failed: 
          10:05:06 java.lang.RuntimeException: Error occurred while publishing artifact to Artifactory: /var/lib/jenkins/workspace/Card Node Snapshot/xxx.jar.
          10:05:06  Skipping deployment of remaining artifacts (if any) and build info.
          10:05:06     at org.jfrog.build.extractor.maven.BuildDeploymentHelper.deployArtifacts (BuildDeploymentHelper.java:303)
          10:05:06     at org.jfrog.build.extractor.maven.BuildDeploymentHelper.deploy (BuildDeploymentHelper.java:103)
          10:05:06     at org.jfrog.build.extractor.maven.BuildInfoRecorder.sessionEnded (BuildInfoRecorder.java:173)
          10:05:06     at org.apache.maven.lifecycle.internal.DefaultExecutionEventCatapult.fire (DefaultExecutionEventCatapult.java:64)
          10:05:06     at org.apache.maven.lifecycle.internal.DefaultExecutionEventCatapult.fire (DefaultExecutionEventCatapult.java:42)
          10:05:06     at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:137)
          10:05:06     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305)
          10:05:06     at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
          10:05:06     at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
          10:05:06     at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130)
          ...
          10:05:06 Caused by: java.io.IOException: Failed to deploy file. Status code: 401 Response message: Artifactory returned the following errors: 
          10:05:06 Unauthorized Status code: 401
          

          Downgrading to v3.3.x worked around the issue for us too.

          I kind of feel this is related to picking up the right credentials.
          Our jobs do not 'Override default deployer credentials' and rely on the ~/.m2/settings.xml file being populated with those.
          But so far, I've not managed to work around this issue by changing the credential settings of the job.

          Looking at the recent commits, I wonder if this one could be the culprit:

          [HAP-1219] folder scoped credentials for deploy step (#171)

          Benoit Donneaux added a comment - We ran in the same problem with v3.4.1 for Maven projects in Jenkins 2.190.2 (LTS): 10:05:03 [INFO] Deploying artifact: https://xxx.jar 10:05:06 [ERROR] org.jfrog.build.extractor.maven.BuildInfoRecorder.sessionEnded() listener has failed: 10:05:06 java.lang.RuntimeException: Error occurred while publishing artifact to Artifactory: /var/lib/jenkins/workspace/Card Node Snapshot/xxx.jar. 10:05:06 Skipping deployment of remaining artifacts (if any) and build info. 10:05:06 at org.jfrog.build.extractor.maven.BuildDeploymentHelper.deployArtifacts (BuildDeploymentHelper.java:303) 10:05:06 at org.jfrog.build.extractor.maven.BuildDeploymentHelper.deploy (BuildDeploymentHelper.java:103) 10:05:06 at org.jfrog.build.extractor.maven.BuildInfoRecorder.sessionEnded (BuildInfoRecorder.java:173) 10:05:06 at org.apache.maven.lifecycle.internal.DefaultExecutionEventCatapult.fire (DefaultExecutionEventCatapult.java:64) 10:05:06 at org.apache.maven.lifecycle.internal.DefaultExecutionEventCatapult.fire (DefaultExecutionEventCatapult.java:42) 10:05:06 at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:137) 10:05:06 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:305) 10:05:06 at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) 10:05:06 at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) 10:05:06 at org.jvnet.hudson.maven3.launcher.Maven35Launcher.main (Maven35Launcher.java:130) ... 10:05:06 Caused by: java.io.IOException: Failed to deploy file. Status code: 401 Response message: Artifactory returned the following errors: 10:05:06 Unauthorized Status code: 401 Downgrading to v3.3.x worked around the issue for us too. I kind of feel this is related to picking up the right credentials. Our jobs do not 'Override default deployer credentials' and rely on the ~/.m2/settings.xml file being populated with those. But so far, I've not managed to work around this issue by changing the credential settings of the job. Looking at the recent commits, I wonder if this one could be the culprit: [HAP-1219] folder scoped credentials for deploy step (#171)

          ethorsa added a comment -

          I have manged to git bisect the causing commit: f2ca1492f64deb34b4cbb1ff286bd94411829bed

          ethorsa added a comment - I have manged to git bisect the causing commit: f2ca1492f64deb34b4cbb1ff286bd94411829bed

          ethorsa, could you perhaps elaborate a bit about the credentials used on the repository you are trying to upload to?

          I'm the author of that patch, and I have tried to reproduce it, without any luck.  However offa seems to be able to reproduce it, so there might be something missing in the example I used to try and reproduce it.

          See the link you provided for more information about what I have tried so far.  In short, I have tried the maven-example from the jfrog/jenkins-examples repo, against a brand new installation of Artifactory-oss (version 6.16.0 rev 61600900), running in a container.  I have configured a repository named 'libs-snapshot-local' (as this is what the example upload spec uses), where anonymous have manage permissions for both repo action and build action.

          Jesper Reenberg added a comment - ethorsa , could you perhaps elaborate a bit about the credentials used on the repository you are trying to upload to? I'm the author of that patch, and I have tried to reproduce it, without any luck.  However offa seems to be able to reproduce it, so there might be something missing in the example I used to try and reproduce it. See the link you provided for more information about what I have tried so far.  In short, I have tried the maven-example from the jfrog/jenkins-examples repo, against a brand new installation of Artifactory-oss (version 6.16.0 rev 61600900), running in a container.  I have configured a repository named 'libs-snapshot-local' (as this is what the example upload spec uses), where anonymous have manage permissions for both repo action and build action.

