-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Component/s: reverse-proxy-auth-plugin
-
Labels:None
-
Environment:Jenkins 2.90
reverse-proxy-auth-plugin 1.6.2
-
Similar Issues:
After configuring the reverse-proxy-auth-plugin, users are not authenticated in Jenkins.
it appears that ReverseProxySecurityRealm is correctly identifying the user from the following logs:
PM FINE org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm USER LOGGED IN: tad@simple.com
However, DefaultReverseProxyAuthenticator does not appear to receive the username:
PM INFO org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate DefaultReverseProxyAuthenticator::authenticate ==> null to [Lorg.acegisecurity.GrantedAuthority;@6d8c3052
We are not using LDAP authentication.
Here is the relevant section of config.xml:
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.6.2">
<proxyTemplate/>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>uid={0}</userSearch>
<updateInterval>15</updateInterval>
<forwardedUser>X-Simple-Internal-User</forwardedUser>
<retrievedUser>vanvlack@simple.com</retrievedUser>
<headerGroups></headerGroups>
<headerGroupsDelimiter>|</headerGroupsDelimiter>
<disableLdapEmailResolver>true</disableLdapEmailResolver>
<displayNameLdapAttribute></displayNameLdapAttribute>
<emailAddressLdapAttribute></emailAddressLdapAttribute>
</securityRealm>
What's interesting is the persistence of "retrievedUser", which might mean a leak of transient state.
Attached is a sanitized dump of /whoAmI.
Oleg Nenashev Yes, I'd be able to help. Are you available on IRC somewhere?
Usually "yes". oleg_nenashev in standard Jenkins channels. Traveling today tho
I am experiencing the same or similar issue, Jenkins ver. 2.105 and
Reverse Proxy Auth Plugin v1.6.2
When I go to https://myjenkinsurl/whoAmI/ I see that the header which is in my case ( X-Remote-User = my.username) is present but I am still authenticated as Anonimous.
For some reason it does not respect the header anymore after I upgraded.
Krasimir Popov could you please take a Snapshot build from https://github.com/jenkinsci/reverse-proxy-auth-plugin/pull/36 and confirm whether it works for you?
How do I do this where can I download .jar or pull docker image or something?
Krasimir Popov You can download plugin HPI from https://ci.jenkins.io/job/Plugins/job/reverse-proxy-auth-plugin/job/PR-36/1/artifact/target/reverse-proxy-auth-plugin.hpi and then install it in Plugin Manager
Worked as a charm, Looking forward for the stable version to roll in production.
Thanks!
Will release it tomorrow once I have a network which allows releasing
Code changed in jenkins
User: Tad Fisher
Path:
src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java
src/test/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealmTest.java
http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/85f1a6b0b6ebd2b24e6e6b5498b2ce3ee035798b
Log:
JENKINS-49274 Run reverse-proxy filter after default filter
Code changed in jenkins
User: Oleg Nenashev
Path:
src/main/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealm.java
src/test/java/org/jenkinsci/plugins/reverse_proxy_auth/ReverseProxySecurityRealmTest.java
http://jenkins-ci.org/commit/reverse-proxy-auth-plugin/0f3dc2d8e13a2fc3de29f6e14bf6840ecaa8f032
Log:
Merge pull request #36 from tadfisher/jenkins-49274
JENKINS-49274 Run reverse-proxy filter after default filter
Compare: https://github.com/jenkinsci/reverse-proxy-auth-plugin/compare/cc9829233246...0f3dc2d8e13a
It has been released in 1.6.3
Same problem with 1.6.3 :
févr. 09, 2018 7:38:33 AM org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate
INFOS: DefaultReverseProxyAuthenticator::authenticate ==> null to null
févr. 09, 2018 7:38:33 AM org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate
INFOS: DefaultReverseProxyAuthenticator::authenticate ==> null to null
févr. 09, 2018 7:38:33 AM org.jenkinsci.plugins.reverse_proxy_auth.auth.DefaultReverseProxyAuthenticator authenticate
INFOS: DefaultReverseProxyAuthenticator::authenticate ==> null to null
Need to revert to 1.5
For me it works fine with the Snapshot build and with the official 1.6.3 release.
