We are facing an ADOM group issue when adding it using the 'Add group' option. We upgraded Jenkins from 2.264.4 to 2.387.1 LTS. The process of upgrade is:

      1. Uninstalled java 8 and installed java 11
      2. Replaced Tomcat 9.0.50 with 9.0.70
      3. Under tomcat/webapps, deleted old Jenkins.war (2.264.4) and added new jenkins.war (2.387.1 LTS).
      4. We have a custom directory path for Jenkins file system which is untouched.
      5. Started tomcat service to start upgraded Jenkins and was loaded with all the pre existing data, jobs, plugins, and configs.
      6. In the pluginManager > updates, we updated selective plugins as per required.
      7. The Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162) and the old Jenkins is (3.1.1).

      FYI - This is no plugin issue as we have another upgraded Jenkins running with the same set of plugins and running with no issue.

      Authentication type enabled:
      1. Security Realm - SAML 2.0
      2. Project-based Matrix Authorization Strategy 

      After the ADOM group is added, we see a red exclamation, and when clicked on (show details) below is the error displayed... 

      java.lang.IllegalArgumentException: A granted authority textual representation is required
      at org.springframework.util.Assert.hasText(Assert.java:289)
      at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
      at jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68)
      at org.jenkinsci.plugins.saml.SamlGroupDetails.hasGroupOnAuthorities(SamlGroupDetails.java:65)
      at org.jenkinsci.plugins.saml.SamlGroupDetails.lambda$getMembers$0(SamlGroupDetails.java:55)
      at java.base/java.util.ArrayList.forEach(ArrayList.java:1541)
      at org.jenkinsci.plugins.saml.SamlGroupDetails.getMembers(SamlGroupDetails.java:53)
      at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname2(SamlSecurityRealm.java:633)
      at org.jenkinsci.plugins.matrixauth.ValidationUtil.validateGroup(ValidationUtil.java:68)
      at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:190)
      at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
      at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
      at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
      at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
      at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:289)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
      at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:779)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
      at com.splunk.splunkjenkins.WebPostAccessLogger.doFilter(WebPostAccessLogger.java:39)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at org.jenkinsci.plugins.corsfilter.AccessControlsFilter.doFilter(AccessControlsFilter.java:79)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
      at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
      at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
      at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at javax.servlet.FilterChain$doFilter.call(Unknown Source)
      at com.ceilfors.jenkins.plugins.jiratrigger.ExceptionLoggingFilter.doFilter(ExceptionLoggingFilter.groovy:29)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:64)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
      at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
      at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
      at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:177)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
      at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
      at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
      at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:891)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1784)
      at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
      at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
      at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.base/java.lang.Thread.run(Thread.java:829)

          [JENKINS-71092] Adom group issue after jenkins upgrade

          Daniel Beck added a comment - - edited

          Role-based Authorization Strategy Plugin in upgraded Jenkins is (587.588.v850a_20a_30162)

          Why does the version of https://plugins.jenkins.io/role-strategy/ matter, when you're using https://plugins.jenkins.io/matrix-auth/ ?


          This looks like an empty group name, or null is recorded in the LastGrantedAuthoritiesProperty of one of the users in JENKINS_HOME/users. Check those XML files for the serialized list of recorded group memberships and remove any that look like they represent an empty string.

          matrix-auth is not involved in recording groups or this code path beyond a general group lookup, so I'm removing that component. The likely culprit is SAML Plugin, or core.


          Ivan Fernandez Calvo added a comment

          If the SAML Response has a granted group with empty content, that is a wrong IdP implementation/configuration; it is something unexpected and probably against the definition of the SAML response, so this issue is not a blocker at all. Please set the priority to normal or even low.

          That said, if a granted group is empty, the SAML plugin probably passes it to the core function that saves that field. The question is where we put the defensive code: in the SAML plugin, where we cover only the case for SAML, or in core, where we put the filter to cover any bad data that comes from external sources.

          Ivan Fernandez Calvo added a comment - - edited

          Checking the SAML plugin code, the groups are already filtered: https://github.com/jenkinsci/saml-plugin/blob/main/src/main/java/org/jenkinsci/plugins/saml/SamlSecurityRealm.java#L502-L508. Hence, it is complicated that the SAML plugin generates that empty group. I don't know where that empty group comes from, but it is returned by jenkins.security.LastGrantedAuthoritiesProperty.getAuthorities2(LastGrantedAuthoritiesProperty.java:68).
          The user is making an upgrade or adding a group to a user; the initial comment confuses me. I doubt that all users have the same problem, so find the user with the weird LastGrantedAuthoritiesProperty and move its user folder to another place, then make the upgrade (or whatever it is doing).

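The check suggested in the two comments above (look through JENKINS_HOME/users for a LastGrantedAuthoritiesProperty that recorded an empty or null group) can be scripted. This is an added example, not code from Jenkins or the SAML plugin; it assumes the property is serialized as a `<roles>` list of `<string>` entries, and the user directories and the group name `adom-devs` in the sample data are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROP = "jenkins.security.LastGrantedAuthoritiesProperty"
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def blank_roles(xml_text):
    """Return positions of blank or null entries under <roles> (assumed layout)."""
    # Jenkins writes an XML 1.1 declaration; drop it so the stdlib parser accepts the file.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    bad = []
    for prop in root.iter(PROP):
        for pos, entry in enumerate(prop.findall("roles/*")):
            if entry.tag == "null" or not (entry.text or "").strip():
                bad.append(pos)
    return bad

def scan_users(jenkins_home):
    """Map user directory name -> blank role positions (None if unparseable)."""
    hits = {}
    for cfg in sorted(Path(jenkins_home, "users").glob("*/config.xml")):
        try:
            bad = blank_roles(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            bad = None  # file needs a manual look
        if bad is None or bad:
            hits[cfg.parent.name] = bad
    return hits

def build_sample_home():
    """Constructed sample data: three users, two with a bad recorded group."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))
    samples = {
        "alice_1": "<string>authenticated</string><string>adom-devs</string>",
        "bob_2": "<string>authenticated</string><string></string>",
        "carol_3": "<null/><string>authenticated</string>",
    }
    for name, roles in samples.items():
        user_dir = home / "users" / name
        user_dir.mkdir(parents=True)
        (user_dir / "config.xml").write_text(
            "<?xml version='1.1' encoding='UTF-8'?>\n<user><properties>"
            f"<{PROP}><roles>{roles}</roles><timestamp>0</timestamp></{PROP}>"
            "</properties></user>", encoding="utf-8")
    return home

if __name__ == "__main__":
    for user, positions in scan_users(build_sample_home()).items():
        print(user, positions)
```

The script only reads the files; pointing `scan_users` at a copy of the real JENKINS_HOME identifies which user folders to move aside instead of clearing the whole users directory.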

          Akhil T added a comment - - edited

          Hey ifernandezcalvo, Thanks for the response.

          All the users and admins have the same error visible whenever adding the adom group.
          We tried clearing out everything under the JENKINS_HOME/users/ directory, and then the adom group error is no more. Now whenever users log back in, their user profiles will be auto-regenerated via LDAP, SSO.

          Will observe the change for the next 1 week and then be good to close the ticket.


            ifernandezcalvo Ivan Fernandez Calvo
            akhitak Akhil T