[JENKINS-67981] Build failure due to ldap disabled account - Jenkins Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Component/s: email-ext-plugin, git-plugin, ldap-plugin, mailer-plugin
Labels:
- email
- mailer
- notification
- plugin
Environment:
* Jenkins 2.315 on linux
* Mailer Plugin 408

Similar Issues:

Show
Released As:
4.12.1

Description

We are seeing the following error at the end of a select few builds, which is causing it to fail:

FATAL: org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
org.springframework.security.authentication.DisabledException: The user "st123456" is administratively disabled.
	at hudson.security.UserAttributesHelper.checkIfUserEnabled(UserAttributesHelper.java:92)
	at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1315)
	at hudson.security.LDAPSecurityRealm$DelegateLDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1228)
	at hudson.security.LDAPSecurityRealm.loadUserByUsername2(LDAPSecurityRealm.java:763)
	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:165)
	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:154)
	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4767)
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
Caused: com.google.common.util.concurrent.UncheckedExecutionException
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2234)
	at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4764)
	at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:122)
	at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1251)
	at hudson.model.User$CanonicalIdResolver.resolve(User.java:1192)
	at hudson.model.User.get(User.java:523)
	at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:450)
	at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:546)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:139)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at jenkins.scm.RunWithSCM.calculateCulprits(RunWithSCM.java:134)
	at hudson.model.AbstractBuild.calculateCulprits(AbstractBuild.java:342)
	at jenkins.scm.RunWithSCM.getCulprits(RunWithSCM.java:94)
	at hudson.model.AbstractBuild.getCulprits(AbstractBuild.java:331)
	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:703)
	at hudson.model.Run.execute(Run.java:1913)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:99)
	at hudson.model.Executor.run(Executor.java:432)
Email was triggered for: Failure - Any
Sending email for trigger: Failure - Any
An attempt to send an e-mail to empty list of recipients, ignored.
Finished: FAILURE

We are using:

Jenkins 2.315
Email Extention 2.87
Mailer Plugin 408
LDAP Plugin 2.8
git plugin 4.10.3

An ldapsearch reveals the account is indeed disabled within AD.

Similar issues:

https://issues.jenkins.io/browse/JENKINS-64629

https://issues.jenkins.io/browse/JENKINS-67491

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screen Shot 2022-03-08 at 9.09.06 PM.png
44 kB
2022-03-09 03:10

Issue Links

relates to

JENKINS-64629 Build failure due to email notification issue

In Review

JENKINS-67491 Build failure due to disabled LDAP user

Closed

Activity

Ascending order - Click to sort in descending order

View 5 older comments

Mark Waite added a comment - 2022-03-21 19:38

No further thoughts on the issue. When I try to catch org.springframework.security.authentication.DisabledException , it seems to not be caught. I may need to catch the com.google.common.util.concurrent.UncheckedExecutionException though that is quite a broad exception to catch and ignore

Mark Waite added a comment - 2022-03-21 19:38 No further thoughts on the issue. When I try to catch org.springframework.security.authentication.DisabledException , it seems to not be caught. I may need to catch the com.google.common.util.concurrent.UncheckedExecutionException though that is quite a broad exception to catch and ignore

Antoine Musso added a comment - 2022-08-23 16:32

This looks almost exactly like ~~JENKINS-67491~~ which got reported against 4.10.1 and had a fix released in 4.10.2: https://github.com/jenkinsci/git-plugin/pull/1202/files

On the other issue, the trace showed GitChangeSet.java:460 and that code got wrapped with a try/catch to get org.springframework.security.core.AuthenticationException exceptions. That code tries to lookup a user based on the first part of the email address. So if the author is Jane <jfoo@example.org>, it tries to find "jfoo".

On this issue the trace occurs slightly above at GitChangeSet.java:450 which has:

user = User.get(csAuthor, false, Collections.emptyMap());

That searches for the, I am guessing, author name and would try to lookup "Jane".

We have the same issue at GitChangeSet.java:450 reported at https://phabricator.wikimedia.org/T315897 . The user "TheresNoTime" is disabled in our LDAP (the person uses a different LDAP account) but they craft their commit with that name in the author field.

I am guessing the same try/catch should be made when looking up the user by the user name.

