Reputation: 213
I hope someone can point out some schoolboy error I'm making here as I'm about to lose my mind.
Any idea why the permissions are vanishing?
To get around this I have to clean out all users and set them up again, but these are again wiped on restart.
Thanks in advance
EDIT
I am using Jenkins' own user db and have tried both matrix-based permissions and project-based matrix authorisation.
After restart, when I try to access a Jenkins config page I get the error "t143ahe is missing the Overall/Administer permission".
My config.xml after restart is (Looks like I do have administer according to this):
<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.0</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:T143AHE</permission>
    <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:T143AHE</permission>
    <permission>hudson.model.Computer.Build:T143AHE</permission>
    <permission>hudson.model.Computer.Configure:T143AHE</permission>
    <permission>hudson.model.Computer.Connect:T143AHE</permission>
    <permission>hudson.model.Computer.Create:T143AHE</permission>
    <permission>hudson.model.Computer.Delete:T143AHE</permission>
    <permission>hudson.model.Computer.Disconnect:T143AHE</permission>
    <permission>hudson.model.Hudson.Administer:T143AHE</permission>
    <permission>hudson.model.Hudson.ConfigureUpdateCenter:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Hudson.RunScripts:T143AHE</permission>
    <permission>hudson.model.Hudson.UploadPlugins:T143AHE</permission>
    <permission>hudson.model.Item.Build:T143AHE</permission>
    <permission>hudson.model.Item.Cancel:T143AHE</permission>
    <permission>hudson.model.Item.Configure:T143AHE</permission>
    <permission>hudson.model.Item.Create:T143AHE</permission>
    <permission>hudson.model.Item.Delete:T143AHE</permission>
    <permission>hudson.model.Item.Discover:T143AHE</permission>
    <permission>hudson.model.Item.Read:T143AHE</permission>
    <permission>hudson.model.Item.Workspace:T143AHE</permission>
    <permission>hudson.model.Run.Delete:T143AHE</permission>
    <permission>hudson.model.Run.Update:T143AHE</permission>
    <permission>hudson.model.View.Configure:T143AHE</permission>
    <permission>hudson.model.View.Create:T143AHE</permission>
    <permission>hudson.model.View.Delete:T143AHE</permission>
    <permission>hudson.model.View.Read:T143AHE</permission>
    <permission>hudson.scm.SCM.Tag:T143AHE</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <slaves/>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>0</slaveAgentPort>
  <label></label>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>
My user specific config.xml is:
<user>
  <fullName>scribe1010</fullName>
  <properties>
    <hudson.model.PaneStatusProperties>
      <collapsed/>
    </hudson.model.PaneStatusProperties>
    <jenkins.security.ApiTokenProperty>
      <apiToken>lnqauTbOZ0xuAK9qBuh6/UG3RRmzN4mxkiSADlYmQD7jkqN1XswzKmqEOLpvBVsG</apiToken>
    </jenkins.security.ApiTokenProperty>
    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="[email protected]">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
    <hudson.model.MyViewsProperty>
      <views>
        <hudson.model.AllView>
          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
          <name>All</name>
          <filterExecutors>false</filterExecutors>
          <filterQueue>false</filterQueue>
          <properties class="hudson.model.View$PropertyList"/>
        </hudson.model.AllView>
      </views>
    </hudson.model.MyViewsProperty>
    <hudson.search.UserSearchProperty>
      <insensitiveSearch>false</insensitiveSearch>
    </hudson.search.UserSearchProperty>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$29UCLwZafb8TTSsGvsWYBunY034m1q.Wjgl5JfbCJR83Dcvvs1Dh2</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
    <hudson.tasks.Mailer_-UserProperty plugin="[email protected]">
      <emailAddress>[email protected]</emailAddress>
    </hudson.tasks.Mailer_-UserProperty>
    <jenkins.security.LastGrantedAuthoritiesProperty>
      <roles>
        <string>authenticated</string>
      </roles>
      <timestamp>1416992003750</timestamp>
    </jenkins.security.LastGrantedAuthoritiesProperty>
  </properties>
</user>
NOTE: Here the role is listed as 'authenticated' rather than anything like 'administrator' etc. (don't know if this is an issue or not).
EDIT 2: I've upgraded to the latest rpm but no fix.
Upvotes: 6
Views: 7143
Reputation: 1
I found that my instance of Jenkins (running on Docker, although I think this is irrelevant) had an initialization script called security.groovy under the $JENKINS_HOME/init.groovy.d directory.
This file was forcing a security realm strategy and authorization strategy (perhaps overriding your own).
Perhaps check that out, hope it helps!
Upvotes: 0
Reputation: 213
As suggested by Daniel in the comments, restricting usernames to lowercase (and potentially the extra configuration save) has done the trick and permissions now persist after a restart.
Upvotes: 6
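As an added diagnostic for the symptom the accepted answer resolved (this is not code from the thread): the script parses the matrix grants in a Jenkins config.xml, reports sids that differ from a stored user id only by case, and rewrites them to the stored spelling. CONFIG_XML and KNOWN_USERS are constructed samples modelled on the question's config and error message.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the config.xml posted in the question.
CONFIG_XML = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:T143AHE</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>
"""
# Constructed: user ids as stored under $JENKINS_HOME/users (the error in the
# question names the user as "t143ahe", lowercase).
KNOWN_USERS = ["t143ahe", "scribe1010"]
BUILTIN_SIDS = {"anonymous", "authenticated"}  # special sids, never user ids


def parse_grants(config_xml):
    """Return {sid: [permission, ...]} from the matrix authorization strategy."""
    grants = {}
    for node in ET.fromstring(config_xml).findall("./authorizationStrategy/permission"):
        perm, _, sid = node.text.strip().rpartition(":")
        grants.setdefault(sid, []).append(perm)
    return grants


def find_case_mismatches(grants, known_users):
    """Return [(sid_in_config, stored_user_id)] for sids that differ from a
    stored user id only by case: under a case-sensitive match such a grant
    never applies to the user, which is the symptom the accepted answer fixed."""
    by_lower = {u.lower(): u for u in known_users}
    return [(sid, by_lower[sid.lower()]) for sid in grants
            if sid not in BUILTIN_SIDS and sid not in known_users
            and sid.lower() in by_lower]


def normalize_sids(config_xml, mismatches):
    """Return config.xml text with each mismatched sid rewritten to the stored id."""
    root = ET.fromstring(config_xml)
    fix = dict(mismatches)
    for node in root.findall("./authorizationStrategy/permission"):
        perm, _, sid = node.text.strip().rpartition(":")
        if sid in fix:
            node.text = f"{perm}:{fix[sid]}"
    return ET.tostring(root, encoding="unicode")
```

Run it against a backup copy of config.xml and the directory names under $JENKINS_HOME/users; an empty result from find_case_mismatches means the grants and user ids already agree.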