
Github Oauth authentication 'randomly' missing authorities

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: github-oauth-plugin
    • Labels: None
    • Environment: Jenkins 2.440.2
      GitHub Authentication plugin 597.ve0c3480fcb_d0
      Matrix Authorization Strategy Plugin 3.2.2

      We're using the GitHub auth and Matrix Auth plugins for configuring build permissions.
      We're using curl with basic auth to trigger builds remotely on this Jenkins.
      Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

      'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'

      We're running some dozen builds per day and on average 2-3 builds fail. On some days more, on other days no builds fail.

      I've tried to find more info by enabling more fine grained logging and this is what I could get.
      When the build fails, the user is missing any GrantedAuthorities:
      'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'

      On successful builds he has the expected authorities:
      'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true'
       
      I've tried to find an existing bug report, but couldn't find anything matching.
      Maybe this is related, but I'm not sure: JENKINS-72209

          [JENKINS-73060] Github Oauth authentication 'randomly' missing authorities

          kutzi added a comment -

          Also, we've added a 'sleep 5 seconds and then try again' step to our CI process, but still it seems to fail in all cases with the same error even on the retry


          kutzi added a comment -

          Also, it seems that the issue is happening mostly in the morning, when the 1st builds are started, but sometimes also happens later - i.e. in the afternoon


          kutzi added a comment -

          Is there any update on this?
          It's really annoying as it's happening several times a day and no workaround we tried (e.g. logging in with an earlier request in case some caches need to be filled first) has helped


          Fabian Holler added a comment - - edited

          We experience a very similar issue with the same setup. I believe it has the same cause:

          Triggering builds or viewing artifacts every now and then fails for various users with:

          <USER> is missing the Overall/Read permission

          After some retries it succeeds for the same user.

           

          When it happens while triggering builds with curl, Jenkins responds with a 403 status code and the following information in the HTTP headers:

          < X-You-Are-Authenticated-As: fho
          < X-You-Are-In-Group-Disabled: JENKINS-39402: use -Dhudson.security.AccessDeniedException2.REPORT_GROUP_HEADERS=true or use /whoAmI to diagnose
          < X-Required-Permission: hudson.model.Hudson.Read
          < X-Permission-Implied-By: hudson.security.Permission.GenericRead
          < X-Permission-Implied-By: hudson.model.Hudson.Administer

           

          We have been experiencing the issue for years with various Jenkins and plugin versions.

          Currently we are using Jenkins version 2.479.2 and GitHub Authentication plugin version 621.v33b_4394dda_4d

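A way to turn the evidence in this report into a repeatable check, as an added example that is not part of the issue or of Jenkins itself: it parses the SidACL FINE log lines and the 403 diagnostic headers quoted above and flags authenticated tokens whose authority list is empty. Function names and sample data are constructed for illustration, and the log layout is assumed to match the quoted lines.

```python
import re

# Layout of the hudson.security.SidACL FINE lines, taken from the lines quoted in this issue.
SIDACL = re.compile(
    r"hasPermission\(UsernamePasswordAuthenticationToken \[Principal=(?P<user>[^,\]]+), "
    r".*?Authenticated=(?P<authed>true|false), .*?Granted Authorities=\[(?P<auths>[^\]]*)\]\],"
    r"Permission\[(?:class|interface) (?P<owner>[\w.$]+),(?P<perm>\w+)\]\)=>(?P<result>true|false)"
)

def parse_sidacl(line):
    """Turn one SidACL log line into a dict, or None if the line is something else."""
    m = SIDACL.search(line)
    if not m:
        return None
    return {
        "user": m["user"],
        "authenticated": m["authed"] == "true",
        "authorities": [a.strip() for a in m["auths"].split(",") if a.strip()],
        "permission": f'{m["owner"]}.{m["perm"]}',
        "granted": m["result"] == "true",
    }

def empty_authority_checks(lines):
    """Checks where the token was authenticated but carried no authorities at all."""
    parsed = (parse_sidacl(line) for line in lines)
    return [p for p in parsed if p and p["authenticated"] and not p["authorities"]]

def parse_denied_headers(curl_verbose):
    """Collect the X-* diagnostic headers of a 403 from `curl -v` output (repeats kept)."""
    headers = {}
    for line in curl_verbose.splitlines():
        m = re.match(r"<\s*(X-[\w-]+):\s*(.*)", line.strip())
        if m:
            headers.setdefault(m[1], []).append(m[2].strip())
    return headers

TOKEN = ("FINE hudson.security.SidACL hasPermission2: hasPermission("
         "UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], "
         "Authenticated=true, Details=null, Granted Authorities=[%s]],Permission[%s])=>true")
SAMPLE_LOG = [  # constructed, modelled on the two log lines in the report
    TOKEN % ("", "class hudson.model.Hudson,Read"),
    TOKEN % ("authenticated, website", "interface hudson.model.Item,Build"),
]
SAMPLE_403 = """< X-You-Are-Authenticated-As: fho
< X-Required-Permission: hudson.model.Hudson.Read
< X-Permission-Implied-By: hudson.security.Permission.GenericRead
< X-Permission-Implied-By: hudson.model.Hudson.Administer"""  # headers as quoted in the thread

if __name__ == "__main__":
    for check in empty_authority_checks(SAMPLE_LOG):
        print("no authorities:", check["user"], check["permission"])
    print(parse_denied_headers(SAMPLE_403))
```

Correlating the timestamps of flagged log lines with the 403 responses seen by the CI client shows whether every rejected trigger coincides with an empty authority list.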

            Assignee: Unassigned
            Reporter: kutzi