JENKINS-64803

Shared Library using folder-scoped credential fails to authenticate when using tags

      Description

      Loading a shared library (checkout) from a tag does not use the provided credentials, if they're specified via the folder plugin:

      lib = library(
          // the part after '@' is the library version; here it names a tag
          identifier: "my_repo@tag",
          retriever: modernSCM(
              [$class: 'GitSCMSource',
              remote: "https://path/to/my_repo.git",
              credentialsId: 'my_user_credentials_in_folder_scope',
              // discover both branches and tags on the remote
              traits: [gitBranchDiscovery(), gitTagDiscovery()]]
          )
      )
      

      When using a branch name as version (identifier: "my_repo@branch_name"), the library is checked out correctly:

      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] echo
      Using legacySCM
      [Pipeline] library
      Loading library my_repo@master
      Selected Git installation does not exist. Using Default
      The recommended git tool is: NONE
      using credential test
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://path/to/my_repo.git # timeout=10
      Fetching upstream changes from https://path/to/my_repo.git
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
      using GIT_ASKPASS to set credentials 
       > git fetch --tags --progress -- https://path/to/my_repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
       > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
      Checking out Revision 43ecdf79f1e479252fd29d429eba29323364bf46 (refs/remotes/origin/master)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f 43ecdf79f1e479252fd29d429eba29323364bf46 # timeout=10
      Commit message: "Merge branch 'release/2.2.0'"
       > git rev-list --no-walk 43ecdf79f1e479252fd29d429eba29323364bf46 # timeout=10
      [Pipeline] End of Pipeline
      Finished: SUCCESS
      

      But when using a tag, the checkout fails with the access being denied:

      Running in Durability level: MAX_SURVIVABILITY
      [Pipeline] Start of Pipeline
      [Pipeline] echo
      Using modernSCM
      [Pipeline] library
      Loading library my_repo@1.1.0
      Attempting to resolve 1.1.0 from remote references...
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
      using GIT_ASKPASS to set credentials 
       > git ls-remote -h -t -- https://path/to/my_repo.git # timeout=10
      Found match: refs/tags/1.1.0 revision 81fc8536284ca1c5fb526127b2b9e3349722f39c
      Resolving tag commit... (remote references may be a lightweight tag or an annotated tag)
       > git rev-parse --is-inside-work-tree # timeout=10
      Setting origin to https://path/to/my_repo.git
       > git config remote.origin.url https://path/to/my_repo.git # timeout=10
      Fetching origin...
      Fetching upstream changes from origin
       > git --version # timeout=10
       > git --version # 'git version 2.11.0'
       > git config --get remote.origin.url # timeout=10
       > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
      ERROR: Checkout failed
      hudson.plugins.git.GitException: Command "git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: remote: HTTP Basic: Access denied
      fatal: Authentication failed for 'https://path/to/my_repo.git/'
      
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:573)
      	at jenkins.plugins.git.AbstractGitSCMSource.doRetrieve(AbstractGitSCMSource.java:370)
      	at jenkins.plugins.git.AbstractGitSCMSource.doRetrieve(AbstractGitSCMSource.java:330)
      	at jenkins.plugins.git.AbstractGitSCMSource.retrieve(AbstractGitSCMSource.java:956)
      	at jenkins.scm.api.SCMSource.fetch(SCMSource.java:636)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.lambda$retrieve$0(SCMSourceRetriever.java:92)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.retrySCMOperation(SCMSourceRetriever.java:107)
      	at org.jenkinsci.plugins.workflow.libs.SCMSourceRetriever.retrieve(SCMSourceRetriever.java:92)
      	at org.jenkinsci.plugins.workflow.libs.LibraryAdder.retrieve(LibraryAdder.java:157)
      	at org.jenkinsci.plugins.workflow.libs.LibraryStep$Execution.run(LibraryStep.java:205)
      	at org.jenkinsci.plugins.workflow.libs.LibraryStep$Execution.run(LibraryStep.java:154)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:367)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      

      The issue only occurs with folder-scoped credentials. When specifying the credential in the global scope instead of folder scope, we can also check out the tag as intended.
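A triage check for the symptom visible in the two logs, added here as an example (it is not part of the original report or of any Jenkins plugin): it flags network git commands in a console log that are not directly preceded by a `using GIT_ASKPASS to set credentials` line. The function name and the rule that a marker applies only to the next git command are assumptions drawn from the ordering seen in these logs.

```python
import re

# Marker printed before a command that is handed credentials: GIT_ASKPASS as in
# these logs; GIT_SSH is the counterpart printed for SSH key credentials.
CRED_MARKER = re.compile(r"^\s*using GIT_(ASKPASS|SSH) to set credentials")
GIT_COMMAND = re.compile(r"^\s*> git (\S+)")
NETWORK_SUBCOMMANDS = {"fetch", "ls-remote", "clone", "pull", "push"}

# Trimmed copy of the failing (tag) log from this report.
TAG_LOG = """\
using GIT_ASKPASS to set credentials
 > git ls-remote -h -t -- https://path/to/my_repo.git # timeout=10
 > git rev-parse --is-inside-work-tree # timeout=10
 > git config remote.origin.url https://path/to/my_repo.git # timeout=10
 > git --version # timeout=10
 > git config --get remote.origin.url # timeout=10
 > git fetch --tags --progress -- origin +refs/heads/*:refs/remotes/origin/* # timeout=10
"""

# Trimmed copy of the successful (branch) log from this report.
BRANCH_LOG = """\
using credential test
 > git config remote.origin.url https://path/to/my_repo.git # timeout=10
 > git --version # timeout=10
using GIT_ASKPASS to set credentials
 > git fetch --tags --progress -- https://path/to/my_repo.git +refs/heads/*:refs/remotes/origin/* # timeout=10
"""


def unauthenticated_network_commands(console_log):
    """Return (line_number, command) for network git commands run without
    a credential marker directly before them."""
    findings = []
    armed = False  # set by a marker, consumed by the next git command
    for number, line in enumerate(console_log.splitlines(), start=1):
        if CRED_MARKER.match(line):
            armed = True
            continue
        match = GIT_COMMAND.match(line)
        if not match:
            continue
        if match.group(1) in NETWORK_SUBCOMMANDS and not armed:
            findings.append((number, line.split(" # ")[0].strip()[2:]))
        armed = False
    return findings


if __name__ == "__main__":
    for name, log in (("tag", TAG_LOG), ("branch", BRANCH_LOG)):
        print(name, unauthenticated_network_commands(log))
```

On the tag log the only finding is the final `git fetch`, the same command the `GitException` reports; the `git ls-remote` that resolved the tag is not flagged because the marker precedes it.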

            Activity

            degelma Marian Degel added a comment -

            Benjamin Asbach FYI, since you seem to have the same problem. Maybe you have some more details.

            henjovr Henjo van Rees added a comment (edited) -

            I confirm this issue. Using a tag for a Library does not work with folder-scoped credentials:

            • We use the `@Library(["JenkinsLibrary@v1.0.0"]) _` annotation at the top of my Jenkinsfile (`v1.0.0` is a tag)
            • Modern SCM / Git used
            • On the Folder we declared the `JenkinsLibrary` Shared Pipeline library, with the correct credentials selected
              • On the Shared Pipeline Library I selected `master` as version, Jenkins correctly resolves to a commit id
              • When using the `v1.0.0` tag I get the "Authentication failed" error
            • When using a branch, everything works fine. But not with a tag.

            Git Plugin: 4.6.0

            Use case: We use Git tags on the Jenkins library when we make breaking changes, to support running pipelines for older releases.

            So, a short reproduction:

            • Create Folder-scoped credentials
            • Have a Jenkins Library in Git with a Git tag (ensure that non-anonymous Git access is required)
            • Configure the Jenkins Library on the same Folder
            • Use Modern SCM
            • Select the tag as version

              People

              Assignee: Unassigned
              Reporter: degelma Marian Degel
              Votes: 1
              Watchers: 2
