After upgrading CloudBees CI I hit 'No valid crumb was included in request' when creating RBAC groups

2 minute readKnowledge base
This article references an issue that affects a product version that is no longer supported. Please verify the version listed in the article applies to your situation. If unsure, please submit a support ticket at: https://support.cloudbees.com/.

Issue

  • I am using the SAML Security Realm

  • After upgrading CloudBees CI, I am not able to create RBAC groups from the UI. The requests fails with an error 403 and the message No valid crumb was included in request

  • The Jenkins logs show the following stacktrace when trying to create an RBAC group from the UI:

WARNING	o.e.j.s.h.ContextHandler$Context#log: Error while serving $GROUP_CONTAINER_URL/groups/groupExistsCheck
hudson.security.UserMayOrMayNotExistException2: <groupName>
	at org.jenkinsci.plugins.saml.SamlSecurityRealm.loadGroupByGroupname(SamlSecurityRealm.java:636)
	at nectar.plugins.rbac.groups.GroupContainerMixIn.doGroupExistsCheck(GroupContainerMixIn.java:191)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
Caused: java.lang.reflect.InvocationTargetException
    [...]

Resolution

This issue was introduced in SAML plugin version 4.352.vb_722786ea_79d included in CloudBees CI 2.361.2.1. It has been resolved in SAML PLugin version 4.372.v89f13e4c9e97 included in CloudBees CI 2.361.3.2.

The solution is to upgrade CloudBees CI to version 2.361.3.2 or later.

Workaround

If an upgrade of CloudBees CI is not possible, the workaround is to upgrade the SAML plugin to version 4.372.v89f13e4c9e97 or later. This requires that the dependency Jackson 2 API plugin be upgraded to version 2.13.4.20221013-295.v8e29ea_354141 or later.

Note: If a plugin upgrade is not possible, th following workarounds can also be used:

  • when creating a Group, enter the group name and hit "Enter" with the keyboard. If you do not click outside the group name text field and keep the focus on it, the check for group name existence will not happen. This check is what caused the problem

  • create groups using the REST API or the Jenkins CLI