Issue
- I cannot login to Jenkins. The Jenkins logs shows an exception similar to
Caused by: org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
at jenkins.model.Jenkins.getItem(Jenkins.java:2399)
at jenkins.model.Jenkins.getItem(Jenkins.java:307)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2505)
at hudson.model.Run.fromExternalizableId(Run.java:2282)
at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:307)
at sun.reflect.GeneratedMethodAccessor959.invoke(Unknown Source)
- Upstream builds succeed but build logs show the following exception:
Notifying upstream projects of job completion
FATAL: Please login to access job upstream
org.acegisecurity.AccessDeniedException: Please login to access job <itemName>
at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
at jenkins.model.Jenkins.getItem(Jenkins.java:324)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849)
at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116)
at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89)
at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146)
at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247)
at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681)
at hudson.model.Build$BuildExecution.cleanUp(Build.java:200)
at hudson.model.Run.execute(Run.java:1775)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:404)
Environment
- Jenkins
- Jenkins LTS
- CloudBees Jenkins Enterprise (CJE)
- CloudBees Request Filter plugin
Issues Related
- JENKINS-42556 for PlaceholderTask.runForDisplay
- JENKINS-42577 for ReverseBuildTrigger.shouldTrigger
- JENKINS-42586 for OldDataMonitor.referTo
- JENKINS-42707
Resolution
This happens when anonymous is granted the permissions Overall/Read and Item/Discover but not Item/Read. This a mode that is used to force login redirects from job URLs. You can find more information about this in the article Q&A: Setting Up Role-based Access Control
The stacktrace may actually exposes a bug for a particular component in Jenkins that does not impersonate as SYSTEM user when accessing an item. A non-exhaustive list of issues is mentioned above. Please check on these Jira to check if there is a fix implemented for it. If you are seeing a similar stacktrace as Please login to access job <itemName> but for a different component/scenario, please open a new Support request for review or directly file a new issue in Jira.
Otherwise, a workaround is to remove the Item/Discover permission from the anonymous user.
0 Comments