
Jenkins user permissions wiped on restart?

Tags: jenkins

I hope someone can point out some schoolboy error I'm making here as I'm about to lose my mind.

  • Fresh install of Jenkins jenkins-1.590-1.1.noarch.rpm on Red Hat from here
  • I can set up build jobs fine and they run as expected interacting with svn
  • I set up user access as described here on the Jenkins wiki
  • I can log in and out as I please, and all jobs still run fine
  • HOWEVER after a server restart I can still log in, but all my access permissions are gone (this happens to all users)

Any idea why the permissions are vanishing?

To get around this I have to clean out all users and set them up again, but these are again wiped on restart.

Thanks in advance

EDIT

I am using Jenkins' own user db and have tried both matrix-based permissions and project-based matrix authorisation.

After restart, when I try to access a Jenkins config page I get the error "t143ahe is missing the Overall/Administer permission"

My config.xml after restart is (Looks like I do have administer according to this):

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.0</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:T143AHE</permission>
    <permission>hudson.model.Computer.Build:T143AHE</permission>
    <permission>hudson.model.Computer.Configure:T143AHE</permission>
    <permission>hudson.model.Computer.Connect:T143AHE</permission>
    <permission>hudson.model.Computer.Create:T143AHE</permission>
    <permission>hudson.model.Computer.Delete:T143AHE</permission>
    <permission>hudson.model.Computer.Disconnect:T143AHE</permission>
    <permission>hudson.model.Hudson.Administer:T143AHE</permission>
    <permission>hudson.model.Hudson.ConfigureUpdateCenter:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Hudson.RunScripts:T143AHE</permission>
    <permission>hudson.model.Hudson.UploadPlugins:T143AHE</permission>
    <permission>hudson.model.Item.Build:T143AHE</permission>
    <permission>hudson.model.Item.Cancel:T143AHE</permission>
    <permission>hudson.model.Item.Configure:T143AHE</permission>
    <permission>hudson.model.Item.Create:T143AHE</permission>
    <permission>hudson.model.Item.Delete:T143AHE</permission>
    <permission>hudson.model.Item.Discover:T143AHE</permission>
    <permission>hudson.model.Item.Read:T143AHE</permission>
    <permission>hudson.model.Item.Workspace:T143AHE</permission>
    <permission>hudson.model.Run.Delete:T143AHE</permission>
    <permission>hudson.model.Run.Update:T143AHE</permission>
    <permission>hudson.model.View.Configure:T143AHE</permission>
    <permission>hudson.model.View.Create:T143AHE</permission>
    <permission>hudson.model.View.Delete:T143AHE</permission>
    <permission>hudson.model.View.Read:T143AHE</permission>
    <permission>hudson.scm.SCM.Tag:T143AHE</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>

My user specific config.xml is:

<user>
  <fullName>scribe1010</fullName>
  <properties>
    <hudson.model.PaneStatusProperties>
      <collapsed/>
    </hudson.model.PaneStatusProperties>
    <jenkins.security.ApiTokenProperty>
      <apiToken>lnqauTbOZ0xuAK9qBuh6/UG3RRmzN4mxkiSADlYmQD7jkqN1XswzKmqEOLpvBVsG</apiToken>
    </jenkins.security.ApiTokenProperty>
    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
    <hudson.model.MyViewsProperty>
      <views>
        <hudson.model.AllView>
          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
          <name>All</name>
          <filterExecutors>false</filterExecutors>
          <filterQueue>false</filterQueue>
          <properties class="hudson.model.View$PropertyList"/>
        </hudson.model.AllView>
      </views>
    </hudson.model.MyViewsProperty>
    <hudson.search.UserSearchProperty>
      <insensitiveSearch>false</insensitiveSearch>
    </hudson.search.UserSearchProperty>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$29UCLwZafb8TTSsGvsWYBunY034m1q.Wjgl5JfbCJR83Dcvvs1Dh2</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
    <hudson.tasks.Mailer_-UserProperty plugin="[email protected]">
      <emailAddress>[email protected]</emailAddress>
    </hudson.tasks.Mailer_-UserProperty>
    <jenkins.security.LastGrantedAuthoritiesProperty>
      <roles>
        <string>authenticated</string>
      </roles>
      <timestamp>1416992003750</timestamp>
    </jenkins.security.LastGrantedAuthoritiesProperty>
  </properties>
</user>

NOTE: Here the role is listed as 'authenticated' rather than anything like 'administrator' etc... (don't know if this is an issue or not).

EDIT 2 I've upgraded to the latest rpm but no fix.

scribe1010 asked Nov 25 '14 16:11


1 Answer

As suggested by Daniel in the comments, restricting usernames to lowercase (and potentially the extra configuration save) has done the trick and permissions now persist after a restart.

scribe1010 answered Oct 21 '22 04:10
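
An added example, not part of the original posts and not Jenkins code: the question's config.xml stores every grant under `T143AHE`, while the error after restart names `t143ahe`. The check below lists matrix SIDs that match a login id only when case is ignored; the function names and the list of login ids passed in are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Built-in Jenkins SIDs that are not user accounts.
BUILTIN_SIDS = {"anonymous", "authenticated"}

# Constructed sample: a trimmed excerpt of the config.xml posted in the question.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""


def permissions_by_sid(config_xml):
    """Map each SID in <authorizationStrategy> to its granted permissions."""
    root = ET.fromstring(config_xml)
    grants = defaultdict(list)
    for node in root.findall("./authorizationStrategy/permission"):
        # Entry format on the page: <permission id>:<sid>; split on the last colon.
        permission, _, sid = (node.text or "").strip().rpartition(":")
        if permission and sid:
            grants[sid].append(permission)
    return dict(grants)


def case_mismatches(config_xml, login_ids):
    """Return {login_id: [matrix SIDs equal to it only when case is ignored]}."""
    grants = permissions_by_sid(config_xml)
    report = {}
    for login in login_ids:
        near = [sid for sid in grants
                if sid not in BUILTIN_SIDS
                and sid != login and sid.lower() == login.lower()]
        if near:
            report[login] = near
    return report


if __name__ == "__main__":
    # "t143ahe" is the id Jenkins reported in the error message after restart.
    for login, sids in case_mismatches(SAMPLE_CONFIG, ["t143ahe"]).items():
        print(f"{login}: matrix grants are stored under {sids}")
```

An empty result means every grant is stored under exactly the id used at login; any hit is an entry to re-save in lowercase, as the answer describes.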