Jenkins / JENKINS-27027

Log/notify REST authentication via API token

      Description
      Original request: SecurityListener should be notified when ApiTokenFilter approves or denies a REST authentication attempt. Jesse Glick says that the logic should be reviewed from scratch.

      TL;DR:

      • Investigate how it works
      • Send events when it does not

      Acceptance criteria:

      • We cover REST, CLI, Web UI...
      • Data should be forwarded to SecurityListener and logged here: https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91
      • Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
      • Nice2have: Review Javadoc of the engine and ensure it is still correct
      • Nice2have: Document the login flow in Wiki (or Jenkins.io developer docs)
      • What should happen:
        • When you log in, you get an event
        • When the authentication is sent, you get an event. Includes REST API (password != API token) and Web calls. Example: https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116

      Not in scope:

      • SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
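      The acceptance criteria ask that anybody can attach to SecurityListener from a plugin and receive the events. The listener below is an added illustration of that, not code from this issue or from Jenkins core; it assumes the Acegi-era SecurityListener callbacks (`authenticated(UserDetails)`, `failedToAuthenticate`, `loggedIn`, `failedToLogIn`, `loggedOut`), a hypothetical package name, and a failure threshold chosen for the example.

```java
package org.example.audit; // hypothetical package, not a Jenkins component

import hudson.Extension;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import jenkins.security.SecurityListener;
import org.acegisecurity.userdetails.UserDetails; // Acegi-era signature (pre Jenkins 2.266)

/**
 * Audit listener: receives the events SecurityListener fires for REST (API token),
 * CLI and web-UI authentication and writes them to the Jenkins log. It also keeps a
 * per-user count of consecutive failures so repeated bad credentials stand out.
 */
@Extension
public class AuditSecurityListener extends SecurityListener {

    private static final Logger LOG = Logger.getLogger(AuditSecurityListener.class.getName());
    /** Consecutive failures before a WARNING is emitted; value chosen for this example. */
    static final int FAILURE_THRESHOLD = 5;
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();

    /** Credentials (password or API token) were accepted; a success resets the failure count. */
    @Override
    protected void authenticated(UserDetails details) {
        failures.remove(details.getUsername());
        LOG.log(Level.INFO, "authenticated: {0}", details.getUsername());
    }

    /** Credentials were rejected; only the supplied username is available here. */
    @Override
    protected void failedToAuthenticate(String username) {
        int n = failures.computeIfAbsent(username, u -> new AtomicInteger()).incrementAndGet();
        Level level = n >= FAILURE_THRESHOLD ? Level.WARNING : Level.INFO;
        LOG.log(level, "failed authentication #{0} for {1}", new Object[] {n, username});
    }

    /** Interactive (web UI) login succeeded. */
    @Override
    protected void loggedIn(String username) { LOG.log(Level.INFO, "logged in: {0}", username); }

    @Override
    protected void failedToLogIn(String username) { LOG.log(Level.INFO, "failed login: {0}", username); }

    @Override
    protected void loggedOut(String username) { LOG.log(Level.INFO, "logged out: {0}", username); }
}
```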

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue depends on JENKINS-20999 [ JENKINS-20999 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 161218 ] JNJira + In-Review [ 180611 ]
            oleg_nenashev Oleg Nenashev made changes -
            Description
             Original value:
              {{SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt.
             New value:
              {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

              Acceptance criteria:
               * We cover REST, CLI, Web UI...
               * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
               * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
               * Nice2have: Review Javadoc of the engine and ensure it is still correct
               * What should happen:
               ** When you login, you get event
               ** When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

              Not in scope:
               * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
            oleg_nenashev Oleg Nenashev made changes -
            Description
             Original value:
              {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

              Acceptance criteria:
               * We cover REST, CLI, Web UI...
               * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
               * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
               * Nice2have: Review Javadoc of the engine and ensure it is still correct
               * What should happen:
               ** When you login, you get event
               ** When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

              Not in scope:
               * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
             New value:
              {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

              TL;DR:
               * Investigate how it works
               * Send events when it does not

              Acceptance criteria:
               * We cover REST, CLI, Web UI...
               * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
               * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
               * Nice2have: Review Javadoc of the engine and ensure it is still correct
               * What should happen:
               ** When you login, you get event
               ** When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

              Not in scope:
               * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
            wfollonier Wadeck Follonier made changes -
            Assignee Wadeck Follonier [ wfollonier ]
            wfollonier Wadeck Follonier made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            oleg_nenashev Oleg Nenashev made changes -
            Description
             Original value:
              {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

              TL;DR:
               * Investigate how it works
               * Send events when it does not

              Acceptance criteria:
               * We cover REST, CLI, Web UI...
               * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
               * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
               * Nice2have: Review Javadoc of the engine and ensure it is still correct
               * What should happen:
               ** When you login, you get event
               ** When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

              Not in scope:
               * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
             New value:
              {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

              TL;DR:
               * Investigate how it works
               * Send events when it does not

              Acceptance criteria:
               * We cover REST, CLI, Web UI...
               * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
               * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
               * Nice2have: Review Javadoc of the engine and ensure it is still correct
               * Nice2have: Document the login flow in Wiki (or Jenkins.io developer docs)
               * What should happen:
               ** When you login, you get event
               ** When the authentication is sent, you get event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

              Not in scope:
               * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
            wfollonier Wadeck Follonier made changes -
            Remote Link This issue links to "#3074 (Web Link)" [ 17949 ]
            wfollonier Wadeck Follonier made changes -
            Remote Link This issue links to "#1192 (jenkins-io) (Web Link)" [ 17950 ]
            wfollonier Wadeck Follonier made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            wfollonier Wadeck Follonier made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]

              People

              • Assignee: wfollonier Wadeck Follonier
              • Reporter: jglick Jesse Glick
              • Votes: 0
              • Watchers: 5