          Yahav Itzhak added a comment -

          Yahav Itzhak added a comment - ethorsa bdonneaux Thanks for reporting this issue. We fix this issue in this commit: https://github.com/jfrog/jenkins-artifactory-plugin/commit/879ba6cb7b5ba14c7ff3ffb4184e4fa249744eb5 Here is a snapshot with the fix: https://oss.jfrog.org/oss-snapshot-local/org/jenkins-ci/plugins/artifactory/3.4.x-SNAPSHOT/artifactory-3.4.x-20191208.120519-26.hpi We'll appreciate your feedback for that!

          ethorsa added a comment - - edited

          Unfortunately I still run into the error using the attached snapshot version.

          I have setup a minimal example like this:

          Pipeline Code

          The pipeline code is integrated via multibranch pipeline (fetched from git repository). Beside the Git connection there's nothing configured in the multibranch pipeline project itself.

           

          pipeline {
              agent any
          
              stages {
                  stage("Test") {
                      steps {
                          rtDownload(serverId: 'artifactory-test', specPath: 'spec-dl.json')
                      }
                  }
          
              }
          }
          

           

          spec-dl.json:

          {
              "files": [{
                  "pattern": "jenkins-artifactory-test/*",
                  "target": "jenkins-artifactory-test/",
                  "flat": "true"
              }]
          }

           

          The git repository contains the Jenkinsfile and specfile. The job does not use folders – however, a multibranch pipeline itself is some kind of folder.

           

          Artifactory repository

          The related artifactory repository jenkins-artifactory-test is of generic type and has permissions set, so all user can do anything. Anonymous user don't have access though.

          For this test it contains only a simple example.md file with some chars in it.

           

          Jenkins Configuration

          The Artifactory connection is specified in the Jenkins global configuration (Artifactory section):

          • Use the Credentials Plugin: yes
          • Server ID: artifactory-test (as used in the pipeline)
          • Default Deployer Credentials:
            • Credentials: A credential stored by the credentials Plugin (Scope: Global, contains username and associated Artifactory API key)
          • Use Different Resolver Credentials: no

          Pressing the Test Connection button shows "Found Artifactory 6.12.2".

          Screenshot of the configuration attached.

          Running the Pipeline

          Executing the pipeline fails with following error (Blue Ocean, full log attached):

           

          Using spec file: <Workspach Path>\spec-dl.json
          
          Searching for artifacts...
          
          Failed to search artifact by the aql 'items.find({"repo": "jenkins-artifactory-test","$or": [{"$and": [{"path": { "$match": "*"},"name": { "$match": "*"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","size","type","property")': HTTP/1.1 403
          

           

          There are no related entries in the global Jenkins All Log. Are there any logs that could be helpful?

           

          Versions

          • Jenkins: v2.190.3
            • Artifactory Plugin: Snapshot by yahaviz
            • Credentials Plugin: 2.3.0
          • Artifactory: 6.12.2

           

          ethorsa added a comment - - edited Unfortunately I still run into the error using the attached snapshot version. I have setup a minimal example like this: Pipeline Code The pipeline code is integrated via multibranch pipeline (fetched from git repository). Beside the Git connection there's nothing configured in the multibranch pipeline project itself.   pipeline { agent any stages { stage( "Test" ) { steps { rtDownload(serverId: 'artifactory-test' , specPath: 'spec-dl.json' ) } } } }   spec-dl.json: { "files" : [{ "pattern" : "jenkins-artifactory-test/*" , "target" : "jenkins-artifactory-test/" , "flat" : " true " }] }   The git repository contains the Jenkinsfile and specfile. The job does not use folders – however, a multibranch pipeline itself is some kind of folder.   Artifactory repository The related artifactory repository jenkins-artifactory-test is of generic type and has permissions set, so all user can do anything. Anonymous user don't have access though. For this test it contains only a simple example.md file with some chars in it.   Jenkins Configuration The Artifactory connection is specified in the Jenkins global configuration (Artifactory section): Use the Credentials Plugin: yes Server ID: artifactory-test (as used in the pipeline) Default Deployer Credentials: Credentials: A credential stored by the credentials Plugin (Scope: Global, contains username and associated Artifactory API key) Use Different Resolver Credentials: no Pressing the Test Connection button shows "Found Artifactory 6.12.2" . Screenshot of the configuration attached. Running the Pipeline Executing the pipeline fails with following error (Blue Ocean, full log attached):   Using spec file: <Workspach Path>\spec-dl.json Searching for artifacts... Failed to search artifact by the aql 'items.find({"repo": "jenkins-artifactory-test","$or": [{"$and": [{"path": { "$match": "*"},"name": { "$match": "*"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","size","type","property")': HTTP/1.1 403   There are no related entries in the global Jenkins All Log. Are there any logs that could be helpful?   Versions Jenkins: v2.190.3 Artifactory Plugin: Snapshot by yahaviz Credentials Plugin: 2.3.0 Artifactory: 6.12.2  

            Unassigned Unassigned
            ethorsa ethorsa
            Votes:
            2 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: