  1. Jenkins
  2. JENKINS-44773

User Scoped credentials are not used by the "git" pipeline step

      Environment

      • Jenkins 2.46.2
      • credentials:2.1.13 'Credentials Plugin'
      • workflow-aggregator:2.5 'Pipeline'
      • workflow-api:2.12 'Pipeline: API'
      • workflow-basic-steps:2.4 'Pipeline: Basic Steps'
      • workflow-cps:2.29 'Pipeline: Groovy'
      • workflow-cps-checkpoint:2.4 'CloudBees Pipeline: Groovy Checkpoint Plugin'
      • workflow-cps-global-lib:2.7 'Pipeline: Shared Groovy Libraries'
      • workflow-durable-task-step:2.10 'Pipeline: Nodes and Processes'
      • workflow-job:2.10 'Pipeline: Job'
      • workflow-multibranch:2.14 'Pipeline: Multibranch'
      • workflow-scm-step:2.4 'Pipeline: SCM Step'
      • workflow-step-api:2.9 'Pipeline: Step API'
      • workflow-support:2.14 'Pipeline: Supporting APIs'

      Description

      When using the authorize project plugin,

      • User Scoped Credentials are not found by the "git" pipeline step.
      • Global Credentials overwritten by user scoped credentials are not overwritten by the "git" pipeline step.

      Reproduce

      • Install the Project Authorize Plugin and configure it "Run as user who triggered the build"
      • Create a global credential "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with valid credentials for a bitbucket server
      • Create user scoped credentials "global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope" with invalid username and invalid password
      • Create a pipeline with "git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/.....git'"
      • Run the build; it will succeed and the logs will show that the global creds have been used. A log message will show the valid username, proving that the user credentials have been ignored
      • Create user scoped credentials "user-scoped-bitbucket-creds" with valid credentials for a bitbucket server
      • Create a pipeline with "git credentialsId: 'user-scoped-bitbucket-creds', url: 'https://bitbucket.example.com/.....git'"
      • The job will fail with "authentication failed"

       

      node {
          // verify that the build is properly impersonated by the https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
          echo "Build is running as user " + org.acegisecurity.context.SecurityContextHolder.getContext().getAuthentication().toString()
          
          stage ("Global Credentials Overwritten at the user scope") {
              // credentials declared globally and overwritten by a user scoped credentials
              git credentialsId: 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
          }
          
          stage ("User Scoped Credentials") {
              // user scoped credentials
              git credentialsId: 'user-scoped-bitbucket-creds', url: 'https://bitbucket.example.com/scm/pet/spring-petclinic.git'
          }
      }
      
      Started by user admin
      [Pipeline] node
      Running on agent-1 in /home/ubuntu/agent-home/workspace/tests/user-scoped-credentials-pipeline-step-git
      [Pipeline] {
      [Pipeline] echo
      Build is running as user org.acegisecurity.providers.UsernamePasswordAuthenticationToken@965748a4: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
      [Pipeline] stage
      [Pipeline] { (Global Credentials Overwritten at the user scope)
      [Pipeline] git
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
      Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
       > git --version # timeout=10
      using GIT_ASKPASS to set credentials QAh4dAzetrEp global creds, not overwritten
       > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
       > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
       > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
      Checking out Revision fd1c742d4f8d193eb935519909c15302b783cd52 (refs/remotes/origin/master)
       > git config core.sparsecheckout # timeout=10
       > git checkout -f fd1c742d4f8d193eb935519909c15302b783cd52
       > git branch -a -v --no-abbrev # timeout=10
       > git branch -D master # timeout=10
       > git checkout -b master fd1c742d4f8d193eb935519909c15302b783cd52
       > git rev-list fd1c742d4f8d193eb935519909c15302b783cd52 # timeout=10
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] stage
      [Pipeline] { (User Scoped Credentials)
      [Pipeline] git
       > git rev-parse --is-inside-work-tree # timeout=10
      Fetching changes from the remote Git repository
       > git config remote.origin.url https://bitbucket.example.com/scm/pet/spring-petclinic.git # timeout=10
      Fetching upstream changes from https://bitbucket.example.com/scm/pet/spring-petclinic.git
       > git --version # timeout=10
       > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
      ERROR: Error fetching remote repo 'origin'
      hudson.plugins.git.GitException: Failed to fetch from https://bitbucket.example.com/scm/pet/spring-petclinic.git
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:806)
      	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1070)
      	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1101)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:109)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:83)
      	at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:73)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
      	at hudson.security.ACL.impersonate(ACL.java:260)
      	at org.jenkinsci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: fatal: Authentication failed for 'https://bitbucket.example.com/scm/pet/spring-petclinic.git/'
      
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:1793)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1519)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$300(CliGitAPIImpl.java:64)
      	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:315)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:153)
      	at hudson.remoting.UserRequest.perform(UserRequest.java:50)
      	at hudson.remoting.Request$2.run(Request.java:336)
      	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at ......remote call to agent-1(Native Method)
      	at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1545)
      	at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)
      	at hudson.remoting.Channel.call(Channel.java:830)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
      	at sun.reflect.GeneratedMethodAccessor769.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
      	at com.sun.proxy.$Proxy120.execute(Unknown Source)
      	at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:804)
      	... 13 more
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      ERROR: null
      Finished: FAILURE
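
A log check for the symptom visible in the console output above, as an added example that is not part of the original report or of any Jenkins plugin: per stage, it records the text logged after "to set credentials" and flags a `git fetch` that ran with no such line before it, which is what the second stage shows. The function names and the shortened sample log are constructed for illustration, and matching tokens other than `GIT_ASKPASS` is an assumption.

```python
import re

# Constructed sample: a shortened console log in the shape of the one in this report.
SAMPLE_LOG = """\
[Pipeline] { (Global Credentials Overwritten at the user scope)
[Pipeline] git
using GIT_ASKPASS to set credentials QAh4dAzetrEp global creds, not overwritten
 > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
[Pipeline] }
[Pipeline] { (User Scoped Credentials)
[Pipeline] git
 > git fetch --tags --progress https://bitbucket.example.com/scm/pet/spring-petclinic.git +refs/heads/*:refs/remotes/origin/*
stderr: fatal: Authentication failed for 'https://bitbucket.example.com/scm/pet/spring-petclinic.git/'
[Pipeline] }
"""

STAGE_RE = re.compile(r"^\[Pipeline\] \{ \((?P<name>.+)\)$")
# Only the GIT_ASKPASS form appears in the report; accepting any token there is an assumption.
CREDS_RE = re.compile(r"^using \S+ to set credentials\s*(?P<label>.*)$")
FETCH_RE = re.compile(r"^> git fetch\b")


def audit_git_credentials(log_text):
    """Return one record per stage: credential label logged, bare fetch, auth failure."""
    stages, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        stage = STAGE_RE.match(line)
        if stage:
            current = {"stage": stage.group("name"), "credentials": None,
                       "fetch_without_credentials": False, "auth_failed": False}
            stages.append(current)
        elif current is None:
            continue  # lines before the first named stage are ignored
        elif (creds := CREDS_RE.match(line)):
            current["credentials"] = creds.group("label")
        elif FETCH_RE.match(line) and current["credentials"] is None:
            current["fetch_without_credentials"] = True
        elif "Authentication failed for" in line:
            current["auth_failed"] = True
    return stages


def unresolved_credential_stages(log_text):
    """Stages whose git fetch ran with no preceding 'to set credentials' line."""
    return [s["stage"] for s in audit_git_credentials(log_text)
            if s["fetch_without_credentials"]]
```

A stage that logs a credential label other than the one the triggering user expected is the first symptom in the report; a stage listed by `unresolved_credential_stages` is the second.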
      

            Activity

            jvz Matt Sicker added a comment -

            There is now a new way to access user-scoped credentials detailed in JENKINS-58170 which uses credentials build parameters. These allow user-scoped credentials to be referenced in any context where you'd normally use the credentials id.

            jvz Matt Sicker added a comment -

            This feature can be replaced by JENKINS-58170 which provides a more standardized approach to granting user-scoped credentials to builds.

            markewaite Mark Waite added a comment -

            I am not trying to fix this at this time Hugo van den Brand.

            hvdbrand Hugo van den Brand added a comment -

            We are experiencing a similar issue with Folder scoped credentials.

            Anyone trying to fix this?

            jglick Jesse Glick added a comment -

            The behavior of checkout is almost certainly the same, since the git step is merely syntactic sugar and winds up calling the same code.


              People

              • Assignee: Unassigned
              • Reporter: cleclerc Cyrille Le Clerc
              • Votes: 6
              • Watchers: 12
