puppet-jenkins
puppet-jenkins copied to clipboard
voxpupuli
Initial setup fail to create user - ERROR: anonymous is missing the Overall/Read permission
With [part of] the manifest looking like this:
$adm_pw = hiera('jenkins_admin_user', undef)
[...]
user_hash => {
'admin' => {
'password' => "$adm_pw",
'email' => '[email protected]'
}
},
I get:
Notice: /Stage[main]/Jenkins::Users/Jenkins::User[admin]/Jenkins::Cli::Exec[create-jenkins-user-admin]/Exec[create-jenkins-user-admin]/returns:
Notice: /Stage[main]/Jenkins::Users/Jenkins::User[admin]/Jenkins::Cli::Exec[create-jenkins-user-admin]/Exec[create-jenkins-user-admin]/returns: ERROR: anonymous is missing the Overall/Read permission
Error: /usr/bin/java -jar /usr/share/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 groovy /usr/share/jenkins/puppet_helper.groovy create_or_update_user admin [email protected] 'secret' 'Managed by Puppet' '' returned 6 instead of one of [0]
Error: /Stage[main]/Jenkins::Users/Jenkins::User[admin]/Jenkins::Cli::Exec[create-jenkins-user-admin]/Exec[create-jenkins-user-admin]/returns: change from notrun to 0 failed: /usr/bin/java -jar /usr/share/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 groovy /usr/share/jenkins/puppet_helper.groovy create_or_update_user admin [email protected] 'secret' 'Managed by Puppet' '' returned 6 instead of one of [0]
If this is an existing jenkins install, It looks like there has been some security configuration.
The likely issue is the installation of Jenkins 2.x. The default authorizationStrategy has changed to FullControlOnceLoggedInAuthorizationStrategy and not AuthorizationStrategy$Unsecured.
I confirmed what @stanchan said above--changing the auth strategy to AuthorizationStrategy$Unsecured and security realm to SecurityRealm$None manually in config.xml fixed this error on re-run.
Seems like a chicken/egg issue: we need to change the auth strategy to gain permissions to use the CLI, but we use the CLI to change the auth strategy. Anyone have any suggestions other than managing confix.xml through a template?
@jhoblitt running on CentOS.
What I have been doing with the 2.x release has been to perform a 3 pass puppet run, first by running the puppet-jenkins module with the jenkins service 'stopped', followed by updating the config.xml with the AuthorizationStrategy$Unsecured and SecurityRealm$None settings, running through the module again, then followed by changing the config.xml with and ldap/matrix setup. Not optimal, but it got me through. Looking at possibly handling this inside the module, but I'm not too familiar with the code, so it will take me some time to ramp up.
@jhoblitt I am running on Ubuntu FWIW.
I considered the 3-step approach but didn't really feel comfortable spending much time doing that when it feels temporary. I think a good approach might be to set a phantom user via command line params:
--argumentsRealm.roles.$ADMIN_USER=admin
--argumentsRealm.passwd.$ADMIN_USER
And use the phantom user above to secure any CLI commands prior to creating any users.
@stanchan This module should be working with jenkins 2.x on el/centos. What version are you using?
@imdevin567 The issue with debian* is that the packaging auto starts the jenkins service. If this happens before puppet has written out the daemon arguments, jenkins 2.x will auto mangle the auth setup. The core issue is the debian packaging guidelines and I don't think there is much we can reasonable do except not use the official jenkins .debs.
@jhoblitt Got it, that makes sense.
I have been able to install .deb packages without starting daemons by setting the env var RUNLEVEL=1 during the install. i.e. RUNLEVEL=1 apt-get install -y jenkins works perfectly and doesn't start the daemon.
Unfortunately, there's an open ticket for setting env vars for the package type. Not sure what your thoughts are on a workaround for now, maybe by installing using exec rather than package for debian OSes?
@imdevin567 it appears that addressing the issue has been punted to puppet 5.x. exec sounds like the only reasonable option.
@jhoblitt I can probably take a stab at this unless someone else wants to. It's blocking some of the work slated for our current sprint, so I should be able to develop and test fairly quickly.
It may be worth raising this issue on the dev list. Someone might have an out-of-tree provider.
This is hack that I made to fix this issue on my Debian Jessie dev box. Idea is simple - generate SSH key and update admin account, so jenkins can again use CLI.
https://bitbucket.org/TomekUrug/jenkins-puppet-debian-hack/src/
This https://github.com/jenkinsci/puppet-jenkins/issues/761 pull request adds support for bootstrapping automation users in Jenkins 2.0 which should fix this issue.
@elconas I tried using your branch from #761 but still got this error.
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns:
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: ERROR: anonymous is missing the Overall/Read permission
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: Aug 02, 2017 7:26:04 AM hudson.cli.CLI$5 run
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: WARNING: null
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: java.io.IOException: Stream is closed
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at sun.net.www.protocol.http.HttpURLConnection$StreamingOutputStream.checkError(HttpURLConnection.java:3512)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at sun.net.www.protocol.http.HttpURLConnection$StreamingOutputStream.write(HttpURLConnection.java:3486)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at java.io.DataOutputStream.writeInt(DataOutputStream.java:197)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at hudson.cli.PlainCLIProtocol$EitherSide.send(PlainCLIProtocol.java:188)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at hudson.cli.PlainCLIProtocol$EitherSide.send(PlainCLIProtocol.java:195)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at hudson.cli.PlainCLIProtocol$EitherSide$1.write(PlainCLIProtocol.java:215)
Notice: /Stage[main]/Role::Jenkins/Jenkins::Credentials[deploy-key]/Jenkins::Cli::Exec[create-jenkins-credentials-deploy-key]/Exec[create-jenkins-credentials-deploy-key]/returns: at hudson.cli.CLI$5.run(CLI.java:677)
I also experience this problem (specifying a user_hash results in a message "anonymous is missing the Overall/Read permission"). What is the current way to go to configure a initial admin login/password for a instance?
I just ran into this as well with a fresh install. I attempted to configure the security settings like so:
The only other action I had taken before this was to disable CLI over remoting. I can no longer configure the server and am unsure how to proceed.
Is there any progress on this? I wish I knew any Ruby so I could help, but I don't... :(.