Backup jobs fails: User is missing the Overall RunScripts permission

Article ID:115001038328
2 minute readKnowledge base

Issue

The following stacktrace -or a similar one - appears on the build console logs after running a backup job.

Started by user ajones
Building in workspace /Users/fbelzunc/cloudbees/plugins/infradna-backup-plugin/work/jobs/backup-job/workspace
This job was last saved by a user without the right level of permission.
Please, configure the backup job with an user with the right permission.
ERROR: Build step failed with exception
hudson.security.AccessDeniedException2: ajones is missing the Overall/RunScripts permission
	at hudson.security.ACL.checkPermission(ACL.java:63)
	at hudson.model.Node.checkPermission(Node.java:441)
	at com.infradna.hudson.plugins.backup.store.LocalFileStore.create(LocalFileStore.java:59)
	at com.infradna.hudson.plugins.backup.BackupBuilder.doPerform(BackupBuilder.java:156)
	at com.infradna.hudson.plugins.backup.BackupBuilder.perform(BackupBuilder.java:143)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785)
	at hudson.model.Build$BuildExecution.build(Build.java:205)
	at hudson.model.Build$BuildExecution.doRun(Build.java:162)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
	at hudson.model.Run.execute(Run.java:1741)
	at hudson.model.Build.run(Build.java:113)
	at hudson.model.ResourceController.execute(ResourceController.java:98)
	at hudson.model.Executor.run(Executor.java:408)
Build step 'Take backup' marked build as failure
Finished: FAILURE

Environment

  • CloudBees Jenkins Enterprise (CJE)

  • CloudBees Jenkins Operation Center (CJOC)

  • hhttps://docs.cloudbees.com/plugins/ci/infradna-backup[CloudBees Backup Plugin]

  • Any of the Matrix-based Authorization strategies including: Matrix-based security, Project-based Matrix Authorization or Role-based matrix authorization (CloudBees RBAC plugin)

Resolution

This is usually the result of either a permission or an authentication issue.

Permission issue

Backup jobs need to be saved by an user with current Overall/RunScripts permission. If this job was saved by an user with this permission and now you are getting this stacktrace, probably this user lacks now the Overall/RunScripts permission.

Save this BackUp job with an user with Overall/RunScripts permission. To achieve this:

1) Log in the instance with a User with Overall/RunScripts permission 2) Go to this BackUp job > Configure > Save it. Optionally, you could edit the current configuration as you wish. 3) Run this BackUp job. It should work.

Authentication issue

The issue could might happen as well when the user who saved the job is mapped with a Jenkins external group on the Security realm - and this one is not correctly configured. To workaround the issue you can just map the user with the corresponded Jenkins group instead of using an external group.

In case you are sure that the backup job was saved by an user with the right permission, then this issue might be that the Security Realm is not correctly configured. Even if whoAmI is reporting that this user is a member of the groups, it might happen that the authentication plugin you are using is not reporting correctly the groups: i.e LDAP plugin is configured with Group membership attribute= memberOf but this configuration is wrong.

A logger for com.infradna.hudson.plugins.backup can be created to check the GrantedAuthorities for the user who is trying to build the backup job.

User ajones was found on the BackupBuilder descriptor. Authentication details are: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@c1671d8b: Username: ajones; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_INSERTIONORDER, ROLE_SALES, authenticated, china_adsense, insertionorder, ROLE_ADVERTISING, advertising, adops, ROLE_BRODATE, brodate, ROLE_SFOFFICE, ROLE_EVERYONE, sales, ROLE_ADOPS, everyone, ROLE_CHINA_ADSENSE, sfoffice