- After upgrading CloudBees CI to version 2.263.1.2 or later, users can no longer log in to a Controller when it is disconnected from the Operations Center
- I am running CloudBees CI 2.263.1.2 or later and users cannot log in anymore to a Controller when it is disconnected from the Operations Center
- The Single sign-on fallback behavior stopped working
- CloudBees CI (CloudBees Core) >= 2.263.1.2
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master >= 2.263.1.2
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center >= 2.263.1.2
- CloudBees CI (CloudBees Core) on traditional platforms - Client Master >= 2.263.1.2
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center >= 2.263.1.2
- CloudBees Jenkins Platform - Client Master >= 2.263.1.2
- CloudBees Jenkins Platform - Operations Center >= 2.263.1.2
- Operations Center Context Plugin >= 22.214.171.124 and <= 2.277.0.2
The Single sign-on fallback behavior guarantees that when a Controller is disconnected from Operations Center (if Operations Center is down or restarted), the Controller falls back to the same Security Realm that is configured in Operations Center, but run locally. This local copy, known as the Offline Security Realm, is used until the connection to Operations Center is re-established. For this to work, a compatible version of the plugin used as Security Realm must be installed on both Operations Center and the Controllers.
Since version 2.263.1.2, the mechanism that synchronizes the Offline Security Realm configuration locally on the Controllers does not serialize Secrets properly. The Secrets are encrypted with both the Operations Center key and the Controller key, which causes the Controller to use a wrong Secret value when it authenticates against the Offline Security Realm (that is, when it is disconnected from Operations Center).
- BEE-1204: When a controller is disconnected from Operations Center, the offline security realm on controller is broken
There is no workaround for this problem other than stabilizing the connection with the Operations Center.
However, there are cases when this problem affects the service that backs the Jenkins Security Realm (LDAP, Active Directory, …). For example, with the Active Directory / LDAP Plugin, the wrong password can cause several successive Bind DN authentication failures, which can cause the Bind DN user to be blocked in Active Directory / LDAP. In such cases, to avoid having a user blocked due to this problem, the workaround is to disable, on the Controller, the Security Realm plugin used for the fallback. For example, if the Security Realm in Operations Center is configured using the LDAP plugin, disable the LDAP plugin on the Controller(s).
The problem is fixed in version 2.277.0.2 of the Operations Center Context Plugin, which is planned to be available in the May 2021 release.