JENKINS-67981

Build failure due to ldap disabled account

Details

    • 4.12.1

    Description

      We are seeing the following error at the end of a select few builds, which is causing it to fail:

      FATAL: org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
      org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
      	at hudson.security.UserAttributesHelper.checkIfUserEnabled(UserAttributesHelper.java:92)
      	at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1315)
      	at hudson.security.LDAPSecurityRealm$DelegateLDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1228)
      	at hudson.security.LDAPSecurityRealm.loadUserByUsername2(LDAPSecurityRealm.java:763)
      	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:165)
      	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:154)
      	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
      	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
      	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
      	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
      	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
      Caused: com.google.common.util.concurrent.UncheckedExecutionException
      	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2234)
      	at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
      	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
      	at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
      	at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1251)
      	at hudson.model.User$CanonicalIdResolver.resolve(User.java:1192)
      	at hudson.model.User.get(User.java:523)
      	at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:450)
      	at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:546)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:139)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
      	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
      	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
      	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:703)
      	at hudson.model.Run.execute(Run.java:1913)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:99)
      	at hudson.model.Executor.run(Executor.java:432)
      Email was triggered for: Failure - Any
      Sending email for trigger: Failure - Any
      An attempt to send an e-mail to empty list of recipients, ignored.
      Finished: FAILURE
      

      We are using:

      • Jenkins 2.315
      • Email Extension 2.87
      • Mailer Plugin 408
      • LDAP Plugin 2.8
      • git plugin 4.10.3

      An ldapsearch reveals the account is indeed disabled within AD.

      Similar issues:

      https://issues.jenkins.io/browse/JENKINS-64629

      https://issues.jenkins.io/browse/JENKINS-67491

          Activity

            markewaite Mark Waite added a comment -

            No further thoughts on the issue. When I try to catch org.springframework.security.authentication.DisabledException, it seems to not be caught. I may need to catch the com.google.common.util.concurrent.UncheckedExecutionException, though that is quite a broad exception to catch and ignore.

            hashar Antoine Musso added a comment -

            This looks almost exactly like JENKINS-67491 which got reported against 4.10.1 and had a fix released in 4.10.2: https://github.com/jenkinsci/git-plugin/pull/1202/files

            On the other issue, the trace showed GitChangeSet.java:460 and that code got wrapped with a try/catch to get org.springframework.security.core.AuthenticationException exceptions. That code tries to look up a user based on the first part of the email address. So if the author is Jane <jfoo@example.org>, it tries to find "jfoo".

            On this issue the trace occurs slightly above at GitChangeSet.java:450 which has:

            user = User.get(csAuthor, false, Collections.emptyMap());

            That searches for the, I am guessing, author name and would try to look up "Jane".

            We have the same issue at GitChangeSet.java:450 reported at https://phabricator.wikimedia.org/T315897. The user "TheresNoTime" is disabled in our LDAP (the person uses a different LDAP account) but they craft their commit with that name in the author field.

            I am guessing the same try/catch should be made when looking up the user by the user name.

            hashar Antoine Musso added a comment -

            My bad, I completely missed the first reply by Mark which stated exactly the same thing: other calls to User.get() did not get guarded and the PR is https://github.com/jenkinsci/git-plugin/pull/1233

            markewaite Mark Waite added a comment -

            hashar I've merged the master branch into that pull request so that you'll have a current version for your test.

            hashar Antoine Musso added a comment - - edited

            I have reproduced the issue in our Jenkins script console and went on to elaborate a workaround which deals with AuthenticationException exceptions which are not UsernameNotFoundException.

            From https://phabricator.wikimedia.org/T315897#8205451 :

            import org.springframework.security.core.AuthenticationException;
            import com.google.common.util.concurrent.UncheckedExecutionException;

            try {
              try {
                println("Attempting to retrieve disabled user 'theresnotime'");
                println(User.get("theresnotime", false, Collections.emptyMap()));
              } catch (AuthenticationException e) {
                println("Throwing the AuthenticationException directly");
                throw e;
              } catch (UncheckedExecutionException e) {
                // The user details cache wraps the lookup failure, so inspect the cause.
                println("Got an UncheckedExecutionException");
                if (e.getCause() instanceof AuthenticationException) {
                  println("Found cause to be an AuthenticationException, throwing");
                  throw (AuthenticationException) e.getCause();
                } else {
                  println("Unhandled exception");
                  throw e;
                }
              }
            } catch (AuthenticationException e) {
              // Fall back to the placeholder "unknown" user instead of failing.
              println(User.getUnknown());
            }
            

            Which yields:

            Attempting to retrieve disabled user 'theresnotime'
            Got an UncheckedExecutionException
            Found cause to be an AuthenticationException, throwing
            unknown
            

            I have sent a new pull request with that code https://github.com/jenkinsci/git-plugin/pull/1322
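
A triage helper for console output like the trace in the issue description, added here as an example (it is not code from the Jenkins project or from the commenters). It reports the rejected user, whether the authentication exception arrived wrapped in another exception, which frame called `User.get`, and whether the failure happened during culprit calculation. The sample log is a shortened copy of the trace above; the function and field names are assumptions.

```python
import re

# Constructed sample: a shortened copy of the console output quoted in the issue.
SAMPLE_LOG = '''\
FATAL: org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
\tat hudson.security.UserAttributesHelper.checkIfUserEnabled(UserAttributesHelper.java:92)
Caused: com.google.common.util.concurrent.UncheckedExecutionException
\tat jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
\tat hudson.model.User.get(User.java:523)
\tat hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:450)
\tat jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:139)
\tat hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:703)
Finished: FAILURE
'''

FRAME = re.compile(r'^\s*at ([\w.$]+)\(([\w$]+\.java):(\d+)\)')
ROOT = re.compile(r'^\s*([\w.$]+Exception): The user "([^"]+)"')
WRAPPER = re.compile(r'^\s*Caused: ([\w.$]+)')

def triage(log):
    """Summarise a user-lookup failure found in Jenkins console output."""
    out = {"root": None, "user": None, "wrapper": None,
           "lookup_caller": None, "in_culprits": False}
    prev = None  # method name of the previous stack frame
    for line in log.splitlines():
        if (m := ROOT.match(line)) and out["root"] is None:
            out["root"], out["user"] = m.groups()
        elif m := WRAPPER.match(line):
            # A "Caused:" line names the exception that wrapped the root cause.
            out["wrapper"] = m.group(1)
        elif m := FRAME.match(line):
            method = m.group(1)
            # The frame printed directly below User.get is the code that asked for the lookup.
            if prev == "hudson.model.User.get" and out["lookup_caller"] is None:
                out["lookup_caller"] = f"{m.group(2)}:{m.group(3)}"
            out["in_culprits"] |= method.endswith(".calculateCulprits")
            prev = method
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-empty `wrapper` means a handler that only catches the root exception type will not see it, and `lookup_caller` shows which `User.get` call site is unguarded in the installed plugin version.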


            People

              jvz Matt Sicker
              potentialingenuity Blake Mammen