Fix intermittent auth failure to artifactory from Jenkins #9658

retronym · 2021-06-07T05:55:46Z

In 41e376a, the build was updated to support publishing from
Travis CI.

However, on Jenkins, the old means of supplying the publish
credentials to pr-validation snapshots was retained, it has
a ~/.credentials file. So we provided two credentials for the
same host/realm to SBT, and on Jenkins the DirectCredentials
contains an empty password.

Which one of these would SBT pick?

sbt 'setupPublishCore https://scala-ci.typesafe.com/artifactory/scala-pr-validation-snapshots/' 'show credentials'
[info] compiler / credentials
[info] 	List(DirectCredentials("Artifactory Realm", "scala-ci.typesafe.com", "scala-ci", ****), FileCredentials("/Users/jz/.credentials"))
[info] scalap / credentials
[info] 	List(DirectCredentials("Artifactory Realm", "scala-ci.typesafe.com", "scala-ci", ****), FileCredentials("/Users/jz/.credentials"))
...    <10 more like this>
[info] credentials
[info] 	List(DirectCredentials("Artifactory Realm", "scala-ci.typesafe.com", "scala-ci", ****))

The ivySbt task in SBT registers the credentials in order in a global map
in Ivy (CredentialStore). So on Jenkins, the invalid DirectCredentials
would be overwritten in the map by he FileCredentials.

But the fact that this is global state in Ivy appears to be a source of cross
talk between the configured credentials for different modules in the build.
Even though the publish task is serialized through the ivy lock, this lock
does not enclose the previous execution of the ivySbt which sets up the
credentials in CredentialStore.

In our build, notice that the root project does not have the
FileCredentials set. So if the ivySBT task for this project runs last,
the global map will have the incorrect DirectCredentials.

The fix in our build is easy, avoid configuring the DirectCredentials if the
environment variables are absent. We can also standardize on using
Global/credentials := .

The principled fix in SBT would be to thread the credentials down to the HTTP
client without using global state. It could also emit a warning if conflicting
credentials are configured for a given host/realm.

retronym · 2021-06-07T06:35:02Z

Reported the bug to SBT: sbt/sbt#6533

In 41e376a, the build was updated to support publishing from Travis CI. However, on Jenkins, the old means of supplying the publish credentials to pr-validation snapshots was retained, it has a ~/.credentials file. So we provided two credentials for the same host/realm to SBT, and on Jenkins the DirectCredentials contains an empty password. Which one of these would SBT pick? ``` sbt 'setupPublishCore https://scala-ci.typesafe.com/artifactory/scala-pr-validation-snapshots/' 'show credentials' [info] compiler / credentials [info] List(DirectCredentials("Artifactory Realm", "scala-ci.typesafe.com", "scala-ci", ****), FileCredentials("/Users/jz/.credentials")) [info] scalap / credentials ... <10 more like this> [info] credentials [info] List(DirectCredentials("Artifactory Realm", "scala-ci.typesafe.com", "scala-ci", ****)) ``` The `ivySbt` task in SBT registers the credentials in order in a global map in Ivy (`CredentialStore`). So on Jenkins, the invalid `DirectCredentials` would be overwritten in the map by he `FileCredentials`. But the fact that this is global state in Ivy appears to be a source of cross talk between the configured credentials for different modules in the build. Even though the publish task is serialized through the ivy lock, this lock does not enclose the previous execution of the `ivySbt` which sets up the credentials in `CredentialStore`. In our build, notice that the root project does _not_ have the `FileCredentials` set. So if the `ivySBT` task for this project runs last, the global map will have the incorrect `DirectCredentials`. The fix in our build is easy, avoid configuring the `DirectCredentials` if the environment variables are absent. We can also standardize on using `Global/credentials := `. The principled fix in SBT would be to thread the credentials down to the HTTP client without using global state. It could also emit a warning if conflicting credentials are configured for a given host/realm.

scala-jenkins added this to the 2.13.7 milestone Jun 7, 2021

retronym added internal not resulting in user-visible changes (build changes, tests, internal cleanups) backport candidate labels Jun 7, 2021

retronym mentioned this pull request Jun 7, 2021

Cross talk between credentials := settings due to global mutable state in Ivy sbt/sbt#6533

Open

retronym force-pushed the topic/credentials branch from 170dfee to a8ec10d Compare June 7, 2021 06:41

dwijnand approved these changes Jun 7, 2021

View reviewed changes

retronym mentioned this pull request Jun 7, 2021

[backport] Fix intermittent auth failure to artifactory from Jenkins #9659

Merged

retronym merged commit c7debd6 into scala:2.13.x Jun 7, 2021

retronym deleted the topic/credentials branch June 7, 2021 08:26

SethTisue mentioned this pull request Sep 13, 2021

Release 2.12.15 scala/scala-dev#783

Closed

21 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix intermittent auth failure to artifactory from Jenkins #9658

Fix intermittent auth failure to artifactory from Jenkins #9658

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Fix intermittent auth failure to artifactory from Jenkins #9658

Fix intermittent auth failure to artifactory from Jenkins #9658

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!