問題

Certain actions within Bamboo present a java.lang.IllegalArgumentException: Unknown cipher data id 0 exception after switching Bamboo to run as a Windows Service. Actions include but not limited to:

• Creating / deleting / viewing a repository.
• Shared credentials UI.
• Variables UI.
• Starting a plan or build.

診断

A stack trace similar to the following is shown in the UI (and logged to atlassian-bamboo.log) when performing certain actions in Bamboo:

2017-05-18 22:29:26,005 WARN [10-BAM::PlanExec:pool-18-thread-4] [PlanExecutionManagerImpl] Unknown error during doWithProcessLock
io.atlassian.util.concurrent.LazyReference$InitializationException: java.lang.IllegalArgumentException: Unknown cipher data id 0
 at io.atlassian.util.concurrent.LazyReference.getInterruptibly(LazyReference.java:156)
 at io.atlassian.util.concurrent.LazyReference.get(LazyReference.java:116)
 at com.atlassian.bamboo.plan.cache.AbstractImmutableChain.getPlanRepositoryDefinitions(AbstractImmutableChain.java:263)
...
Caused by: java.lang.IllegalArgumentException: Unknown cipher data id 0
	at com.google.common.base.Preconditions.checkArgument(Preconditions.java:122)
	at com.atlassian.bamboo.crypto.instance.InstanceSecretStorage.getCipherData(InstanceSecretStorage.java:105)
	at com.atlassian.bamboo.crypto.instance.InstanceSecretStorage.getKeyAndIv(InstanceSecretStorage.java:95)

Both of the below criteria are true:

• <BAMBOO-HOME>/xml-data/configuration/cipher/cipher.key_0 exists as a non 0 byte file.

• The below SQL statement returns two rows:

  SELECT * 
    FROM BANDANA
  WHERE BANDANA_KEY LIKE '%cipher%';

原因

Bamboo 5.15.x shipped with a new System-wide encryption feature. The encryption key is stored in the database and on the filesystem. Both the filesystem and the database key parts are required to perform successful decryption. The key part stored on your filesystem is located under <BAMBOO-HOME>/xml-data/configuration/cipher.

When Bamboo first generates the filesystem key part, it limits ownership and access of this file to only the user running Bamboo. We see this cause issues on Windows as the the user running the process often gets changed when configuring Bamboo to run as a service as opposed to a console application. When the process is started as a different user to the user running Bamboo when the filesystem key part was first generated, Bamboo can no longer access the filesystem key part.

ソリューション

Correct the Security ACL (Right click > Properties > Security) on both the cipher directory and cipher key so that the user that's starting Bamboo has ownership:

- <BAMBOO-HOME>/xml-data/configuration/cipher/
-- <BAMBOO-HOME>/xml-data/configuration/cipher/cipher.key_0