This article references an issue that affects a product version that is no longer supported. Please verify the version listed in the article applies to your situation. If unsure, please submit a support ticket at: https://support.cloudbees.com/. |
Issue
-
I am using the SAML Security Realm
-
After upgrading CloudBees CI, I am not able to create RBAC groups from the UI. The requests fails with an error
403
and the messageNo valid crumb was included in request
-
The Jenkins logs show the following stacktrace when trying to create an RBAC group from the UI:
WARNING o.e.j.s.h.ContextHandler$Context#log: Error while serving $GROUP_CONTAINER_URL/groups/groupExistsCheck hudson.security.UserMayOrMayNotExistException2: <groupName> at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname(SamlSecurityRealm.java:636) at nectar.plugins.rbac.groups.GroupContainerMixIn.doGroupExistsCheck(GroupContainerMixIn.java:191) at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397) Caused: java.lang.reflect.InvocationTargetException [...]
Related Issue(s)
-
JENKINS-69958: SAML plugin wrongly throws UserMayOrMayNotExistException2 exception / BEE-27392: SAML plugin 4.352.vb_722786ea_79d causes RBAC endpoints to fails with invalid Crumb
Resolution
This issue was introduced in SAML plugin version 4.352.vb_722786ea_79d
included in CloudBees CI 2.361.2.1. It has been resolved in SAML PLugin version 4.372.v89f13e4c9e97
included in CloudBees CI 2.361.3.2.
The solution is to upgrade CloudBees CI to version 2.361.3.2 or later.
Workaround
If an upgrade of CloudBees CI is not possible, the workaround is to upgrade the SAML plugin to version 4.372.v89f13e4c9e97
or later. This requires that the dependency Jackson 2 API plugin be upgraded to version 2.13.4.20221013-295.v8e29ea_354141
or later.
Note: If a plugin upgrade is not possible, th following workarounds can also be used:
-
when creating a Group, enter the group name and hit "Enter" with the keyboard. If you do not click outside the group name text field and keep the focus on it, the check for group name existence will not happen. This check is what caused the problem
-
create groups using the REST API or the Jenkins CLI