Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[JENKINS-72268] Missing permission due to desync with cache #256

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -504,6 +504,9 @@ private GHMyself loadMyself(@NonNull String token) throws IOException {
// Also stick into usersByIdCache (to have latest copy)
String username = ghMyself.getLogin();
usersByIdCache.put(username, new GithubUser(ghMyself));
} else {
// force creation of the gh variable, esp. in case of impersonation
getGitHub();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the cause of the performance degradation

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lprimak can you describe more about your environment and usage?

  • In what ways to you use auth? Just oauth web or GitHub personal access tokens, too?
  • How are your jobs organized? Are they in folders or grouped into views? What columns do you have enabled on the landing page if Jenkins for the All view?
  • Where were performance issues most noticeable?
  • How many users?
  • How many jobs and can you break down numbers by job type?

Hopefully, with enough info, it can be reproduced and fixed upon reproduction. Any answers you provide can help us figure out a performance profile and attempt to emulate your environment.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also if you could describe how you evaluated the 20x performance reduction it will give us hints of where to look as a root cause. It's not always just the contributed area that could be the root cause, it's possible an unrelated area of code could trigger the conditions for this performance issue. So it would give us a hint for evaluating other areas if we understand exactly how you experienced the degradation.

Copy link

@lprimak lprimak Nov 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In what ways to you use auth? Just oauth web or GitHub personal access tokens, too?

I use auth to sign in to jenkins with GH credentials, I believe that's all:
Here is my oath configuration (config-as-code)

jenkins:
  securityRealm:
    github:
      clientID: "XXX"
      clientSecret: "XXX"
      githubApiUri: "https://api.github.com"
      githubWebUri: "https://github.com"
      oauthScopes: "read:org,user:email,repo"

How are your jobs organized? Are they in folders or grouped into views?

There are less than 10 jobs. No folders

Where were performance issues most noticeable?

Running any declarative pipeline. It's slow as molasses

How many users?

Just me

Also if you could describe how you evaluated the 20x

Pipelines that used to take 1 minute now take 15 minutes :)

Thanks for your help

}
} catch (IOException e) {
LOGGER.log(Level.INFO, e.getMessage(), e);
Expand Down
11 changes: 8 additions & 3 deletions src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
Original file line number Diff line number Diff line change
Expand Up @@ -753,10 +753,15 @@
@Override
public GroupDetails loadGroupByGroupname(String groupName)
throws UsernameNotFoundException, DataAccessException {
GithubAuthenticationToken authToken = (GithubAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();

if(authToken == null)
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
throw new UsernameNotFoundException("No known group: " + groupName);
}
if (!(authentication instanceof GithubAuthenticationToken)) {
throw new UserMayOrMayNotExistException("The received token is not a GitHub one");
}

GithubAuthenticationToken authToken = (GithubAuthenticationToken) authentication;

Check warning on line 764 in src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Not covered lines

Lines 756-764 are not covered by tests

try {
int idx = groupName.indexOf(GithubOAuthGroupDetails.ORG_TEAM_SEPARATOR);
Expand Down