timja / jenkins-gh-issues-poc-06-18


[JENKINS-53266] Legacy token for user "unknown" keeps reappearing #10033

Open timja opened 6 years ago

timja commented 6 years ago

Ever since the API token change introduced by JENKINS-32776, a legacy token is automagically generated on our install for the nonexistent user "unknown".

Legacy tokens have been disabled since updating to 2.130.

After manually revoking the token, it usually takes a few hours for it to magically reappear and then causes the red administrative monitor counter to (re-)appear in the toolbar.

Though I can revoke the token, I am unable to change it via the user admin page Change API Token button.


Originally reported by cafuego, imported from: Legacy token for user "unknown" keeps reappearing
  • assignee: wfollonier
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10
timja commented 6 years ago

oleg_nenashev:

CC wfollonier

timja commented 6 years ago

wfollonier:

cafuego thank you for your report. Could you provide us with the list of plugins and their versions that you currently have installed? This will help us investigate the case.

Thank you in advance

timja commented 6 years ago

cafuego:

Indeed I can, here is the full list: plugins.txt

timja commented 6 years ago

wfollonier:

Thank you cafuego for the quick answer, I will try to reproduce the case as soon as I have time and keep you informed.

timja commented 5 years ago

pessoft:

I have the same issue. The "unknown" token reappears after every restart of Jenkins. I've created the list of plugins that are present on my instance AND in the list provided by cafuego: plugins-merged.txt. Hopefully this will help to narrow the search.


timja commented 5 years ago

estyrke:

wfollonier I have this issue too. I have all the plugins from the "merged" set except "Build Pipeline Plugin", "Build Timeout", "Email Extension Plugin", "Environment Injector Plugin" and "Windows Slaves Plugin".

timja commented 4 years ago

froque:

I also have this problem. Two users whose legacy tokens, after being revoked, keep coming back.

I have attached plugins-merged.lieverdink.kolinek.froque.txt with common plugins

timja commented 4 years ago

krachynski:

I can suggest three more removals from froque's list. I do not have Build Pipeline Plugin, Dashboard View, or Pipeline Graph Analysis Plugin on the server where I'm seeing this behaviour.

I set up a Docker instance and added most of my production plugins in by hand and have not been able to reproduce this behaviour yet. I say most because I have an NCover plugin in production that doesn't seem to exist any more. As I haven't been able to reproduce this empty token issue, I'm beginning to suspect that this is due to an upgrade somewhere along the line.

timja commented 4 years ago

krachynski:

Since I suspect this is due to a plugin upgrade at some point, I decided to do some digging. It looks like revoking legacy tokens for some users isn't actually revoking them. I have one unknown user on my system that shows up every time I restart Jenkins. I've been revoking the token each time it comes up without luck.

Logging into my Jenkins host computer, I looked in the users folder for my unknown user. users.xml told me what directory it was in and the config.xml confirmed the legacy token.

```
tokenhash
```

The new format looks more like

```
uuid
mytoken
2019-11-28 18:37:11.655 UTC
  11
  tokenhash
```

Since I was looking to revoke the token outright, I just deleted the line in config.xml and restarted Jenkins.
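The lookup described above (users.xml mapping a user id to its directory, then that directory's config.xml carrying a legacy token) can be scripted as a detection check. This is an added example, not code from the thread or from Jenkins; it assumes that users.xml stores the id-to-directory map as `<idToDirectoryNameMap><entry><string>id</string><string>dir</string></entry>` and that a legacy token is the `<apiToken>` child of `jenkins.security.ApiTokenProperty` in `users/<dir>/config.xml`, with constructed sample files embedded inline.

```python
"""Report Jenkins users whose config.xml still carries a legacy API token.

Assumptions (not confirmed by the thread): users/users.xml maps ids to
directory names via <idToDirectoryNameMap>, and the legacy token is the
<apiToken> element under jenkins.security.ApiTokenProperty.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample data mirroring the thread: "unknown" has a legacy token, alice does not.
SAMPLE_USERS_XML = """<hudson.model.UserIdMapper>
  <version>1</version>
  <idToDirectoryNameMap class="concurrent-hash-map">
    <entry><string>unknown</string><string>unknown_1234</string></entry>
    <entry><string>alice</string><string>alice_5678</string></entry>
  </idToDirectoryNameMap>
</hudson.model.UserIdMapper>"""

SAMPLE_CONFIGS = {
    "unknown_1234": """<user><fullName>unknown</fullName><properties>
  <jenkins.security.ApiTokenProperty><apiToken>tokenhash</apiToken></jenkins.security.ApiTokenProperty>
</properties></user>""",
    "alice_5678": """<user><fullName>alice</fullName><properties>
  <jenkins.security.ApiTokenProperty><tokenStore><tokenList/></tokenStore></jenkins.security.ApiTokenProperty>
</properties></user>""",
}

def parse_user_dirs(users_xml: str) -> dict:
    """Return {user id: directory name} from the users.xml id map (assumed layout)."""
    mapping = {}
    for entry in ET.fromstring(users_xml).iter("entry"):
        strings = entry.findall("string")
        if len(strings) == 2:
            mapping[strings[0].text] = strings[1].text
    return mapping

def has_legacy_token(config_xml: str) -> bool:
    """True if the user's ApiTokenProperty still has a non-empty legacy <apiToken>."""
    for prop in ET.fromstring(config_xml).iter("jenkins.security.ApiTokenProperty"):
        legacy = prop.find("apiToken")
        if legacy is not None and (legacy.text or "").strip():
            return True
    return False

def find_legacy_tokens(users_xml: str, configs: dict) -> list:
    """User ids (sorted) whose directory's config.xml carries a legacy token."""
    dirs = parse_user_dirs(users_xml)
    return sorted(uid for uid, d in dirs.items() if d in configs and has_legacy_token(configs[d]))

def scan_jenkins_home(home: Path) -> list:
    """Same check against a real JENKINS_HOME (reads users/users.xml and users/*/config.xml)."""
    users = home / "users"
    configs = {p.parent.name: p.read_text() for p in users.glob("*/config.xml")}
    return find_legacy_tokens((users / "users.xml").read_text(), configs)

if __name__ == "__main__":
    print(find_legacy_tokens(SAMPLE_USERS_XML, SAMPLE_CONFIGS))  # ['unknown']
```

Run `scan_jenkins_home(Path("/var/lib/jenkins"))` (path is an example) on the controller to list the users the administrative monitor will keep flagging after a restart.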


timja commented 4 years ago

krachynski:

As near as I can tell right now, the Revoke selected token(s) button calls this method: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/jenkins/security/apitoken/LegacyApiTokenAdministrativeMonitor.java#L159-L185

But none of the logging present there seems to be hitting my Jenkins logs.

timja commented 4 years ago

cafuego:

krachynski Yep, confirmed. I checked the users.xml file and also found an "unknown" entry in there pointing at an old format token in users/foo/config.xml. I've deleted said user, in theory that'll mean the warning doesn't come back after a restart.

I am pretty sure that entry in the list of users is courtesy of the GitHub integration; Jenkins tries to enumerate people it finds in git commits, whether they have actual Jenkins logins or not. The "unknown" user in question has an email address that does match a former staff member, but it's not one that we ever used in LDAP.

timja commented 4 years ago

krachynski:

Oh good catch. I have jglick as one of my users and I recall that's because I built his sample pipeline job from github directly. The unknown user in my case is one of our current staff members, but it's likely that record was added before I switched to Active Directory as my source.


timja commented 4 years ago

jpinto:

I've also been affected by this. Changing a user's name from "unknown" to something else allows the legacy token to be properly revoked.
The email of the user in question seems to be a default one generated by git (username@hostname) so it might indeed be one of the Git integrations creating a user from commits without a Git author configured.