Antoine Musso added a comment - 2022-08-23 16:32 This looks almost exactly like JENKINS-67491 which got reported against 4.10.1 and had a fix released in 4.10.2: https://github.com/jenkinsci/git-plugin/pull/1202/files On the other issue, the trace showed GitChangeSet.java:460 and that code got wrapped with a try/catch to get org.springframework.security.core.AuthenticationException exceptions. That code tries to lookup a user based on the first part of the email address. So if the author is Jane <jfoo@example.org>, it tries to find "jfoo". On this issue the trace occurs slightly above at GitChangeSet.java:450 which has: user = User.get(csAuthor, false, Collections.emptyMap()); That searches for the, I am guessing, author name and would try to lookup "Jane". We have the same issue at GitChangeSet.java:450 reported at https://phabricator.wikimedia.org/T315897 . The user "TheresNoTime" is disabled in our LDAP (the person uses a different LDAP account) but they craft their commit with that name in the author field. I am guessing the same try/catch should be made when looking up the user by the user name.

Antoine Musso added a comment - 2022-08-23 20:51

My bad I completely missed the first reply by Mark which stated exactly the same thing: other calls to User.get() did not get guarded and the PR is https://github.com/jenkinsci/git-plugin/pull/1233

Antoine Musso added a comment - 2022-08-23 20:51 My bad I completely missed the first reply by Mark which stated exactly the same thing: other calls to User.get() did not get guarded and the PR is https://github.com/jenkinsci/git-plugin/pull/1233

Mark Waite added a comment - 2022-08-23 21:44

hashar I've merged the master branch into that pull request so that you'll have a current version for your test.

Mark Waite added a comment - 2022-08-23 21:44 hashar I've merged the master branch into that pull request so that you'll have a current version for your test.

Antoine Musso added a comment - 2022-09-01 11:52 - edited

I have reproduced the issue in our Jenkins script console and went to elaborate a workaround which deal with AuthenticationException which are not UsernameNotFoundException.

From https://phabricator.wikimedia.org/T315897#8205451 :

import org.springframework.security.core.AuthenticationException;
import com.google.common.util.concurrent.UncheckedExecutionException;

try {
  try {
    println("Attempting to retrieve disabled user 'theresnotime'");
    println(User.get("theresnotime", false, Collections.emptyMap()));
    } catch (AuthenticationException e) {
      println("Throwing the AuthenticationException directly");
      throw e;
   } catch (UncheckedExecutionException e) {
      println("Got an UncheckedExecutionException");
      if (e.getCause() instanceof AuthenticationException) {
          println("Found cause to be an AuthenticationException, throwing");
          throw (AuthenticationException) e.getCause();
      } else {
          println("Unhandled exception");
          throw e;
      }
  }
} catch (AuthenticationException e) {
	println(User.getUnknown());
}

Which yields:

Attempting to retrieve disabled user 'theresnotime'
Got an UncheckedExecutionException
Found cause to be an AuthenticationException, throwing
unknown

I have send a new pull request with that code https://github.com/jenkinsci/git-plugin/pull/1322

Antoine Musso added a comment - 2022-09-01 11:52 - edited I have reproduced the issue in our Jenkins script console and went to elaborate a workaround which deal with AuthenticationException which are not UsernameNotFoundException . From https://phabricator.wikimedia.org/T315897#8205451 : import org.springframework.security.core.AuthenticationException; import com.google.common.util.concurrent.UncheckedExecutionException; try { try { println( "Attempting to retrieve disabled user 'theresnotime' " ); println(User.get( "theresnotime" , false , Collections.emptyMap())); } catch (AuthenticationException e) { println( "Throwing the AuthenticationException directly" ); throw e; } catch (UncheckedExecutionException e) { println( "Got an UncheckedExecutionException" ); if (e.getCause() instanceof AuthenticationException) { println( "Found cause to be an AuthenticationException, throwing" ); throw (AuthenticationException) e.getCause(); } else { println( "Unhandled exception" ); throw e; } } } catch (AuthenticationException e) { println(User.getUnknown()); } Which yields: Attempting to retrieve disabled user 'theresnotime' Got an UncheckedExecutionException Found cause to be an AuthenticationException, throwing unknown I have send a new pull request with that code https://github.com/jenkinsci/git-plugin/pull/1322

Jenkins

Build failure due to ldap disabled account

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates