Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-13650

Upgrading Active Directory plugin from 1.26 to 1.27 causes loss of Jenkins admin rights

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Labels:
    • Environment:
      Windows Server 2003 x86, non-domain, connecting to Windows Server 2008 Active Directory. "Domain Name" set to ourcompanyname.com, "Domain controller" left blank. Jenkins version=1.450, AD plugin version=1.26
    • Similar Issues:

      Description

      I just updated the AD plugin with "install without restarting" turned on to attempt to fix bug 12619 which I originally reported.

      It failed:

      INFO: Starting the installation of Active Directory plugin on behalf of tfanning
      01-May-2012 11:23:40 hudson.model.UpdateCenter$UpdateCenterConfiguration download
      INFO: Downloading Active Directory plugin
      01-May-2012 11:23:41 hudson.PluginManager dynamicLoad
      INFO: Attempting to dynamic load C:\Program Files\Jenkins\plugins\active-directory.jpi
      01-May-2012 11:23:41 hudson.model.UpdateCenter$DownloadJob run
      SEVERE: Failed to install Active Directory plugin
      hudson.util.IOException2: Failed to dynamically deploy this plugin
      at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1137)
      at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:955)
      at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
      at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: java.io.IOException: Unable to delete C:\Program Files\Jenkins\plugins\active-directory\WEB-INF\lib\active-directory-1.0.jar
      at hudson.Util.deleteFile(Util.java:237)
      at hudson.Util.deleteRecursive(Util.java:287)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.Util.deleteRecursive(Util.java:278)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.Util.deleteRecursive(Util.java:278)
      at hudson.Util.deleteContentsRecursive(Util.java:198)
      at hudson.ClassicPluginStrategy.explode(ClassicPluginStrategy.java:389)
      at hudson.ClassicPluginStrategy.createPluginWrapper(ClassicPluginStrategy.java:113)
      at hudson.PluginManager.dynamicLoad(PluginManager.java:340)
      at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1133)
      ... 7 more

      I then restarted the Jenkins service, waited, logged in with my AD credentials, so this appeared to work.

      However in Jenkins my AD account has now lost all of its admin privileges, i.e. I nor any other person configured to have admin rights can now configure Jenkins.

      I noticed active-directory.bak left over in the Jenkins plugin folder. Stopped the service, deleted active-directory.jpi, renamed active-directory.bak to .jpi, restarted, all working (albeit with bug 12619 still present)

      How should I upgrade to 1.27 safely?

        Attachments

          Activity

          tomfanning Tom Fanning created issue -
          Hide
          salvojo John Salvo added a comment -

          I have a similar but different issue. The active directory was upgraded properly to 1.27, but I also lost all jenkins admin rights ( There is no "Manage Jenkins" in the web page ).

          $ cat /home/jenkins/plugins/active-directory/META-INF/MANIFEST.MF
          Manifest-Version: 1.0
          Archiver-Version: Plexus Archiver
          Created-By: Apache Maven
          Built-By: kohsuke
          Build-Jdk: 1.6.0_26
          Extension-Name: active-directory
          Implementation-Title: active-directory
          Implementation-Version: 1.27
          Group-Id: org.jenkins-ci.plugins
          Short-Name: active-directory
          Long-Name: Jenkins Active Directory plugin
          Url: http://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+Plugin
          Plugin-Version: 1.27
          Hudson-Version: 1.403
          Jenkins-Version: 1.403
          Plugin-Developers: Kohsuke Kawaguchi:kohsuke:

          I'll try to revert back to 1.26 to see if that helps.

