Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-13650

Upgrading Active Directory plugin from 1.26 to 1.27 causes loss of Jenkins admin rights

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Labels:
    • Environment:
      Windows Server 2003 x86, non-domain, connecting to Windows Server 2008 Active Directory. "Domain Name" set to ourcompanyname.com, "Domain controller" left blank. Jenkins version=1.450, AD plugin version=1.26
    • Similar Issues:

      Description

      I just updated the AD plugin with "install without restarting" turned on to attempt to fix bug 12619 which I originally reported.

      It failed:

      INFO: Starting the installation of Active Directory plugin on behalf of tfanning
      01-May-2012 11:23:40 hudson.model.UpdateCenter$UpdateCenterConfiguration download
      INFO: Downloading Active Directory plugin
      01-May-2012 11:23:41 hudson.PluginManager dynamicLoad
      INFO: Attempting to dynamic load C:\Program Files\Jenkins\plugins\active-directory.jpi
      01-May-2012 11:23:41 hudson.model.UpdateCenter$DownloadJob run
      SEVERE: Failed to install Active Directory plugin
      hudson.util.IOException2: Failed to dynamically deploy this plugin
      at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1137)
      at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:955)
      at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: java.io.IOException: Unable to delete C:\Program Files\Jenkins\plugins\active-directory\WEB-INF\lib\active-directory-1.0.jar
      at hudson.Util.deleteFile(Util.java:237)
      at hudson.Util.deleteRecursive(Util.java:287)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.Util.deleteRecursive(Util.java:278)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.Util.deleteRecursive(Util.java:278)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.ClassicPluginStrategy.explode(ClassicPluginStrategy.java:389)
      at hudson.ClassicPluginStrategy.createPluginWrapper(ClassicPluginStrategy.java:113)
      at hudson.PluginManager.dynamicLoad(PluginManager.java:340)
      at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1133)
      ... 7 more

      I then restarted the Jenkins service, waited, logged in with my AD credentials, so this appeared to work.

      However in Jenkins my AD account has now lost all of its admin privileges, i.e. I nor any other person configured to have admin rights can now configure Jenkins.

      I noticed active-directory.bak left over in the Jenkins plugin folder. Stopped the service, deleted active-directory.jpi, renamed active-directory.bak to .jpi, restarted, all working (albeit with bug 12619 still present)

      How should I upgrade to 1.27 safely?

        Attachments

          Activity

          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c
          Log:
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name."

          This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff.

          Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c Log: [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff. Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          In 1.27, because of the 8b4c00a7 change mentioned above, Jenkins was logging users into their canonical names, like "Kohsuke Kawaguchi", instead of their user names, like "kkawaguchi". Most authorization strategies record users by their user names, so of course such change results in the permission losses.

          1.28 restores the previous behaviour. This unfortunately means for those who modified config.xml for 1.27 would have to redo that one more time. My apologies.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - In 1.27, because of the 8b4c00a7 change mentioned above, Jenkins was logging users into their canonical names, like "Kohsuke Kawaguchi", instead of their user names, like "kkawaguchi". Most authorization strategies record users by their user names, so of course such change results in the permission losses. 1.28 restores the previous behaviour. This unfortunately means for those who modified config.xml for 1.27 would have to redo that one more time. My apologies.
          Hide
          dogfood dogfood added a comment -

          Integrated in plugins_active-directory #63
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c)

          Result = SUCCESS
          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          Show
          dogfood dogfood added a comment - Integrated in plugins_active-directory #63 [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c) Result = SUCCESS Kohsuke Kawaguchi : Files : src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          Hide
          salvojo John Salvo added a comment -

          Confirmed that 1.28 fixed this issue.

          Show
          salvojo John Salvo added a comment - Confirmed that 1.28 fixed this issue.
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          Closing based on the last comment.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - Closing based on the last comment.

            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              tomfanning Tom Fanning
            • Votes:
              9 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: