jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Cannot find local user with latest plugin #155

Open strobeti opened 3 years ago

strobeti commented 3 years ago

We are using local Jenkins users to connect agents via swarm. With the latest version this fails as the user is not created.

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.2
azure-ad:175.v5513346d764a
---
Parameterized-Remote-Trigger:3.1.5.1
ace-editor:1.1
amazon-ecr:1.6
analysis-model-api:10.2.5
ansicolor:1.0.0
ant:1.11
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.10.6
audit-trail:3.8
authentication-tokens:1.4
authorize-project:1.4.0
aws-credentials:1.29
aws-java-sdk:1.11.995
azure-ad:175.v5513346d764a
azure-sdk:23.v5682688d0eef
badge:1.8
basic-branch-build-strategies:1.3.2
bitbucket:1.1.29
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.7
blueocean-commons:1.24.7
blueocean-config:1.24.7
blueocean-core-js:1.24.7
blueocean-dashboard:1.24.7
blueocean-display-url:2.4.1
blueocean-events:1.24.7
blueocean-git-pipeline:1.24.7
blueocean-github-pipeline:1.24.7
blueocean-i18n:1.24.7
blueocean-jwt:1.24.7
blueocean-personalization:1.24.7
blueocean-pipeline-api-impl:1.24.7
blueocean-pipeline-editor:1.24.7
blueocean-pipeline-scm-api:1.24.7
blueocean-rest-impl:1.24.7
blueocean-rest:1.24.7
blueocean-web:1.24.7
blueocean:1.24.7
bootstrap4-api:4.6.0-3
bootstrap5-api:5.0.1-2
bouncycastle-api:2.20
branch-api:2.6.4
build-failure-analyzer:2.0.0
build-metrics:1.3
build-monitor-plugin:1.12+build.201809061734
build-timeout:1.20
caffeine-api:2.9.1-23.v51c4e2c879c8
checks-api:1.7.0
cloudbees-bitbucket-branch-source:2.9.9
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.15
cobertura:1.16
code-coverage-api:1.4.0
command-launcher:1.6
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code-groovy:1.2-SNAPSHOT
configuration-as-code-secret-ssm:1.0.1
configuration-as-code:1.51
copyartifact:1.46.1
credentials-binding:1.27
credentials:2.5
data-tables-api:1.10.25-1
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
doxygen:0.18
dtkit-api:3.0.0
durable-task:1.37
echarts-api:5.1.2-2
email-ext:2.83
extended-read-permission:3.2
external-monitor-job:1.4
favorite:2.3.3
font-awesome-api:5.15.3-3
forensics-api:1.2.0
generic-webhook-trigger:1.74
ghprb:1.42.2
git-client:3.7.2
git-forensics:1.1.0
git-parameter:0.9.13
git-server:1.10
git:4.7.2
github-api:1.123
github-branch-source:2.11.1
github:1.33.1
global-build-stats:1.5
gradle:1.37.1
groovy-postbuild:2.5
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
hashicorp-vault-plugin:3.8.0
htmlpublisher:1.25
http-post:1.2
http_request:1.9.0
influxdb:2.6.0.0.4
ivy:2.1
jackson2-api:2.12.3
javadoc:1.6
jdk-tool:1.0
jenkins-design-language:1.24.7
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
jobConfigHistory:2.28
jquery3-api:3.6.0-1
jquery:1.12.4-1
jsch:0.1.55.2
junit-realtime-test-reporter:0.6
junit:1.51
ldap:2.0
lockable-resources:2.11
mailer:1.34
matlab:2.5.1
matrix-auth:2.6.7
matrix-project:1.19
maven-plugin:3.12
mercurial:2.15
metrics:4.0.2.8
momentjs:1.1.1
monitoring:1.87.0
multibranch-scan-webhook-trigger:1.0.9
oic-auth:1.8
okhttp-api:3.14.9
pam-auth:1.5.1
parameterized-trigger:2.41
pipeline-build-step:2.13
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.8.5
pipeline-model-definition:1.8.5
pipeline-model-extensions:1.8.5
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.8.5
pipeline-stage-view:2.19
pipeline-utility-steps:2.8.0
plain-credentials:1.7
plot:2.1.9
plugin-util-api:2.3.0
popper-api:1.16.1-2
popper2-api:2.5.4-2
prometheus:2.0.7
prqa-plugin:3.3.3
pubsub-light:1.16
python:1.3
rebuild:1.32
resource-disposer:0.16
role-strategy:3.1.1
run-condition:1.5
scm-api:2.6.4
scmskip:1.0.3
script-security:1.77
slack:2.48
snakeyaml-api:1.29.1
sonar:2.13.1
sse-gateway:1.24
ssh-credentials:1.19
sshd:3.0.4
structs:1.23
swarm:3.27
test-results-analyzer:0.3.5
testcomplete-xunit:1.1
timestamper:1.13
token-macro:2.15
trilead-api:1.0.13
variant:1.4
warnings-ng:9.3.0
windows-slaves:1.0
workflow-aggregator:2.6
workflow-api:2.46
workflow-basic-steps:2.23
workflow-cps-global-lib:2.21
workflow-cps:2.92
workflow-durable-task-step:2.39
workflow-job:2.41
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.2

Linux 5.8.0-1038-aws 20.04.1-Ubuntu

Reproduction steps

Add local jenkins user while configuring Security Realm as Azure Active Directory. User is not available in Azure AD.

Results

Expected result: Local user was usable in prior versions

Actual result: [screenshot not included]

API token matched for user agent but the impersonation failed
org.springframework.security.core.userdetails.UsernameNotFoundException: Cannot find user: agent
timja commented 3 years ago

Could you give more details please?

Why are you doing this? How were you creating the users before?

Seems related to https://github.com/jenkinsci/azure-ad-plugin/issues/92#issuecomment-815165936

(The only plugin I'm aware of with support for this is the Active Directory plugin, although I've never used it myself, it wouldn't work with an SSO plugin unless we created a login page with username/password and an azure-ad button)

strobeti commented 3 years ago

Hi @timja,

we are using a groovy script to create local users and tokens on startup of jenkins. This is only done for technical users and how we have done it since day one. We didn't use Azure AD right from the beginning.

However, we have not changed anything in this setup. It just no longer works with the latest Azure AD plugin. Version 158.v437429002c6b works for us, but produces "user not found" logs. There were earlier versions that worked perfectly.

I assumed that local users get created but are disabled by the plugin afterwards because they are not part of the security realm?

API token matched for user agent but the impersonation failed

timja commented 3 years ago

Regardless of it working perfectly before that was an implementation detail and not a supported feature.

It was likely broken when Azure AD users got support for using an API token.

Why are you using this? And can you use an Azure AD user instead (they don't need an O365 license assigned)?

strobeti commented 3 years ago

Basically two reasons:

Should not be a problem to create that user in AD 👍 Wasn't aware that it's not a supported feature.

minhtd1981 commented 1 year ago

I faced the same issue. I need a user who has only permission to read Prometheus metrics but I do not want this user in Azure AD. I will try whether an API token can be used, but I feel a bit scared by @timja's comment.
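The log line in the bug report and the question at the end of the thread come down to the same check. An API token only proves that the caller knows the secret; after the token matches, Jenkins core still asks the configured security realm to resolve the user id, and a user that exists only as a record under $JENKINS_HOME/users but is unknown to the realm fails that lookup with the UsernameNotFoundException shown above. The script below is an added diagnostic, not code from the plugin or from anyone in this thread. It runs that realm lookup directly for a list of ids (the ids `agent` and `prometheus-scraper` are assumptions for illustration) so you can see, before creating or relying on a token, whether the realm would reject the user.

```groovy
// Added diagnostic, not part of the azure-ad plugin or of this issue.
// Run in Manage Jenkins > Script Console, or place it in
// $JENKINS_HOME/init.groovy.d to check technical users at startup.
import hudson.model.User
import jenkins.model.Jenkins
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Technical user ids to check. These names are assumptions for the example.
def technicalUsers = ['agent', 'prometheus-scraper']

def realm = Jenkins.get().securityRealm
println "Security realm: ${realm.class.name}"

technicalUsers.each { id ->
    // A User record on disk (created by a script or the UI) is not the same
    // thing as a principal the security realm can resolve.
    boolean onDisk = User.getById(id, false) != null

    boolean resolvable
    String detail
    try {
        // This is the lookup Jenkins core performs when it impersonates the
        // owner of a matched API token. Realms backed by an external
        // directory may contact that directory here.
        def userDetails = realm.loadUserByUsername2(id)
        resolvable = true
        detail = "authorities=${userDetails.authorities*.authority}"
    } catch (UsernameNotFoundException e) {
        resolvable = false
        detail = e.message
    }

    println String.format('%-20s on-disk=%-5s realm-resolvable=%-5s %s',
        id, onDisk, resolvable, detail)
    if (onDisk && !resolvable) {
        println "  -> a token for '${id}' would match, but the request would be rejected " +
                "(\"Cannot find user: ${id}\")"
    }
}
```

Any id reported as on-disk but not realm-resolvable is exactly the situation in this issue: the token matches, the impersonation fails. For the Azure AD realm the lookup may call Microsoft Graph, so run the script on an instance where the realm is fully configured; with Jenkins' own user database as the realm, script-created local users resolve normally.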