Jenkins ver. 2.105 and Plugin v1.6.3 in production since this morning and no issues since then.
Laurent Le Grandois give more details about your entire setup so we can reproduce.
Hi,
here is the configuration :
Centos 7 :
- httpd-2.4.6-67.el7.centos.6.x86_64
- jenkins-2.105-1.1.noarch
Jenkins config :
<securityRealm class="org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm" plugin="reverse-proxy-auth-plugin@1.5"> <proxyTemplate/> <authContext/> <authorityUpdateCache/> <inhibitInferRootDN>false</inhibitInferRootDN> <userSearchBase></userSearchBase> <userSearch>uid={0}</userSearch> <updateInterval>15</updateInterval> <forwardedUser>X-Alfresco-Remote-User</forwardedUser> <headerGroups>X-Forwarded-Groups</headerGroups> <headerGroupsDelimiter>|</headerGroupsDelimiter> <disableLdapEmailResolver>false</disableLdapEmailResolver> <displayNameLdapAttribute></displayNameLdapAttribute> <emailAddressLdapAttribute></emailAddressLdapAttribute> </securityRealm>
Apache config :
<Location /> AuthBasicProvider file ldap AuthType Basic AuthName "Ldap Authentication" AuthUserFile "/etc/httpd/security/passwd" AuthLDAPURL ldaps:************************?uid AuthLDAPBindDN uid=*************************** AuthLDAPBindPassword "***************" Require valid-user RewriteEngine On RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1,NS] RequestHeader set X-Alfresco-Remote-User "%{RU}e" RewriteRule ^ - [E=X-Alfresco-Remote-User:${uc:%{LA-U:X-Alfresco-Remote-User}},NS,L] Options +Indexes </Location> RewriteCond %{REQUEST_URI} ^/computer/.*$ RewriteRule ^/computer/(.*)$ /jenkins/computer/$1 [L,R] ProxyPass /jenkins http://localhost:8080/jenkins ProxyPassReverse /jenkins http://localhost:8080/jenkins
When you visit https://yourjenkinsurl/whoAmI/
do you have the
X-Alfresco-Remote-User
present there?
Authorization: Basic is correctly setted and other backends behind this reverse-proxy (Alfresco, Nexus, etc ..) got user id from Apache.
PS : sorry, didn't see your html file : no, header doesn't appear
I was just digging into a problem with Jenkins swarm plugin that I had after the upgrade and I noticed then now they changed the order of authentication somehow and if Authorization: Basic is present it will take advantage over the custom header you are sending to the Reverse proxy auth plugin. The result of this is that you will get 401 HTTP error from the Jetty server.
You need to configure your apache to remove the Authorization header.
For nginx I did
proxy_set_header Authorization "";
Not sure what is the equivalent for Apache.
Hi Krasimir,
it works !!
Config for Apache is :
<Location /jenkins> RequestHeader set Authorization "" </Location>
Thanks
Glad to hear that.
Cheers...
I think I am also hitting this. I can auth as my user, but my swarm agents aren't able to get through. The proxy is authenticating them successfully, and should be forwarding the user via the X-Forwarded-For header which is how I've configured jenkins, but the agents just are stuck 401ing the whole time against the /plugin/swarm/slaveInfo url.
What kind of webserver you use to proxy the requests. You need to ensure that all other unnecessary authentication headers are removed (Not proxied to jenkins jetty server). In the case of swarm it is basic auth and the header that you have to remove is Authorization.
For nginx
proxy_set_header Authorization "";
For Apache
<Location /jenkins>
RequestHeader set Authorization ""
</Location>
I believe that this is more feature rather then a bug, jenkins security is improved and now there is better order of security layers. If Authorization header is present then jenkins follows to that and you will get 401. Your X-Forwarded-For header is ignored in that case.
For Apache I think the more proper setting is:
<Location /jenkins>
RequestHeader unset Authorization
</Location>
(verified this fixes the issues for me too)
Tad Fisher AFAICT it's still a follow-up to the original fix in
JENKINS-49236.the authenticator does not get the context correctly. Although we fixed NPEs in such case, a main objective would be to debug the plugin and to understand why it fails in such way. Would you be able to debug it on your instance?
CC Wadeck Follonier