          Show
          salvojo John Salvo added a comment - I have a similar but different issue. The active directory was upgraded properly to 1.27, but I also lost all jenkins admin rights ( There is no "Manage Jenkins" in the web page ). $ cat /home/jenkins/plugins/active-directory/META-INF/MANIFEST.MF Manifest-Version: 1.0 Archiver-Version: Plexus Archiver Created-By: Apache Maven Built-By: kohsuke Build-Jdk: 1.6.0_26 Extension-Name: active-directory Implementation-Title: active-directory Implementation-Version: 1.27 Group-Id: org.jenkins-ci.plugins Short-Name: active-directory Long-Name: Jenkins Active Directory plugin Url: http://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+Plugin Plugin-Version: 1.27 Hudson-Version: 1.403 Jenkins-Version: 1.403 Plugin-Developers: Kohsuke Kawaguchi:kohsuke: I'll try to revert back to 1.26 to see if that helps.
          Hide
          salvojo John Salvo added a comment -

          If it helps, I am using project matrix authorisation

          <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
          <permission>hudson.model.Computer.Configure:salvojo</permission>
          <permission>hudson.model.Computer.Connect:salvojo</permission>
          <permission>hudson.model.Computer.Create:salvojo</permission>
          <permission>hudson.model.Computer.Delete:salvojo</permission>
          <permission>hudson.model.Computer.Disconnect:salvojo</permission>
          <permission>hudson.model.Hudson.Administer:salvojo</permission>
          < ...snip ...>

          Show
          salvojo John Salvo added a comment - If it helps, I am using project matrix authorisation <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"> <permission>hudson.model.Computer.Configure:salvojo</permission> <permission>hudson.model.Computer.Connect:salvojo</permission> <permission>hudson.model.Computer.Create:salvojo</permission> <permission>hudson.model.Computer.Delete:salvojo</permission> <permission>hudson.model.Computer.Disconnect:salvojo</permission> <permission>hudson.model.Hudson.Administer:salvojo</permission> < ...snip ...>
          Hide
          salvojo John Salvo added a comment -

          Confirmed that restoring the active directory plug-in back to 1.26 restored my admin rights, and the "Manage Jenkins" link is now displayed again.

          Show
          salvojo John Salvo added a comment - Confirmed that restoring the active directory plug-in back to 1.26 restored my admin rights, and the "Manage Jenkins" link is now displayed again.
          Hide
          bahadir Deniz Bahadir added a comment - - edited

          I have the same behavior. (After upgrading, all admin users lost their privileged rights.)

          However, I might have a clue, whats going on:

          • With "Active Directory" plugin version 1.26: Jenkins shows my username in the top bar next to the logout-button.
          • With "Active Directory" plugin version 1.27: Jenkins shows my realname (in the form of "lastname, firstname") in the top bar next to the logout-button.
          • With "Active Directory" plugin version 1.27: Jenkins lists two users that seem to belong to me. One with my username as Jenkins user id (as with version 1.26), the other with my realname (in the form of "lastname, firstname").
          • With all "Active Directory" plugin versions: No matter what, I still can only login to Jenkins with my username, not with my realname (in the form of "lastname, firstname").

          After manually editing jenkins' config.xml in the filesystem - by copying all the permission-related lines with my username and replacing the username with realname ("lastname, firstname") - I am able to get my admin rights back.

          I assume, something got mixed up in version 1.27, so that wrong fields are read from the "Active Directory" database and the realname accidentally becomes the Jenkins user id.

          Show
          bahadir Deniz Bahadir added a comment - - edited I have the same behavior. (After upgrading, all admin users lost their privileged rights.) However, I might have a clue, whats going on: With "Active Directory" plugin version 1.26: Jenkins shows my username in the top bar next to the logout-button. With "Active Directory" plugin version 1.27: Jenkins shows my realname (in the form of "lastname, firstname") in the top bar next to the logout-button. With "Active Directory" plugin version 1.27: Jenkins lists two users that seem to belong to me. One with my username as Jenkins user id (as with version 1.26), the other with my realname (in the form of "lastname, firstname"). With all "Active Directory" plugin versions: No matter what, I still can only login to Jenkins with my username, not with my realname (in the form of "lastname, firstname"). After manually editing jenkins' config.xml in the filesystem - by copying all the permission-related lines with my username and replacing the username with realname ("lastname, firstname") - I am able to get my admin rights back. I assume, something got mixed up in version 1.27, so that wrong fields are read from the "Active Directory" database and the realname accidentally becomes the Jenkins user id.
          salvojo John Salvo made changes -
          Field Original Value New Value
          Summary Upgrading Active Directory plugin from 1.26 to 1.27 reported as failure then causes loss of Jenkins admin rights Upgrading Active Directory plugin from 1.26 to 1.27 causes loss of Jenkins admin rights
          Hide
          salvojo John Salvo added a comment -

