[JENKINS-73060] Github Oauth authentication 'randomly' missing authorities

Type: Bug
Resolution: Unresolved
Priority: Major
Component/s: github-oauth-plugin
Labels:
None
Environment:
Jenkins 2.440.2
GitHub Authentication plugin 597.ve0c3480fcb_d0
Matrix Authorization Strategy Plugin 3.2.2

Similar Issues:
Powered by SuggestiMate

Show

We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabling more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'

on successful builds he has the expected authorities:
'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true'

I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209

is related to

JENKINS-63296 Failed permission check on Resource Root URL

Open

JENKINS-72209 Authorities are not immediately returned from github when login

Reopened

JENKINS-72268 Users missing permissions at the controller level

Reopened

kutzi created issue - 2024-04-24 07:07

kutzi made changes - 2024-04-24 07:08

Description

Original: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=teamwebsiteauto, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true}}
{{'}}

{{I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209}}

New: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=teamwebsiteauto, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

{{I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209}}

kutzi made changes - 2024-04-24 07:08

Link

New: This issue is related to JENKINS-72209 [ JENKINS-72209 ]

kutzi made changes - 2024-04-24 07:10

Description

Original: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=teamwebsiteauto, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

{{I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209}}

New: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

{{I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209}}

kutzi made changes - 2024-04-24 07:10

Description

Original: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

{{I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209}}

New: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209

kutzi made changes - 2024-04-24 07:19

Description

Original: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabled more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209

New: We're using the Github auth and Matrix Auth plugin for configuring build permissions.
We're using curl with basic auth to trigger builds remotely on this Jenkins.
Most of the time that works well, but seemingly randomly the builds are rejected because of missing permissions:

{{'javax.servlet.ServletException: hudson.security.AccessDeniedException3: userxxx is missing the Job/Build permission: 200'}}

We're running some dozen builds per day and in average 2-3 builds fail. One some days more, on other days no builds fail.

I've tried to find more info by enabling more fine grained logging and this is what I could get.
When the builds fails, the user is missing any GrantedAuthorities:
{{'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[]],Permission[class hudson.model.Hudson,Read])=>true'}}

on successful builds he has the expected authorities:
{{{}'FINE hudson.security.SidACL hasPermission2: hasPermission(UsernamePasswordAuthenticationToken [Principal=userxxx, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[authenticated, website, ...]],Permission[interface hudson.model.Item,Build])=>true{}}}{{{}'{}}}

I've tried to find an existing bug report, but couldn't find anything matching.
Maybe this is related, but I'm not sure JENKINS-72209

kutzi added a comment - 2024-04-24 07:53

Also, we've added a 'sleep 5 seconds and then try again' step to our CI process, but still it seems to fail in all cases with the same error even on the retry

kutzi added a comment - 2024-04-24 07:53 Also, we've added a 'sleep 5 seconds and then try again' step to our CI process, but still it seems to fail in all cases with the same error even on the retry

kutzi added a comment - 2024-04-24 08:12

Also, it seems that the issue is happening mostly in the morning, when the 1st builds are started, but sometimes also happens later - i.e. in the afternoon

kutzi added a comment - 2024-04-24 08:12 Also, it seems that the issue is happening mostly in the morning, when the 1st builds are started, but sometimes also happens later - i.e. in the afternoon

kutzi added a comment - 2024-05-08 12:38

Is there any update on this?
It's really annoying as it's happening several times a day and no workaround we tried (e.g. logging with in earlier request in case some caches need to be filled first) has helped

kutzi added a comment - 2024-05-08 12:38 Is there any update on this? It's really annoying as it's happening several times a day and no workaround we tried (e.g. logging with in earlier request in case some caches need to be filled first) has helped

kutzi made changes - 2024-05-08 12:55

Link

New: This issue is related to JENKINS-72268 [ JENKINS-72268 ]

Assignee:: Unassigned

Reporter:: kutzi

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024-04-24 07:07

Updated:: 2024-12-05 12:14

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: kutzi added a comment - 2024-04-24 07:53

Expand comment: kutzi added a comment - 2024-04-24 07:53

Collapse comment: kutzi added a comment - 2024-04-24 08:12

Expand comment: kutzi added a comment - 2024-04-24 08:12

Collapse comment: kutzi added a comment - 2024-05-08 12:38

Expand comment: kutzi added a comment - 2024-05-08 12:38

People

Dates