-
Bug
-
Resolution: Fixed
-
Critical
-
Jenkins 2.321, Credentials Plugin 2.6.2
-
-
1055.v1346ba467ba1
After updating to the newest version 2.6.2, our SSH credentials stopped working in jobs.
We use them:
- For the SSH Agent, which now fails with this exception:
FATAL: [ssh-agent] Could not find specified credentials java.io.IOException: [ssh-agent] Could not find specified credentials at com.cloudbees.jenkins.plugins.sshagent.SSHAgentBuildWrapper.preCheckout(SSHAgentBuildWrapper.java:209)
- To connect to our SCM via Git plugin, which only logs a warning, but still works:
Warning: CredentialId "a151f039-3970-4572-95d0-f24def5e9896" could not be found.
In the dropdown menu of both plugins, no credential is selectable. We also have "Secret text" and "username and password" types in the global domain, so the problem seems to not only be limited to SSH.
These behaviours could be fixed by reverting the plugin to version 2.6.1.
- is duplicated by
-
-
- Resolved
-
- links to
[JENKINS-67170] Credentials missing after upgrade if Configure Credential Providers » Types set to “Only selected”
timja I think https://github.com/jenkinsci/credentials-plugin/pull/235/commits/23d24bd53f69c96d68b1fe5135d02eb542b93606 neglected to add readResolve for Credentials{Type,Provider}Filter.{In,Ex}cludes.classNames as was done for CredentialsProviderTypeRestriction. That does not exactly explain the symptoms because those classes should not have been used by default IIUC—should have both defaulted to None, which should not need any migration—and users claimed to have not touched these settings before.
(It would be helpful if an affected user had a copy of their $JENKINS_HOME/credentials-configuration.xml from before the upgrade, or at least from before applying the workaround.)
Luckily we make backups. 
So here is the content of the credentials-configuration.xml from before the upgrade:
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.CredentialsProviderManager plugin="credentials@2.5">
<providerFilter class="com.cloudbees.plugins.credentials.CredentialsProviderFilter$Includes">
<classNames class="linked-hash-set">
<string>com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider</string>
<string>com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl</string>
</classNames>
</providerFilter>
<typeFilter class="com.cloudbees.plugins.credentials.CredentialsTypeFilter$Includes">
<classNames class="linked-hash-set">
<string>com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl$DescriptorImpl</string>
<string>com.microsoftopentechnologies.windowsazurestorage.helper.AzureStorageAccount$DescriptorImpl</string>
<string>com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl$DescriptorImpl</string>
<string>com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DescriptorImpl</string>
<string>org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl$DescriptorImpl</string>
</classNames>
</typeFilter>
<restrictions/>
</com.cloudbees.plugins.credentials.CredentialsProviderManager>
As I guessed. I still wonder how you got this configuration however. I tried in a fresh installation and just creating credentials does not cause this file to be created. I had to go to http://jenkins/configureCredentials/ and Save, which then just resulted in
<?xml version='1.1' encoding='UTF-8'?> <com.cloudbees.plugins.credentials.CredentialsProviderManager plugin="credentials@2.6.1"> <providerFilter class="com.cloudbees.plugins.credentials.CredentialsProviderFilter$None"/> <typeFilter class="com.cloudbees.plugins.credentials.CredentialsTypeFilter$None"/> <restrictions/> </com.cloudbees.plugins.credentials.CredentialsProviderManager>
In order to get a file like yours, I had to specifically pick Only selected under each of Providers and Types. At that point, I could reproduce the bug by upgrading credentials: no credentials were accessible, and /configureCredentials/ showed unchecked boxes beneath Types (Providers was still OK because that did not have a Descriptor/Describable split).
I don't know how we got there. We are running our Jenkins for years now and continually upgraded. Along the way we added plugins and credential providers and types and maybe one of the previous updates changed or messed up something.
We are running our Jenkins for years now
OK, perhaps you configured this setting at some point and simply forgot about it. Probably not relevant either way.
We ran into this issue when upgrading to 2.319.1 tonight. We also have a credentials-configuration.xml file. There are two overlaps between ours and sascha_broich's file. These are the UsernamePasswordCredentialsImpl FileCredentialsImpl. Here is the complete file:
<?xml version='1.1' encoding='UTF-8'?> <com.cloudbees.plugins.credentials.CredentialsProviderManager plugin="credentials@2.3.13"> <providerFilter class="com.cloudbees.plugins.credentials.CredentialsProviderFilter$None"/> <typeFilter class="com.cloudbees.plugins.credentials.CredentialsTypeFilter$Includes"> <classNames class="linked-hash-set"> <string>com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl$DescriptorImpl</string> <string>com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl$DescriptorImpl</string> <string>org.jenkinsci.plugins.github_branch_source.GitHubAppCredentials$DescriptorImpl</string> <string>com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DescriptorImpl</string> <string>org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl$DescriptorImpl</string> <string>org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl$DescriptorImpl</string> <string>com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$DescriptorImpl</string> </classNames> </typeFilter> <restrictions/> </com.cloudbees.plugins.credentials.CredentialsProviderManager>
timja do you have any time to look at this? If not, I can try submitting a patch.
If you had to change some setting after upgrade, that is of course a bug.