JENKINS-49532

autogenerated keystore should not be kept in temp directory

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels:
      None
    • Environment:
      SAML-plugin 1.0.5

      Description

      The SAML plugin automatically generates a keystore in /tmp (when it has not been manually configured otherwise). However, /tmp files are subject to garbage collection; if the keystore is subsequently deleted by a cleanup process (e.g. tmpwatch, systemd-tmpfiles-clean, etc.), it will break SAML authentication and require a restart of the Jenkins process.

      Being able to specify a path or directory for where to create the autogenerated keystore would solve this problem.

      The existing mechanism for specifying a keystore requires configuring the plugin manually with a key password and keystore password. We deploy and manage a fleet of Jenkins instances via Ansible and are limited to configuration options that can be scripted. The automatically generated keystore would be a satisfactory solution if it were not subject to garbage collection.

            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            As a workaround you can change the temporary folder with the `java.io.tmpdir` Java property, but this file should probably be created in the JENKINS_HOME folder.

            qwrrty Tim Pierce added a comment -

            The workaround we are using for the time being is adding an exclusion in /etc/tmpfiles.d/jenkins.conf to keep the keystore from being deleted. I agree that JENKINS_HOME would be a more suitable location for the autogenerated keystore.
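
A way to check whether a given keystore path is exposed to the cleanup described in this ticket, and whether a tmpfiles.d exclusion like the one mentioned above covers it. This is an added example, not code from the ticket or the SAML plugin; the keystore file name and the rule text are constructed placeholders, and the parser handles only aged directory rules and `x` exclusions.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed sample: the stock systemd rules for /tmp and /var/tmp plus a
# jenkins.conf drop-in. The keystore file name is a placeholder, not the plugin's.
SAMPLE_TMPFILES = """\
# /usr/lib/tmpfiles.d/tmp.conf
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
# /etc/tmpfiles.d/jenkins.conf
x /tmp/saml-keystore-*.jks
"""

AGED_TYPES = {"d", "D", "e", "v", "q", "Q"}  # directory types that honour Age


def parse(text):
    """Return (aged_dirs, exclusions) from tmpfiles.d-formatted text."""
    aged, excluded = {}, []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        kind, path = fields[0].rstrip("!-+=~^"), fields[1]
        age = fields[5] if len(fields) > 5 else "-"
        if kind in AGED_TYPES and age != "-":
            aged[path] = age
        elif kind == "x":
            excluded.append(path)
    return aged, excluded


def cleanup_risk(keystore, text):
    """Return the Age of the rule that would delete keystore, or None if safe."""
    aged, excluded = parse(text)
    p = PurePosixPath(keystore)
    candidates = [str(p)] + [str(a) for a in p.parents]
    # An 'x' rule protects the matched path and everything beneath it.
    if any(fnmatch.fnmatchcase(c, pat) for c in candidates for pat in excluded):
        return None
    for directory in candidates[1:]:
        if directory in aged:
            return aged[directory]
    return None
```

A non-`None` result means the file sits under a directory that systemd-tmpfiles ages out and no exclusion matches it, which is the condition that breaks SAML authentication until Jenkins is restarted.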

            stradenko C added a comment -

            If the file does not exist, shouldn't it be re-created?

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Ivan Fernandez Calvo
            Path:
            src/main/java/org/jenkinsci/plugins/saml/BundleKeyStore.java
            http://jenkins-ci.org/commit/saml-plugin/f0c2b160b0a862fe1a3f6d79317a092b013b5576
            Log:
            JENKINS-49532 autogenerated keystore should not be kept in temp directory (#42)

            pavan_tatikonda Venkata Siva Naga Tatikonda added a comment -

            I agree with Coltrey; if the file doesn't exist, Jenkins should re-create it and use it dynamically.

            qwrrty Tim Pierce added a comment -

            It looks like the PR has been merged. Is there anything else that needs to be done to close the ticket? Is that my responsibility as the ticket owner?

            FWIW, I also agree that it makes sense to automatically re-create the file if it disappears in the middle of a session.

            ifernandezcalvo Ivan Fernandez Calvo added a comment - edited

            Tim Pierce, I am testing some stuff to save the configuration of the keystore. As soon as I have finished, I will release and close this Jira.

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            released on SAML Plugin 1.0.6


              People

              • Assignee:
                ifernandezcalvo Ivan Fernandez Calvo
                Reporter:
                qwrrty Tim Pierce
              • Votes:
                0
                Watchers:
                5