Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-53188

New jobs created from Blue Ocean are tied with username that created them

    Details

    • Similar Issues:
    • Released As:
      1.13.1

      Description

      A colleague (let's say, username cadana) created a Multibranch Pipeline job from Blue Ocean, with Github SCM (username for SCM is not tied in any way with cadana) and now he left the company. I had to copy the job manually to "recreate" it, to lose the first owner that no longer exists to fix this error.

      A build log from a job:

      Started by user Laszlo, William Daniel
      [BFA] Scanning build for known causes...
      [BFA] No failure causes found
      [BFA] Done. 0s
      org.acegisecurity.userdetails.UsernameNotFoundException: User cadana not found in directory.
       at org.acegisecurity.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:126)
       at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1314)
       at hudson.security.LDAPSecurityRealm$LDAPUserDetailsService.loadUserByUsername(LDAPSecurityRealm.java:1251)
       at jenkins.security.ImpersonatingUserDetailsService.loadUserByUsername(ImpersonatingUserDetailsService.java:32)
       at hudson.model.User.getUserDetailsForImpersonation(User.java:349)
       at hudson.model.User.impersonate(User.java:329)
       at io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.getCredentials(BlueOceanCredentialsProvider.java:76)
       at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:413)
       at com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(CredentialsProvider.java:532)
       at org.jenkinsci.plugins.github_branch_source.Connector.lookupScanCredentials(Connector.java:234)
       at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1399)
       at jenkins.scm.api.SCMSource.fetch(SCMSource.java:566)
       at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:95)
       at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:303)
       at hudson.model.ResourceController.execute(ResourceController.java:97)
       at hudson.model.Executor.run(Executor.java:429)
      Finished: FAILURE
      

        Attachments

          Activity

          Show
          halkeye Gavin Mogan added a comment - https://github.com/jenkinsci/blueocean-plugin/pull/1915
          Hide
          halkeye Gavin Mogan added a comment -

          William Laszlo this was released on friday, so let me know if you continue to have problems once you upgrade (if you upgrade)

          Show
          halkeye Gavin Mogan added a comment - William Laszlo this was released on friday, so let me know if you continue to have problems once you upgrade (if you upgrade)
          Hide
          wlaszlo William Laszlo added a comment -

          Sure, thank you!
          Even if I make the update, I don't know when this would happen again to my team (when someone is deleted from LDAP). I really can't test it when I want. I hope that no-one will have this issue from now.

          I recreated the job when I figured out that I found a bug and I was able to run it. I can't confirm now that it's ok or not because I don't have anymore that original job.

          Show
          wlaszlo William Laszlo added a comment - Sure, thank you! Even if I make the update, I don't know when this would happen again to my team (when someone is deleted from LDAP). I really can't test it when I want. I hope that no-one will have this issue from now. I recreated the job when I figured out that I found a bug and I was able to run it. I can't confirm now that it's ok or not because I don't have anymore that original job.
          Hide
          cjharmath CJ Harmath added a comment -

          I've stumbled up this as I was curious how to setup a pipeline with a global credential instead of a user specific.

          Currently when a user creates a new pipeline at first time, he/she will be asked for a personal access token for github which then gets stored in the users credential.

          Since users can come and go, it would be more practical if an administrator can set the credential.

          This also has an added value of GitHub checks not showing the user who created the pipeline, but the user configured by the admin.

           

          Happy to submit a new issue.

           

          Thanks,

          CJ

          Show
          cjharmath CJ Harmath added a comment - I've stumbled up this as I was curious how to setup a pipeline with a global credential instead of a user specific. Currently when a user creates a new pipeline at first time, he/she will be asked for a personal access token for github which then gets stored in the users credential. Since users can come and go, it would be more practical if an administrator can set the credential. This also has an added value of GitHub checks not showing the user who created the pipeline, but the user configured by the admin.   Happy to submit a new issue.   Thanks, CJ
          Hide
          cjharmath CJ Harmath added a comment -

          This is how my job's config.xml starts

          <?xml version='1.1' encoding='UTF-8'?>
          <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin="workflow-multibranch@2.21">
            <actions/>
            <description>test</description>
            <properties>
              <io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl plugin="blueocean-pipeline-scm-api@1.14.0">
                <domain plugin="credentials@2.1.19">
                  <name>blueocean-folder-credential-domain</name>
                  <description>Blue Ocean Folder Credentials domain</description>
                  <specifications/>
                </domain>
                <user>testuser</user>
                <id>github-enterprise:bd08318e10264d38792523a9e76b6f818f8ec73616f7b13b99692ed940ce642c</id>
              </io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl>
              <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-model-definition@1.3.8">
                <dockerLabel></dockerLabel>
                <registry plugin="docker-commons@1.14"/>
              </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig>
            </properties>
          

          And I wonder if the BlueOceanCredentialProvider which references the testuser's credential can be changed to use the global credential instead.

          I already have a jenkins level github enterprise access token credential, so i would like to just use that.

          That token btw was issued to a service account which is also added on the GitHub Enterprise side with a nice Jenkins icon, so it looks much better than the pipeline creator's photo next to a Pull request check.

          I've just changed the testuser to jenkins user then updated the user level credential as well and it works, but it's hacky and too involved.

          Show
          cjharmath CJ Harmath added a comment - This is how my job's config.xml starts <?xml version= '1.1' encoding= 'UTF-8' ?> <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProject plugin= "workflow-multibranch@2.21" > <actions/> <description>test</description> <properties> <io.jenkins.blueocean. rest .impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl plugin= "blueocean-pipeline-scm-api@1.14.0" > <domain plugin= "credentials@2.1.19" > <name>blueocean-folder-credential-domain</name> <description>Blue Ocean Folder Credentials domain</description> <specifications/> </domain> <user>testuser</user> <id>github-enterprise:bd08318e10264d38792523a9e76b6f818f8ec73616f7b13b99692ed940ce642c</id> </io.jenkins.blueocean. rest .impl.pipeline.credential.BlueOceanCredentialsProvider_-FolderPropertyImpl> <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin= "pipeline-model-definition@1.3.8" > <dockerLabel></dockerLabel> <registry plugin= "docker-commons@1.14" /> </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig> </properties> And I wonder if the BlueOceanCredentialProvider which references the testuser's credential can be changed to use the global credential instead. I already have a jenkins level github enterprise access token credential, so i would like to just use that. That token btw was issued to a service account which is also added on the GitHub Enterprise side with a nice Jenkins icon, so it looks much better than the pipeline creator's photo next to a Pull request check. I've just changed the testuser to jenkins user then updated the user level credential as well and it works, but it's hacky and too involved.

            People

            • Assignee:
              halkeye Gavin Mogan
              Reporter:
              wlaszlo William Laszlo
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: