Jenkins issue JENKINS-22470

SpecificUsersAuthorizationStrategy cannot be used with non-password-based security realms

Description

SpecificUsersAuthorizationStrategy allows a user to save a configuration mentioning another user, but (unless the current user is an administrator) this can only work if the security realm is an AbstractPasswordBasedSecurityRealm. It will not work for SSO or container-based security.

I would suggest allowing an API token to be used instead of a password. This would work with any security realm. Using an API token also reduces the impact of a password field compromise during form submission. (Normally a password is only sent to /j_acegi_security_check which people would be very conscious of and which involves no Jenkins code; job submission forms are more likely to be captured in various exception messages, loggers, and so on.)

It may also make sense to have a separate strategy, or mode of SpecificUsersAuthorizationStrategy, which would always run as the last person to configure the job. This would be appropriate when a job is configured by several people on the same team, all with similar permissions. You can get this effect with the current UI but only if each configuring user remembers to enter their own username each time, which is awkward.

Activity

ikedam added a comment -

This can be done using ApiTokenProperty (a subclass of UserProperty).
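To make the ApiTokenProperty approach concrete, here is an added illustration written for this page; it is not code from the authorize-project plugin or from the commits linked below. It verifies a user-supplied API token against the named user's ApiTokenProperty instead of asking the security realm to authenticate a password, which is why it works under SSO and container-based realms as well. It assumes a Jenkins core that provides User.getById(String, boolean), User.getProperty(Class), ApiTokenProperty.matchesPassword(String) and Jenkins.get(); the class name RunAsUserVerifier and the method names are hypothetical.

```java
import hudson.model.User;
import hudson.security.AbstractPasswordBasedSecurityRealm;
import hudson.security.SecurityRealm;
import jenkins.model.Jenkins;
import jenkins.security.ApiTokenProperty;

// Hypothetical helper (not part of authorize-project): the token-based
// check this issue proposes, written against Jenkins core's public API.
public final class RunAsUserVerifier {

    private RunAsUserVerifier() {
    }

    /**
     * Returns true when the supplied API token belongs to userId.
     * The security realm is never consulted, so this works regardless of
     * whether the realm can check passwords at all.
     */
    public static boolean matchesApiToken(String userId, String apiToken) {
        if (userId == null || apiToken == null || apiToken.isEmpty()) {
            return false;
        }
        // create=false: never create a User record just because a form named it
        User user = User.getById(userId, false);
        if (user == null) {
            return false;
        }
        ApiTokenProperty prop = user.getProperty(ApiTokenProperty.class);
        // matchesPassword compares the submitted token with the stored one;
        // a user without a token property can never be selected this way
        return prop != null && prop.matchesPassword(apiToken);
    }

    /**
     * Reports whether a username/password check is even possible: only an
     * AbstractPasswordBasedSecurityRealm exposes one. For SSO or
     * container-managed realms this is false, which is the limitation the
     * issue describes.
     */
    public static boolean passwordCheckAvailable() {
        SecurityRealm realm = Jenkins.get().getSecurityRealm();
        return realm instanceof AbstractPasswordBasedSecurityRealm;
    }

    /**
     * Decision when a job configuration names another user: administrators
     * may choose any user; everyone else must present that user's API token.
     * The token is compared but never logged or stored with the job.
     */
    public static boolean mayRunAs(String userId, String apiToken) {
        if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return true;
        }
        return matchesApiToken(userId, apiToken);
    }
}
```

A strategy would call mayRunAs from its form-submission handling and reject the save when it returns false. Keeping the comparison inside Jenkins core (matchesPassword) rather than reimplementing it in the plugin avoids the plugin ever holding or echoing the secret in its own exception messages, which is the exposure the description points out for job forms.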

SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/config.jelly
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/config_ja.properties
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-password.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-password_ja.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/passwordApiTokenSwitch.js
src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
http://jenkins-ci.org/commit/authorize-project-plugin/99d8c7e949c0b5ab7a5bf4d74b61afa14903e837
Log:
[FIXED JENKINS-22470] Supports apitoken for authentication.

SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: ikedam
Path:
src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/config.jelly
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/config_ja.properties
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-password.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/help-password_ja.html
src/main/resources/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy/passwordApiTokenSwitch.js
src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
http://jenkins-ci.org/commit/authorize-project-plugin/a753afbe08182b682151aaf4219a16c82f367e55
Log:
Merge pull request #11 from ikedam/feature/JENKINS-22470_SupportsApiToken

JENKINS-22470 Supports apitoken for authentication.

Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/34ab30783ea9...a753afbe0818

ikedam added a comment -

Apitoken is supported in authorize-project 1.1.0.
It will be available in the update center in a day.


People

Assignee: ikedam
Reporter: Jesse Glick (jglick)