  1. Jenkins
  2. JENKINS-58967

Credentials not available after upgrade to LTS 2.176.2

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Not A Defect

      Description

      In a Multibranch pipeline we're using the withCredentials syntax in several places:

      withCredentials([usernamePassword(credentialsId: 'name-of-credentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
       // some block
      }

      This has worked fine for several weeks but since the upgrade we get:

      [Pipeline] withCredentials
      [Pipeline] // withCredentials
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] }
      [Pipeline] // stage
      [Pipeline] echo
      *15:07:06*  failed
      [Pipeline] }
      [Pipeline] // timestamps
      [Pipeline] }
      [Pipeline] // node
      [Pipeline] End of Pipeline
      [BFA] Scanning build for known causes...
      [BFA] No failure causes found
      [BFA] Done. 0s
      ERROR: Could not find credentials entry with ID 'name-of-credentials'
      Finished: FAILURE
      

      The pipeline has not changed, the credentials have not been updated.

      I have found that the snippet generator displays an empty drop down list when I start it from within the "trunk" directory of the Multibranch pipeline.

      At one point I added a new credential and limited it to the folder of the Multibranch pipeline.
      When I start the snippet generator in that directory the new credential as well as the old credentials are both visible.
      When I start the snippet generator at the top level only the old credential is visible (as expected).

      The problem is that within the branches (currently only trunk) of the multibranch pipeline the credentials are not visible.

          Activity

          jvz Matt Sicker added a comment -

          Sounds like this wasn't a regression then?

          kon Kalle Niemitalo added a comment -

          This seems to be working:

          • Add a "jenkins-build" user to the security realm.
          • Configure Authorize Project to run all builds as the "jenkins-build" user, without allowing per-job configuration.
          • Add -Dcom.cloudbees.plugins.credentials.UseItemPermission=true to the Java options of the Jenkins master.
          • Configure Role-based Authorization Strategy like this:
            • Define the global role "build" with only these global permissions:
              • Overall/Read (might not be necessary)
              • Credentials/UseItem (this requires the option that was set above)
              • Agent/Build
              • Job/Read
            • Assign the global role "build" to the user "jenkins-build".
          • Add a certificate credential to the global credential domain of a multibranch pipeline job.
          • Reference the credential using withCredentials in the Jenkinsfiles of branches of that job.

          If I then log in as the "jenkins-build" user, I do not see the credentials, because of the missing Credentials/View permission. However, the builds can use the credentials just fine.

          bram_mertens Bram Mertens added a comment -

          A colleague found out that the problem is caused by the fact that as part of the upgrade the build authorization was configured to run as a specific user.

          The user that is configured does not have the Jobs/Configure permission.

          If we grant that permission the job is able to get the credentials as before.

          We will investigate the different options described in the Credentials API user guide to avoid granting that user Jobs/Configure permission.
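
To compare the two setups described in the comments above (granting Job/Configure to the build user, or granting Credentials/UseItem with the UseItemPermission property set), an administrator can check what the build user is actually allowed to resolve. This is an added example for the Jenkins script console, not code from the issue or from the Jenkins project; the job name `my-multibranch/trunk` is a placeholder, and the item-level lookup only approximates what a running build sees.

```groovy
// Added diagnostic, not from the issue. Run in Manage Jenkins > Script Console.
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import hudson.model.Item
import hudson.model.User
import jenkins.model.Jenkins

def userId  = 'jenkins-build'          // build user named in the comment above
def jobName = 'my-multibranch/trunk'   // placeholder: full name of a branch job

Item item = Jenkins.get().getItemByFullName(jobName, Item)
User user = User.getById(userId, false)   // false: do not create a missing user
if (item == null || user == null) {
    println "Job '${jobName}' or user '${userId}' not found"
    return
}

// Authentication a build carries when Authorize Project runs it as this user.
// (Newer Jenkins releases also offer impersonate2()/hasPermission2().)
def auth = user.impersonate()
def acl  = item.getACL()

// Per the comments above: this property exposes Credentials/UseItem as its own
// permission; without it, Job/Configure is what lets a build use credentials.
def prop = 'com.cloudbees.plugins.credentials.UseItemPermission'
println "${prop} = ${Boolean.getBoolean(prop)}"

[
    'Job/Configure'      : Item.CONFIGURE,
    'Credentials/UseItem': CredentialsProvider.USE_ITEM,
    'Credentials/View'   : CredentialsProvider.VIEW,
].each { label, permission ->
    println "${label.padRight(20)} ${acl.hasPermission(auth, permission)}"
}

// IDs only (never secrets) of the credentials this user can resolve from the job.
def visible = CredentialsProvider.lookupCredentials(
        StandardCredentials, (Item) item, auth, Collections.emptyList())
println "Resolvable credential IDs: ${visible*.id}"
```

In the least-privilege setup, the expected result is `true` for Credentials/UseItem, `false` for Job/Configure and Credentials/View, and the ID used in `withCredentials` present in the last line.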

          bram_mertens Bram Mertens added a comment -

          I tried to downgrade the credentials and credentials binding plugins to credentials 2.2.0 and credentials binding 1.19 and even created a new credentials entry but the problem persists.

          bram_mertens Bram Mertens added a comment -

          The credentials test pipeline I created also works on another instance of the same LTS version.

          RHEL 7.6, jenkins-2.176.2-1.1.noarch

          Several plugins are slightly older. The ones that catch my eye are:

          credentials 2.2.0
          credentials-binding 1.19

          Versus on the jenkins master that fails:

          credentials 2.2.1
          credentials-binding 1.20


            People

            • Assignee: Unassigned
            • Reporter: bram_mertens Bram Mertens