          I updated the subject of this issue to reflect that the issue occurs on a successful upgrade to 1.27

          Show
          salvojo John Salvo added a comment - I updated the subject of this issue to reflect that the issue occurs on a successful upgrade to 1.27
          Hide
          salvojo John Salvo added a comment -

          Deniz is right ... I saw under /home/jenkins/users .... not the network user ID, but the full name of the user.

          Show
          salvojo John Salvo added a comment - Deniz is right ... I saw under /home/jenkins/users .... not the network user ID, but the full name of the user.
          Hide
          jacob_robertson Jacob Robertson added a comment -

          I have the same issue. I worked around it by going into config.xml and "Camel-Casing" all the user names. For example, each permission with the name "jacob.robertson" I changed to "Jacob.Robertson" and then restarted Jenkins. It worked.

          Show
          jacob_robertson Jacob Robertson added a comment - I have the same issue. I worked around it by going into config.xml and "Camel-Casing" all the user names. For example, each permission with the name "jacob.robertson" I changed to "Jacob.Robertson" and then restarted Jenkins. It worked.
          Hide
          jacob_robertson Jacob Robertson added a comment -

          I'm not sure what's going on... After making the fix I described above, I updated Jenkins to the latest LTS (1.447.1). At that time my permissions broke once again, and I had to fix config.xml to make my name all lower-case to get my permissions to show up.

          Show
          jacob_robertson Jacob Robertson added a comment - I'm not sure what's going on... After making the fix I described above, I updated Jenkins to the latest LTS (1.447.1). At that time my permissions broke once again, and I had to fix config.xml to make my name all lower-case to get my permissions to show up.
          Hide
          salvojo John Salvo added a comment - - edited

          Can everyone experiencing this issue vote for this ? There are currently only 2 votes. There should not bee a need to change anything in config.xml ( e.g. changing from the domain user ID to the user's real name ) when upgrading the plug-in.

          Show
          salvojo John Salvo added a comment - - edited Can everyone experiencing this issue vote for this ? There are currently only 2 votes. There should not bee a need to change anything in config.xml ( e.g. changing from the domain user ID to the user's real name ) when upgrading the plug-in.
          Hide
          baptiste Baptiste Guillory added a comment -

          Same problem here...
          Hope the fix will be done quickly

          Show
          baptiste Baptiste Guillory added a comment - Same problem here... Hope the fix will be done quickly
          Hide
          engejon Jonathan Engel added a comment -

          Just experienced the same problem. We're also using Matrix security. 1.26 works fine, upgrading to 1.27 causes loss of admin rights. Reverted to 1.26 with no changes to config.xml and admin rights are back.

          Show
          engejon Jonathan Engel added a comment - Just experienced the same problem. We're also using Matrix security. 1.26 works fine, upgrading to 1.27 causes loss of admin rights. Reverted to 1.26 with no changes to config.xml and admin rights are back.
          jacob_robertson Jacob Robertson made changes -
          Labels plugin plugin security
          Assignee Kohsuke Kawaguchi [ kohsuke ]
          Hide
          jacob_robertson Jacob Robertson added a comment -

          More information: If I upgrade from 1.16 to 1.27 I get this error. I then change the lower.case names to Upper.Case names in config.xml and that works. Then, I went to the config screen and removed the domain name and saved, and then my Upper.Case names stopped working.

