Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Freshly installed 1.656 with only Authorize Project and Active Directory plugins installed.
      Description

      When authentication is set to use the Active Directory plugin, Authorize Plugin fails if job authorization is set to anything but SYSTEM.

      Setting a job to "Run as user who triggered the build", the job just hangs in the job queue indefinitely waiting for access to an executor - when triggered by a logged-in user.

          Activity

          larsskj larsskj added a comment -

          Hi,

          Your observations are pretty correct - but I might enlighten you a little on my comment about "other security concerns": When authenticating using AD or any other LDAP directory - or any other directory at large, for that sake - it's considered best practice always to authenticate as the user in case, not by using an overall login.

          The reason for this is that when you're authenticating as the real user in all cases, you minimize the risk of the user getting access to information from the directory that you did not intend the user to be allowed to. If the authenticator is authenticating as something other than the current user, you risk exposing sensitive information to the user in case, as the authenticator user will almost certainly have access to much more information than the actual user.

          Regards,
          Lars

          ikedam ikedam added a comment -

          I agree it's useful if security realms don't require administrative credentials.
          But in fact, security realms often require them to retrieve authorizations from user names (without their passwords).

          For example, I believe "Remember me" of login requires retrieving authorizations from user names, and it should not work when always authenticating as the real users.

          As "Run as user who triggered the build" resolves authorizations with user names (it works like "Remember me"), it doesn't work without administrative credentials.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/TriggeringUsersAuthorizationStrategy.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/TriggeringUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/SecurityRealmWithUserFilter.java
          http://jenkins-ci.org/commit/authorize-project-plugin/e4ff3a19bc775b46361f4bfdac7d0a4b0f114b06
          Log:
          [FIXED JENKINS-34279] Handle UsernameNotFoundException.

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: ikedam
          Path:
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategy.java
          src/main/java/org/jenkinsci/plugins/authorizeproject/strategy/TriggeringUsersAuthorizationStrategy.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/SpecificUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/strategy/TriggeringUsersAuthorizationStrategyTest.java
          src/test/java/org/jenkinsci/plugins/authorizeproject/testutil/SecurityRealmWithUserFilter.java
          http://jenkins-ci.org/commit/authorize-project-plugin/cf96cbb0120200b1353e10bf60b048130c5b980e
          Log:
          Merge pull request #24 from ikedam/feature/JENKINS-34279_UsernameNotFound

          [FIXED JENKINS-34279] Handle UsernameNotFoundException.

          Compare: https://github.com/jenkinsci/authorize-project-plugin/compare/5a3088e771fa...cf96cbb01202

          ikedam ikedam added a comment -

          Fixed in 1.2.2.
          It will be available in the update center in a day.
          Please try that.

          But as I described before, that fix results in builds running as the anonymous user for users whose user information Active Directory failed to access.
          You have to configure the Active Directory plugin to allow access to user information even without user credentials.

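          The two comments above describe the mechanism: the queue item carries only the triggering user's id, so resolving that user's authorities is a password-less lookup that the security realm can only perform with its own credentials, and the 1.2.2 fix turns a failed lookup into an anonymous build. The strategy below is an added illustration of that behaviour, not the plugin's own TriggeringUsersAuthorizationStrategy; it assumes the 1.2.x-era API (`AuthorizeProjectStrategy.authenticate(AbstractProject, Queue.Item)`, Acegi `Authentication`, `User.impersonate()` throwing `UsernameNotFoundException`) and omits the Descriptor needed to register it.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import hudson.model.AbstractProject;
import hudson.model.Cause;
import hudson.model.Queue;
import hudson.model.User;
import jenkins.model.Jenkins;
import org.acegisecurity.Authentication;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.jenkinsci.plugins.authorizeproject.AuthorizeProjectStrategy;

/**
 * Illustrative "run as the user who triggered the build" strategy (assumed API,
 * not the plugin's shipped class).  Only the user id is available here, never a
 * password, so the realm must look the user up with its own credentials.
 */
public class TriggeringUserWithFallbackStrategy extends AuthorizeProjectStrategy {
    private static final Logger LOGGER =
            Logger.getLogger(TriggeringUserWithFallbackStrategy.class.getName());

    @Override
    public Authentication authenticate(AbstractProject<?, ?> project, Queue.Item item) {
        for (Cause cause : item.getCauses()) {
            if (!(cause instanceof Cause.UserIdCause)) {
                continue;
            }
            String userId = ((Cause.UserIdCause) cause).getUserId();
            if (userId == null) {
                break; // triggered by an anonymous user: nothing to impersonate
            }
            User user = User.get(userId, false);
            if (user == null) {
                break;
            }
            try {
                // Resolves the user's authorities from the id alone via the security realm.
                return user.impersonate();
            } catch (UsernameNotFoundException e) {
                // Before 1.2.2 this exception was not handled.  Log loudly: the build is
                // about to run as anonymous, which an administrator should notice and fix.
                LOGGER.log(Level.WARNING, "Security realm could not resolve user '" + userId
                        + "' for " + project.getFullName() + "; running build as anonymous", e);
                return Jenkins.ANONYMOUS;
            }
        }
        return Jenkins.ANONYMOUS;
    }
}
```

A warning in the Jenkins log for every downgraded build is the practical check that the realm's lookup credentials are configured as ikedam describes.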

            People

            • Assignee:
              larsskj larsskj
              Reporter:
              larsskj larsskj