JENKINS-52045

Advanced configuration missing on Configure Global Security

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      Jenkins 2.121.1
      Active Directory Plugin 2.7
      Jenkins running in Windows Server
      Description

      I just upgraded from Jenkins 2.107.3 to 2.121.1 along with all the plugins I needed, including Active Directory going from 2.6 to 2.7. The Advanced configuration button is no longer present. Since this upgrade also triggers "TLS Configuration is not correct" and TLS is hidden by said button, I cannot use this version of the plugin.

            Activity

            krachynski Ken Rachynski created issue -
            fbelzunc Félix Belzunce Arcos made changes -
            Field Original Value New Value
            Status Open [ 1 ] In Progress [ 3 ]
            fbelzunc Félix Belzunce Arcos made changes -
            fbelzunc Félix Belzunce Arcos added a comment -

            Ken Rachynski, Nick Jones: Hello, I have just set up a Windows Server to be able to better understand this problem. AFAIK the problem is only affected by users running Jenkins on a Windows Server doing native authentication.

            In the image below you have all the options available in the advanced button. If I understand correctly, for native authentication - not any custom server, from all those options, it only makes sense to have available:

            • Environment Properties
            • Enable cache
            • Use Jenkins Internal Database

            The rest of the options, including TLS, should not make sense to have available since you are doing Native Authentication, right?

            Then, the TLS alert should never appear since TLS is not being used over there.

            • Would you mind confirming these assumptions for me?
            fbelzunc Félix Belzunce Arcos added a comment -

            So if I understand correctly, the main issue here is the TLS banner - so the plugin still works correctly.

            • Is that correct?
            medianick Nick Jones added a comment -

            Yes, Félix Belzunce Arcos, the 2.7 plugin appears to work correctly, at least in my limited testing – I was able to log out and in, configure AD groups with access, and see my current user's groups enumerated. The only issue I had was the banner, and no obvious way to clear it aside from downgrading to 2.6.

            I'm not sure I understand your description of the problem as "only affected by users running Jenkins on a Windows Server doing native authentication" – unless by "native" you mean Active Directory in the domain the server resides in (so, automatically detecting the domain controller(s) using ADSI), rather than configuring a custom AD server. Is that it?

            medianick Nick Jones made changes -
            Attachment image-2018-06-20-09-38-18-299.png [ 43033 ]
            medianick Nick Jones added a comment -

            My current Access Control setup looks like this:

            krachynski Ken Rachynski made changes -
            Link This issue blocks JENKINS-52047 [ JENKINS-52047 ]
            krachynski Ken Rachynski added a comment -

            In my case, I am using custom domains due to a badly joined forest. 

            I did some further testing yesterday but hadn't reported yet. If I manually add startTls and tlsConfiguration to my configuration xml file, then the plugin actually works. Otherwise, no, this plugin is not working properly.

            Further, in this state, if I save the current configuration even without changing anything, the startTls and tlsConfiguration settings are removed from the configuration file.

            fbelzunc Félix Belzunce Arcos added a comment -

            Ken Rachynski Would you mind exposing the problem on your end - remove tlsConfiguration + startTls - and providing on this ticket the stacktrace you are getting in the Jenkins logs to understand what is going on?

            krachynski Ken Rachynski added a comment -

            This is the log for just the plugin. Looking at this, I do see that binding is working properly; it's just the existing users and groups that are generating stack traces which is part of JENKINS-52047.

             

            krachynski Ken Rachynski made changes -
            Attachment active-directory-plugin.log [ 43034 ]
            medianick Nick Jones added a comment -

            In my case the only unusual aspect of the configuration I can think of is that the machine's actual name (JenkinsTest2) is different from the DNS name we use when accessing it (JenkinsTest – which is a DNS alias for JenkinsTest2), and the latter name is also what is configured in the "Jenkins URL" in the system configuration. If I access the server under its actual name, I get the expected "It appears that your reverse proxy set up is broken." message. I'm not sure if that could be causing the TLS warning message when running under 2.7, but it's the only unusual aspect I can think of.
             

            krachynski Ken Rachynski added a comment -

            That's an interesting observation. My master also has a different domain name to DNS name (ie-ci-master vs jenkins.ie.local).

             

            medianick Nick Jones added a comment -

            I just reinstalled 2.7 (after setting up a logger for "hudson.plugins.active_directory", inspired by Ken Rachynski), and now I'm not seeing the TLS warning message. Examining the config history, it appears that resaving the config under 2.6 caused 

            <groupLookupStrategy>AUTO</groupLookupStrategy>

            and 

            <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>

            to be added. Subsequently resaving the config with 2.7 installed causes those to be removed, and the warning comes back.

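The comparison Ken Rachynski and Nick Jones describe doing by hand above (checking which settings disappear from the configuration file after a re-save) can be scripted. This is an added example, not code from the issue or the plugin; the sample XML is constructed, and the function names `realm_settings` and `audit_resave` are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Elements the comments above report as dropped when the config is re-saved.
TRACKED = ("startTls", "tlsConfiguration", "groupLookupStrategy")

# Constructed snapshots (not copied from the issue); the layout is an assumption.
BEFORE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
    <startTls>true</startTls>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
    <tlsConfiguration>TRUST_ALL_CERTIFICATES</tlsConfiguration>
  </securityRealm>
</hudson>"""
AFTER = """<hudson>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.7"/>
</hudson>"""


def realm_settings(config_xml):
    """Return (plugin attribute, {tracked element: text}) for <securityRealm>."""
    # Strip the declaration: Jenkins may write version 1.1, which expat can reject.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    realm = ET.fromstring(body).find("securityRealm")
    if realm is None:
        raise ValueError("no <securityRealm> element found")
    found = {n: (realm.findtext(n) or "").strip() for n in TRACKED if realm.find(n) is not None}
    return realm.get("plugin", "unknown"), found


def audit_resave(before_xml, after_xml):
    """Compare two config snapshots; return a list of finding strings."""
    old_plugin, old = realm_settings(before_xml)
    new_plugin, new = realm_settings(after_xml)
    findings = []
    for name in TRACKED:
        if name in old and name not in new:
            findings.append(f"dropped {name}={old[name]} ({old_plugin} -> {new_plugin})")
        elif name in old and old[name] != new[name]:
            findings.append(f"changed {name}: {old[name]} -> {new[name]}")
    # TRUST_ALL_CERTIFICATES means the server certificate is not validated.
    for label, cfg in (("before", old), ("after", new)):
        if cfg.get("tlsConfiguration") == "TRUST_ALL_CERTIFICATES":
            findings.append(f"{label}: tlsConfiguration trusts all certificates")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_resave(BEFORE, AFTER)))
```

Run against copies of config.xml taken before and after saving Configure Global Security, it shows whether a plugin upgrade silently removed TLS settings from the security realm.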
            fbelzunc Félix Belzunce Arcos added a comment -

            Thanks everybody for the contributions.

            I think that I finally understood the issue.

            1. This issue only happens for users running Jenkins on Windows Servers.
            2. If Specify a custom Active Directory domain name is not selected, then the only issue here is that we should never show the banner since we are doing native authentication.
            3. If Specify a custom Active Directory domain name is selected, then we should show the Advanced section because we are not doing native authentication and at this point, ActiveDirectoryUnixAuthenticationProvider is used instead of ActiveDirectoryAuthenticationProvider.

            I will try to fix this as soon as I have some "spare" time available.

            fbelzunc Félix Belzunce Arcos made changes -
            Attachment active-directory.hpi [ 43054 ]
            fbelzunc Félix Belzunce Arcos added a comment -

            Nick Jones, Ken Rachynski

            • Would you mind checking this snapshot to confirm all the issues are fixed?
            medianick Nick Jones added a comment -

            Félix Belzunce Arcos, I've installed the 2.8-SNAPSHOT build and am not seeing the warning banner anymore. The only change I see in the system config is simply the expected plugin version in the <securityRealm> element. So, I'm good to go. Thanks!

            fbelzunc Félix Belzunce Arcos added a comment -

            Ken Rachynski Would you mind testing, please? I think that will fix the problem - I will then submit a PR and release.

            krachynski Ken Rachynski added a comment -

            I apologize for the delay. Yes, this snapshot appears to address all of my issues. I now have the advanced section back and all my users and groups are validated properly.

            miraha jang hyemi (Inactive) made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            fbelzunc Félix Belzunce Arcos made changes -
            Link This issue is related to JENKINS-52047 [ JENKINS-52047 ]
            fbelzunc Félix Belzunce Arcos added a comment -

            This should be fixed in https://github.com/jenkinsci/active-directory-plugin/pull/85 - and it is being released as active-directory-2.8

            fbelzunc Félix Belzunce Arcos made changes -
            Link This issue is related to JENKINS-52047 [ JENKINS-52047 ]
            fbelzunc Félix Belzunce Arcos made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            fbelzunc Félix Belzunce Arcos made changes -
            Environment
            Original Value: Jenkins 2.121.1; Active Directory Plugin 2.7
            New Value: Jenkins 2.121.1; Active Directory Plugin 2.7; Jenkins running in Windows Server
            fbelzunc Félix Belzunce Arcos made changes -
            Remote Link This issue links to "Page (Jenkins Wiki)" [ 20950 ]

              People

              • Assignee: fbelzunc Félix Belzunce Arcos
              • Reporter: krachynski Ken Rachynski
              • Votes: 2
              • Watchers: 3
