Question

我们使用带有Github身份验证插件和GitHub Committer授权策略的Jenkins Blue Ocean。整个多分支管道正常运行，包括从webhooks触发构建并为每个拉取请求强制执行jenkins状态检查。不在我们组织内的用户无权访问Jenkins。

问题是非管理员用户无法使用经典詹金斯打开任何作业。单击到工作名称后，他们将收到404而不是打开工作页面。当他们单击请求请求状态检查中的“详细信息”链接时，也会发生同样的情况。但是，他们可以从蓝海看到所有詹金斯的工作。

请注意，对于詹金斯（Jenkins）管理员，这两种方法始终都有效。

我已经尝试将非管理员用户添加为显式协作者，但没有任何效果（通常，我们的开发人员是开发团队的一部分，该团队可以访问存储库）。

编辑

仅供参考：我允许以下github范围：read:org,user:email（位于全局GitHub OAuth设置中）。

当用户尝试访问管道页面时，引发以下异常。我撤消了访问令牌，并从jenkins_home/users中删除了用户文件夹。从STD jenkins输出中获取例外。它也显示在配置页面的应用内登录中。

Nov 12, 2018 3:49:22 PM org.apache.http.client.protocol.ResponseProcessCookies processCookies
WARNING: Invalid cookie header: "Set-Cookie: has_recent_activity=1; path=/; expires=Mon, 12 Nov 2018 16:49:22 -0000". Invalid 'expires' attribute: Mon, 12 Nov 2018 16:49:22 -0000
Nov 12, 2018 3:49:22 PM com.squareup.okhttp.internal.Platform$JdkWithJettyBootPlatform getSelectedProtocol
INFO: ALPN callback dropped: SPDY and HTTP/2 are disabled. Is alpn-boot on the boot class path?
Nov 12, 2018 3:49:39 PM hudson.init.impl.InstallUncaughtExceptionHandler lambda$init$0
WARNING: null
java.lang.IllegalStateException: WRITER
        at org.eclipse.jetty.server.Response.getOutputStream(Response.java:917)
        at javax.servlet.ServletResponseWrapper.getOutputStream(ServletResponseWrapper.java:142)
        at org.kohsuke.stapler.compression.CompressionServletResponse.activate(CompressionServletResponse.java:61)
        at org.kohsuke.stapler.compression.CompressionFilter.activate(CompressionFilter.java:108)
        at org.kohsuke.stapler.ResponseImpl.getCompressedOutputStream(ResponseImpl.java:302)
        at org.kohsuke.stapler.jelly.DefaultScriptInvoker.createOutputStream(DefaultScriptInvoker.java:88)
        at org.kohsuke.stapler.jelly.DefaultScriptInvoker.createXMLOutput(DefaultScriptInvoker.java:68)
        at org.kohsuke.stapler.jelly.DefaultScriptInvoker.invokeScript(DefaultScriptInvoker.java:51)
        at org.kohsuke.stapler.jelly.JellyClassTearOff.serveIndexJelly(JellyClassTearOff.java:112)
        at org.kohsuke.stapler.jelly.JellyFacet.handleIndexRequest(JellyFacet.java:145)
        at org.kohsuke.stapler.IndexViewDispatcher.dispatch(IndexViewDispatcher.java:30)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:801)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
        at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:734)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:864)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:668)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:865)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1655)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
        at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:243)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
        at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
        at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:105)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
        at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1317)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1219)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
        at org.eclipse.jetty.server.Server.handle(Server.java:531)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:762)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:680)
        at java.lang.Thread.run(Thread.java:748)

Answer 1

这个问题是我们遇到的问题的非常准确的描述。讨论是https://issues.jenkins-ci.org/browse/JENKINS-54031 将以下内容添加到 JAVA_OPTS 对我们来说是一种解决方法：

-Dorg.kohsuke.stapler.jelly.DefaultScriptInvoker.compress=false
-Dhudson.model.AbstractItem.skipPermissionCheck=true
-Dhudson.model.Run.skipPermissionCheck=true

来自GitHub OATH的用户无法打开jenkins作业（错误404）

1 个答案: