
Infinite loop when using the Keycloak plugin in Jenkins

Delaram Hamraz · 1 year ago

    So I installed Jenkins on a VM, and at the moment we log in to it through Jenkins' own user database. I want to set up single sign-on for all of our applications through Keycloak. I followed the tutorial on the Jenkins website and a video on YouTube; unfortunately, neither of them worked.

    The problem is that I'm using the Keycloak Authentication plugin in Jenkins. I configured the realm and the client in Keycloak and pasted the installation JSON that Keycloak provides into the Keycloak JSON field in Jenkins. When I log out and want to log in again, we end up in an infinite loop.

    I checked the logs to see where the problem comes from: no audience in the token

    2024-04-24 14:21:09.679+0000 [id=366]   SEVERE  o.j.p.KeycloakSecurityRealm#doFinishLogin: Authentication Exception
    org.keycloak.common.VerificationException: No audience in the token
            at org.keycloak.TokenVerifier$AudienceCheck.test(TokenVerifier.java:153)
            at org.keycloak.TokenVerifier.verify(TokenVerifier.java:476)
            at org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:54)
            at org.jenkinsci.plugins.KeycloakSecurityRealm.doFinishLogin(KeycloakSecurityRealm.java:262)
            at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
            at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
            at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
            at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
            at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
            at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
            at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
            at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
            at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)
            at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
            at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
            at org.kohsuke.stapler.Stapler.invoke(Stapler.java:690)
            at org.kohsuke.stapler.Stapler.service(Stapler.java:240)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
            at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
            at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:157)
            at org.jenkinsci.plugins.RefreshFilter.doFilter(RefreshFilter.java:96)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:248)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:129)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:81)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
            at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
            at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:160)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
            at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:122)
            at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:116)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:109)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:141)
            at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:97)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:223)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:112)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:82)
            at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
            at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
            at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
            at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
            at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
            at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
            at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
            at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
            at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:549)
            at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
            at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
            at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
            at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
            at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1383)
            at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
            at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
            at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
            at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
            at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1305)
            at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
            at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
            at org.eclipse.jetty.server.Server.handle(Server.java:563)
            at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
            at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
            at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
            at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
            at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
            at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
            at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
            at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
            at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
            at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
            at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:139)
            at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
            at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:933)
            at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1077)
            at java.base/java.lang.Thread.run(Thread.java:829)
    This is the JSON I gave Jenkins:

    {
      "realm": "Prod",
      "auth-server-url": "https://login.****.org/auth/",
      "ssl-required": "none",
      "resource": "Jenkins",
      "verify-token-audience": true,
      "credentials": {
        "secret": "*******"
      },
      "use-resource-role-mappings": true,
      "confidential-port": 0
    }
    So if anyone knows how to solve this, or what is causing it, I would be very grateful.

Matt Ramey · 1 year ago

    I am the main maintainer of the Keycloak Jenkins plugin. A quick workaround is to remove "verify-token-audience": true, from your JSON and it should work (I tested it locally and was able to resolve it). If you can't get into Jenkins because of the loop, you can open Jenkins' config.xml file, remove that line from the securityRealm element, and restart the service.

    I'm looking into why this happens and have created a ticket for this bug - https://issues.jenkins.io/browse/JENKINS-73072 . Please follow it for any updates. I'm hoping to add another bug fix in the next plugin release, so once I've tested the fix I'll publish a new version.

    Thanks

    Edit: Sorry, I hadn't used audiences in tokens before. A fuller (better) fix is to add the audience from your Keycloak to your token. A simple way I was able to do this locally is:

    1. In the Keycloak admin console, go to my client
    2. Click the "Client scopes" tab
    3. Click the dedicated client scope (my client is called jenkins, so the scope I clicked is "jenkins-dedicated").
    4. Click "Add mapper" -> By configuration
    5. Select the "Audience" mapper
    6. Fill in the details. I named my audience "audience", and in the "Included Client Audience" field I picked "jenkins" from the dropdown.
    7. Click "Save", then log in to Jenkins again. (You may need to clear your browser cache or open a new session.)
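
The audience check behind the log line above, as an added example that is not code from the original post, the Jenkins Keycloak plugin, or Keycloak itself: a Python reproduction of the three outcomes of Keycloak's `TokenVerifier` audience check (no `aud` at all, `aud` present but without the client, `aud` containing the client), run over constructed unsigned tokens, together with the Audience mapper from the answer's steps written out in the protocol-mapper JSON shape the Keycloak admin REST API and kcadm use. The issuer URL, the user, the "other-app" audience and the mapper config keys are assumptions; `Jenkins` is the `resource` value from the question's JSON.

```python
"""Reproduce Keycloak's audience check for a Jenkins client, offline.

Added example, not from the plugin or from Keycloak. The outcomes mirror
org.keycloak.TokenVerifier's AudienceCheck, which raised
"No audience in the token" in the question's log. Tokens are constructed
and unsigned; the real adapter verifies the signature first.
"""
import base64
import json
from typing import Any, Dict, List, Union

# `resource` from the Jenkins Keycloak JSON in the question; the adapter
# expects to find this client id in the token's `aud` claim.
EXPECTED_AUDIENCE = "Jenkins"

# Equivalent of the Audience mapper the answer adds in the admin UI, in the
# shape the Keycloak admin REST API / kcadm use (assumed to match Keycloak's
# oidc-audience-mapper config keys; check against your Keycloak version).
AUDIENCE_MAPPER = {
    "name": "audience",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-audience-mapper",
    "config": {
        "included.client.audience": EXPECTED_AUDIENCE,
        "id.token.claim": "false",
        "access.token.claim": "true",
    },
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict[str, Any]:
    """Return the payload claims of a compact JWT without verifying it.

    Inspection only: the real adapter checks the signature against the realm
    keys before any claim check runs, so never trust claims obtained this way.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _audiences(aud: Union[str, List[str], None]) -> List[str]:
    # RFC 7519 allows `aud` to be a single string or an array of strings.
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(claims: Dict[str, Any], expected: str = EXPECTED_AUDIENCE) -> str:
    """Audience check with the same three outcomes as Keycloak's AudienceCheck."""
    if claims.get("aud") is None:
        raise ValueError("No audience in the token")
    if expected in _audiences(claims["aud"]):
        return "ok"
    raise ValueError("Expected audience not available in the token")


def classify_token(token: str, expected: str = EXPECTED_AUDIENCE) -> str:
    """Decode a token and return 'ok' or the Keycloak-style failure message."""
    try:
        return check_audience(decode_claims(token), expected)
    except ValueError as exc:
        return str(exc)


def apply_audience_mapper(claims: Dict[str, Any], mapper: Dict[str, Any]) -> Dict[str, Any]:
    """Simulate the mapper's effect on an access token: add the configured
    client (and any custom audience) to `aud`, keeping existing entries."""
    cfg = mapper["config"]
    out = dict(claims)
    if cfg.get("access.token.claim") != "true":
        return out
    current = _audiences(out.get("aud"))
    for key in ("included.client.audience", "included.custom.audience"):
        value = cfg.get(key)
        if value and value not in current:
            current.append(value)
    out["aud"] = current[0] if len(current) == 1 else current
    return out


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed, unsigned (alg=none) JWT for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample tokens (not real Keycloak output); issuer URL is assumed.
ISSUER = "https://login.example.org/auth/realms/Prod"
TOKEN_NO_AUD = make_unsigned_token({"iss": ISSUER, "sub": "alice", "azp": "Jenkins"})
TOKEN_WRONG_AUD = make_unsigned_token({"iss": ISSUER, "sub": "alice", "aud": "other-app", "azp": "Jenkins"})
TOKEN_OK = make_unsigned_token(apply_audience_mapper(decode_claims(TOKEN_NO_AUD), AUDIENCE_MAPPER))

if __name__ == "__main__":
    for name, tok in (("no aud", TOKEN_NO_AUD), ("wrong aud", TOKEN_WRONG_AUD), ("mapped", TOKEN_OK)):
        print(f"{name:10s} -> {classify_token(tok)}")
```

Decoding a real access token the same way and looking at its `aud` member is the quickest way to tell which of the three cases an instance is in before touching the plugin configuration. The quick workaround of removing `verify-token-audience` makes Jenkins accept any token the realm signed, including one issued to a different client, so the mapper-based fix from the edit is the configuration to keep.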