          Show
          jacob_robertson Jacob Robertson added a comment - More information: If I upgrade from 1.16 to 1.27 I get this error. I then change the lower.case names to Upper.Case names in config.xml and that works. Then, I went to the config screen and removed the domain name and saved, and then my Upper.Case names stopped working.
          Hide
          jacob_robertson Jacob Robertson added a comment -

          Even more info...

          Depending on whether I login by typing "Jacob.Robertson" or "jacob.robertson" it will give me different permissions, but in both cases it will properly authenticate me.

          Show
          jacob_robertson Jacob Robertson added a comment - Even more info... Depending on whether I login by typing "Jacob.Robertson" or "jacob.robertson" it will give me different permissions, but in both cases it will properly authenticate me.
          Hide
          lalmand Landis Almand added a comment -

          No user rights are granted, not just loss of Admin. Only anonymous rights are granted.
          Jenkins ver. 1.447.1

          Show
          lalmand Landis Almand added a comment - No user rights are granted, not just loss of Admin. Only anonymous rights are granted. Jenkins ver. 1.447.1
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          Argh. My 8b4c00a79201b605908d5d8983a7c719b0d645ff must have caused this. Fixing this now.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - Argh. My 8b4c00a79201b605908d5d8983a7c719b0d645ff must have caused this. Fixing this now.
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          Rolled back. Fixed for 1.28.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - Rolled back. Fixed for 1.28.
          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c
          Log:
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name."

          This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff.

          Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Kohsuke Kawaguchi Path: src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java http://jenkins-ci.org/commit/active-directory-plugin/15a8a87bc333a12ead447425075df3bdafd7625c Log: [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." This reverts commit 8b4c00a79201b605908d5d8983a7c719b0d645ff. Compare: https://github.com/jenkinsci/active-directory-plugin/compare/e8943e7...15a8a87
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          In 1.27, because of the 8b4c00a7 change mentioned above, Jenkins was logging users into their canonical names, like "Kohsuke Kawaguchi", instead of their user names, like "kkawaguchi". Most authorization strategies record users by their user names, so of course such change results in the permission losses.

          1.28 restores the previous behaviour. This unfortunately means for those who modified config.xml for 1.27 would have to redo that one more time. My apologies.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - In 1.27, because of the 8b4c00a7 change mentioned above, Jenkins was logging users into their canonical names, like "Kohsuke Kawaguchi", instead of their user names, like "kkawaguchi". Most authorization strategies record users by their user names, so of course such change results in the permission losses. 1.28 restores the previous behaviour. This unfortunately means for those who modified config.xml for 1.27 would have to redo that one more time. My apologies.
          Hide
          dogfood dogfood added a comment -

          Integrated in plugins_active-directory #63
          [FIXED JENKINS-13650] Revert "JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c)

          Result = SUCCESS
          Kohsuke Kawaguchi :
          Files :

          • src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          Show
          dogfood dogfood added a comment - Integrated in plugins_active-directory #63 [FIXED JENKINS-13650] Revert " JENKINS-12607 canonicalize the name." (Revision 15a8a87bc333a12ead447425075df3bdafd7625c) Result = SUCCESS Kohsuke Kawaguchi : Files : src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
          Hide
          salvojo John Salvo added a comment -

          Confirmed that 1.28 fixed this issue.

          Show
          salvojo John Salvo added a comment - Confirmed that 1.28 fixed this issue.
          Hide
          kohsuke Kohsuke Kawaguchi added a comment -

          Closing based on the last comment.

          Show
          kohsuke Kohsuke Kawaguchi added a comment - Closing based on the last comment.
          kohsuke Kohsuke Kawaguchi made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 144117 ] JNJira + In-Review [ 190917 ]

            People

            • Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              tomfanning Tom Fanning
            • Votes:
              9 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: