Lost access to publish releases for Crowd2 plugin

[DuMaM]

Service(s)

Artifactory

Summary

Hi,

I was trying to do a release of plugin which i maintain.
I double checked if I use correct encrypted password in settings.xml, and if everything works as it supposed to.
Sadly I do and I still have a "Unauthorized" error.
Could somebody help me?

[WARNING] The requested profile "consume-incrementals" could not be activated because it does not exist.
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project crowd2: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:crowd2:hpi:3.2.0 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/releases/): authentication failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/crowd2/3.2.0/crowd2-3.2.0.hpi, status: 401 Unauthorized -> [Help 1]

Reproduction steps

No response

[MarkEWaite]

The most likely issue is that the password is incorrect. Be sure that you've followed all the steps on the Artifactory Credentials for Maven page. The password to be encrypted is the password for your jenkins.io account, not the password for your GitHub account.

You can check that the password is working by running the command mvn deploy from a fresh copy of your plugin repository.

[dduportal]

Additional note: if you change your password on accounts.jenkins.io, you'll have to wait ~3 hours (worst case) until the maven repository is synchronised with the new credentials.

[DuMaM]

I changed it 2 weeks ago.

[dduportal]

@DuMaM could you also confirm that you carefully follow the instructions shared by Mark (https://www.jenkins.io/doc/developer/publishing/releasing-manually/#artifactory-credentials-for-maven) ?

[DuMaM]

I did it mulitple times, but i will try it out with curl today if i can log in

[lemeurherve]

@DuMaM did it worked?

[DuMaM]

Hi,
Sorry for delay.
I checked if i can login into ui -> yes i can.
Then I executed such curl, with output confirming my theory.

 ~/W/j/crowd2-plugin -> curl -u dumam:<nonencrypted_password> https://repo.jenkins-ci.org/setup/settings.xml                   
{
  "errors" : [ {
    "status" : 403,
    "message" : "Download request for repo:path 'setup:settings.xml' is forbidden for user: 'dumam'."
  } ]
}                                                                                                                                              

BTW I just noticed that according to tutorial here https://www.jenkins.io/doc/developer/publishing/releasing-manually/
In curl i should use a repo.jenkins-ci.org, but in settings xml there is maven.jenkins-ci.org.
Is it a problem?
I'm using repo.jenkins-ci.org

[DuMaM]

I guess this could be connected with changes around my account done recently.
#3107

[dduportal]

Hi @DuMaM . So I've checked your accounts on the different systems involved here:

• Your account on accounts.jenkins.io was marked as "unverified email" (in our Keycloak backend). That issue happens some time to time so I've removed this state: that should unlock your account during the next sync. to artifactory.
• On artifactory side, the permissions looks correct: you get the permissions for the crowd2 plugin deployment.

I've triggered a manual build of the RPU ("repository permission updater"), to avoid waiting for 3 hours: I'll report the result here before asking you to try again.

[DuMaM]

Ok. I will wait for information:)

[dduportal]

@DuMaM the job ran successfully but no mention of any password synchronization.

Can you confirm that you are able to log-in to repo.jenkins-ci.org with your account's credentials?

Side note: The URL https://repo.jenkins-ci.org/setup/settings.xml is not expected to accept an authentication only based on username + password: it is a full webservice that requires a web token (I assume JWT, or anything like this) to avoid CSRF.
I got the same 403 error as your even with a correctly configured credentials.

You can test authentication with the URL of an artifact though (like Maven would do):

• curl -v -u "dduportal:${ARTIFACTORY_PASSWORD}" https://repo.jenkins-ci.org/public/org/jenkins-ci/plugins/plugin/1.419/plugin-1.419.pom answers 200
• curl -v -u "notexisting:${ARTIFACTORY_PASSWORD}" https://repo.jenkins-ci.org/public/org/jenkins-ci/plugins/plugin/1.419/plugin-1.419.pom answers 401 as expected

[dduportal]

Side note: The URL https://repo.jenkins-ci.org/setup/settings.xml is not expected to accept an authentication only based on username + password: it is a full webservice that requires a web token (I assume JWT, or anything like this) to avoid CSRF. I got the same 403 error as your even with a correctly configured credentials.

My bad: I realize that it is what the documentation tells you to do. Can you try with the UI setup instead please?

cc @daniel-beck sorry to bother you with this but the step https://www.jenkins.io/doc/developer/publishing/releasing-manually/#using-curl is not working for me, same 403 error as @DuMaM , while the UI thing works very well (just tested).

[DuMaM]

@DuMaM the job ran successfully but no mention of any password synchronization.

Roger

Can you confirm that you are able to log-in to repo.jenkins-ci.org with your account's credentials?

Yes, I can.

You can test authentication with the URL of an artifact though (like Maven would do):

Success here.

My bad: I realize that it is what the documentation tells you to do. Can you try with the UI setup instead please?

At first I followed manual tutorial. I got rejected. I assumed that something is wrong with my manual setup.
Then I tried one from Set me up page in artifactory and also without luck. Then I came here. :)

So far so good. 👍 Thanks @dduportal
I will try perform release tomorrow. I have all setup on my other machine.

[dduportal]

@DuMaM thanks for re-testing and confirming! I'll close the issue (as no more action are required from the Jenkins Infra team as far as I can tell), feel free to reopen if you see any other issue.

[dduportal]

I've opened jenkins-infra/jenkins.io#5609 to track the plugin documentation's problem.

[dduportal]

Post-note: the curl step was failing due to a missing permission in Artifactory's administration. Fixed by @daniel-beck . Many thanks!

[DuMaM]

I tried to deploy plugin today. Sadly its still dont work for me.
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.8.2:deploy (default-deploy) on project crowd2: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:crowd2:hpi:3.2.0 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/releases/): authentication failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/crowd2/3.2.0/crowd2-3.2.0.hpi, status: 401 Unauthorized -> [Help 1]

I checked with gui settings, with encrypted password, with unencrypted password and still nothing. 😢
Maybe there are some project settings which locks me to do this.

[DuMaM]

settings xml

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                    http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <servers>
        <server>
            <id>repo.jenkins-ci.org</id>
            <username>dumam</username>
            <password>my_pass</password>
        </server>
    </servers>

    <profiles>
        <!-- Give access to Jenkins plugins -->
        <profile>
            <id>jenkins</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>

            <repositories>
                <repository>
                    <id>repo.jenkins-ci.org</id>
                    <url>https://repo.jenkins-ci.org/public/</url>
                </repository>
            </repositories>

            <pluginRepositories>
                <pluginRepository>
                    <id>repo.jenkins-ci.org</id>
                    <url>https://repo.jenkins-ci.org/public/</url>
                </pluginRepository>
            </pluginRepositories>
        </profile>
    </profiles>
    <activeProfiles>
        <activeProfile>jenkins</activeProfile>
    </activeProfiles>
</settings>

[DuMaM]

Small update:
curl -u dumam:<nonencrypted_password> https://repo.jenkins-ci.org/setup/settings.xml
This works for me now

[DuMaM]

@dduportal could you reopen this ticket?

[daniel-beck]

status: 401 Unauthorized

This means Maven doesn't send credentials, or that they're wrong. Make sure you're using the encrypted password provided by Artifactory using the (newly working) curl approach (or from the file generated via the UI).

[DuMaM]

I used config returned by curl for this, and still i have the same output

[DuMaM]

So this means something is wrong in my pom.xml
https://github.com/jenkinsci/crowd2-plugin/blob/master/pom.xml

or
settings xml
#3158 (comment)

[DuMaM]

ok, i fixed ci for my plugin. there was some problems with 4.43.1 parent pom xml. After i downgraded to 4.42 everything started to work as it was before and i was able to release plugin.