Configuration-as-code-plugin: java.lang.IllegalArgumentException: Permission can not be null for sid:[USERNAME]

Created on 15 Jan 2019  路  15Comments  路  Source: jenkinsci/configuration-as-code-plugin

Jenkins version 2.158
Plugin version: 1.4 (incl CasC-Support)
OS: Jenkins:2.158/Docker Image

Starting a new docker container based on the Official Jenkins Docker Image fails when I have specifiv users listed. If I only have anonymous listed, it works. Prior to upgrading Jenkins+plugins the complete permissions-list worked fine.

jenkins:
  authorizationStrategy:
    globalMatrix:
      grantedPermissions:
        - "Overall/Administer:anonymous"
        ... [Bunch of permissions for anonymous]
        - "Overall/Administer:[USERNAME]"
        ... [Bunch of permissions for USERNAME]

Exception:

java.lang.IllegalArgumentException: Permission can not be null for sid:[USERNAME]
    at hudson.security.GlobalMatrixAuthorizationStrategy.add(GlobalMatrixAuthorizationStrategy.java:94)
    at io.jenkins.plugins.casc.support.matrixauth.MatrixAuthorizationStrategyConfigurator.lambda$setGrantedPermissions$2(MatrixAuthorizationStrategyConfigurator.java:57)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at io.jenkins.plugins.casc.support.matrixauth.MatrixAuthorizationStrategyConfigurator.setGrantedPermissions(MatrixAuthorizationStrategyConfigurator.java:54)
    at io.jenkins.plugins.casc.Attribute.setValue(Attribute.java:170)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:355)
Caused: io.jenkins.plugins.casc.ConfiguratorException: string: Failed to set attribute grantedPermissions(class: class java.lang.String, multiple: true)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:357)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:273)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.configure(HeteroDescribableConfigurator.java:96)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:101)
    at io.jenkins.plugins.casc.impl.configurators.HeteroDescribableConfigurator.check(HeteroDescribableConfigurator.java:43)
    at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:349)
    at io.jenkins.plugins.casc.BaseConfigurator.check(BaseConfigurator.java:284)
    at io.jenkins.plugins.casc.ConfigurationAsCode.lambda$checkWith$8(ConfigurationAsCode.java:657)
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:620)
Caused: io.jenkins.plugins.casc.ConfiguratorException: jenkins: error configuring 'jenkins' with class io.jenkins.plugins.casc.core.JenkinsConfigurator configurator
    at io.jenkins.plugins.casc.ConfigurationAsCode.invokeWith(ConfigurationAsCode.java:626)
    at io.jenkins.plugins.casc.ConfigurationAsCode.checkWith(ConfigurationAsCode.java:657)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:642)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:545)
    at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:275)
    at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:267)
Caused: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
Caused: java.lang.Error
    at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:110)
    at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
    at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
    at jenkins.model.Jenkins$5.runTask(Jenkins.java:1083)
    at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
    at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused: org.jvnet.hudson.reactor.ReactorException
    at org.jvnet.hudson.reactor.Reactor.execute(Reactor.java:282)
    at jenkins.InitReactorRunner.run(InitReactorRunner.java:48)
    at jenkins.model.Jenkins.executeReactor(Jenkins.java:1117)
    at jenkins.model.Jenkins.<init>(Jenkins.java:921)
    at hudson.model.Hudson.<init>(Hudson.java:85)
    at hudson.model.Hudson.<init>(Hudson.java:81)
    at hudson.WebAppMain$3.run(WebAppMain.java:233)
Caused: hudson.util.HudsonFailedToLoad
    at hudson.WebAppMain$3.run(WebAppMain.java:250)

All 15 comments

This issue is not related to CasC as first thought. Going on a hunt for other updated plugins..

My guess is that it's related to the implementation in the CasC-support plugin?

I'm running into the exact same issue.

In our case, we're porting an existing set-up to CasC, we have Github-oauth plugin installed, and are using Github groups to authorize people, for example:

com.cloudbees.plugins.credentials.CredentialsProvider.Create:blendle*Our Jenkins Group

This works in our current setup, but causes the issue described above when porting to CasC.

Even when using the "export" feature, it still shows the same error when trying to reuse that.

Even when using the following plugin versions (I also tried using the latest versions):

  • configuration-as-code:1.0
  • configuration-as-code-support:1.0

And using the jenkins/jenkins:2.153-alpine (which is the version before the CVE release that @jonbrohauge linked to),

I still get the same error, using this config:

jenkins:
  authorizationStrategy:
    globalMatrix:
      grantedPermissions:
        - "Permission[class hudson.model.View]:JeanMertz"
Caused by: java.lang.IllegalArgumentException: Permission can not be null for sid:JeanMertz
        at hudson.security.GlobalMatrixAuthorizationStrategy.add(GlobalMatrixAuthorizationStrategy.java:94)
        at io.jenkins.plugins.casc.support.matrixauth.MatrixAuthorizationStrategyConfigurator.lambda$setGrantedPermissions$2(MatrixAuthorizationStrategyConfigurator.java:57)
        at java.util.ArrayList.forEach(ArrayList.java:1257)
        at io.jenkins.plugins.casc.support.matrixauth.MatrixAuthorizationStrategyConfigurator.setGrantedPermissions(MatrixAuthorizationStrategyConfigurator.java:54)
        at io.jenkins.plugins.casc.Attribute.setValue(Attribute.java:162)
        at io.jenkins.plugins.casc.BaseConfigurator.configure(BaseConfigurator.java:337)
        ... 26 more

Diving a bit deeper. It looks like the PermissionFinder returns null:

https://github.com/jenkinsci/configuration-as-code-plugin/blob/f857cab4172a73959a2cd20524bb2afa58ac044b/plugin/src/main/java/io/jenkins/plugins/casc/util/PermissionFinder.java#L42-L63

So, simplifying my set-up, this works:

jenkins:
  authorizationStrategy:
    globalMatrix:
      grantedPermissions:
        - "Overall/Read:JeanMertz"
        - "Overall/Read:blendle*Our Jenkins Group"

So the plugin works, it's just that you can't:

  1. copy the setup from your existing config.xml and expect things to work
  2. nor can you export the config from the Jenkins UI using the CasC export feature and expect things to work

You'll have to manually add the permissions, using the correct patterns (I haven't done so yet, so I'm assuming that's possible, and I won't run into a related issue).

So, yes, things work as expected, you just need to be sure to use the right naming scheme.

See here for more details:

https://wiki.jenkins.io/display/JENKINS/Matrix-based+security

Basically, you have to use GROUP/PERMISSION:NAME. The groups and permissions are listed on the above linked page.

thanks @JeanMertz - I'll keep the issue open since the documentation update seems to be needed (https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos/global-matrix-auth)

I might be blind, but I don't see the difference between my jcasc.yaml file and yours, @JeanMertz. I have used my yaml-file since the Alpha-days of the plugin... And I wrote the docs on this part, originally.
My config:

jenkins:
  authorizationStrategy:
    globalMatrix:
      grantedPermissions:
        - "Overall/Administer:anonymous"
        - "Overall/Administer:[USERNAME]"

Your config:

jenkins:
  authorizationStrategy:
    globalMatrix:
      grantedPermissions:
        - "Overall/Read:JeanMertz"
        - "Overall/Read:blendle*Our Jenkins Group"

Is that all you have in your grantedPermissions array @jonbrohauge?

Once I resolved all strings in the array to correct name schemes (I have about 30 in there), things worked as expected for me.

Hmm.. I have quite a few more than the two.
I'll have stab at rewriting the permissions after next week some time. I have a weeks vacation coming up.

After painstakingly adding permissions one line at a time, it appears that a plugin has removed one permission entry without notification. Thanks to the JFrog/Artifactory Plugin :-1:

would be really nice if export used the correct permission names right away...

IIRC there is a PR to fix this by @ndeloof pending at the appropriate plugin

Was this page helpful?
0 / 5 - 0 ratings