
User logged out after successful configuration of "Run as Specific User" (as of Jenkins 2.150.2)

    Details

    • Released As:
      Jenkins 2.210

      Description

      Actual behaviour

      As user "A", when configuring authorization
      using the "Run as Specific User" strategy to run a job as user "B",
      after successful authentication with the password of user "B",
      user "A" is logged out.

      Expected behaviour

      User "A" is still logged in.

      Root Cause Analysis

      This issue is present starting with Jenkins 2.150.2, which implemented new security measures for user sessions (see changelog https://jenkins.io/changelog-stable/#v2.150.2). It seems that the call below invalidates the current user session:

      Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
          new UsernamePasswordAuthenticationToken(userId, password)
      );
      


          Activity

          jvz Matt Sicker added a comment -

          I've isolated this problem to the code in UserSeedSecurityListener.authenticated() which will overwrite the current session's user seed with the authorized user's seed instead. This seed is not restored after the build completes (or ever), so essentially, you end up with the authorize user's session which doesn't work.

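The mechanism described in the ticket description and in the comment above, as an added illustration that is not Jenkins code and not the fix from PR 4394: a simplified Python model of a per-user session seed that is stored in the HTTP session at login and re-checked on every request, so that renewing a user's seed logs that user out everywhere. The seed store, the session dictionary, the user/password table and the `fixed` switch are constructed assumptions for this example; the real `UserSeedSecurityListener`, the request filter and the actual fix are not reproduced. The point it shows is the one the comment makes: a password check for user "B" performed inside user "A"'s session must not overwrite "A"'s seed, or "A"'s next request fails the seed check.

```python
"""Model of the JENKINS-59107 session behaviour (constructed example).

A per-user seed is copied into the session at login and compared with the
user's current seed on each request. Renewing the seed (for example on a
password change) therefore invalidates all of that user's sessions.

The bug modelled here: authenticating user B from inside user A's session,
as the "Run as Specific User" configuration step does, stores B's seed in
A's session while the session principal is still A, so A's next request
fails the check and A is logged out.
"""
import secrets


class SeedStore:
    """Per-user seeds. renew(user) invalidates every session of that user."""

    def __init__(self):
        self._seeds = {}

    def seed_for(self, user):
        return self._seeds.setdefault(user, secrets.token_hex(16))

    def renew(self, user):
        self._seeds[user] = secrets.token_hex(16)


SEED_ATTR = "user-seed"  # session attribute name, an assumption for this model

# Constructed credentials for the example only.
PASSWORDS = {"A": "pw-of-A", "B": "pw-of-B"}


def login(session, store, user, password):
    """Normal login: bind the principal and its current seed to the session."""
    if PASSWORDS.get(user) != password:
        raise PermissionError("bad credentials")
    session["principal"] = user
    session[SEED_ATTR] = store.seed_for(user)


def check_request(session, store):
    """Model of the per-request seed filter.

    Returns True if the session is still valid. On a mismatch between the
    seed stored in the session and the principal's current seed the session
    is invalidated (cleared) and False is returned, i.e. the user is logged out.
    """
    principal = session.get("principal")
    if principal is None:
        return False
    if session.get(SEED_ATTR) != store.seed_for(principal):
        session.clear()
        return False
    return True


def authenticate_as(session, store, user, password, *, fixed):
    """Password check for `user` performed from within another user's session
    (the 'Run as Specific User' configuration step).

    fixed=False models the pre-fix behaviour from the ticket: the listener
    treats the check like a login and overwrites the session seed with
    `user`'s seed, while the session principal stays the original user.
    fixed=True models the intended behaviour: the out-of-band password check
    leaves the current session untouched.
    """
    if PASSWORDS.get(user) != password:
        raise PermissionError("bad credentials")
    if not fixed:
        session[SEED_ATTR] = store.seed_for(user)
    return user


def run_scenario(fixed):
    """Log in as A, authorize a job to run as B, report whether A is still logged in."""
    store = SeedStore()
    session = {}
    login(session, store, "A", PASSWORDS["A"])
    assert check_request(session, store)  # A is logged in before the step
    authenticate_as(session, store, "B", PASSWORDS["B"], fixed=fixed)
    return check_request(session, store)


def renew_logs_out():
    """What the seed is for: renewing A's seed invalidates A's existing session."""
    store = SeedStore()
    session = {}
    login(session, store, "A", PASSWORDS["A"])
    store.renew("A")
    return check_request(session, store)


if __name__ == "__main__":
    print("pre-fix, A still logged in after authorizing as B:", run_scenario(fixed=False))
    print("fixed,   A still logged in after authorizing as B:", run_scenario(fixed=True))
    print("A still logged in after seed renewal:", renew_logs_out())
```

Running the script prints `False`, `True`, `False`: the pre-fix path logs A out, the fixed path keeps A logged in, and seed renewal still does its job in both models because the fix only stops the unrelated authentication from touching the session.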
          jvz Matt Sicker added a comment -

          PR to fix this open for review: https://github.com/jenkinsci/jenkins/pull/4394

          wfollonier Wadeck Follonier added a comment -

          Important point to mention in the description, to trigger the "password" field to appear, you need to lack admin permission as the user A. I installed matrix-auth to achieve that easily.

          jvz Matt Sicker added a comment -

          Ah, that explains some test failures I came across at one point when testing out different combinations of versions.

          oleg_nenashev Oleg Nenashev added a comment -

          Released in Jenkins 2.210, will mark as LTS candidate


            People

            • Assignee:
              jvz Matt Sicker
              Reporter:
              renescheibe René Scheibe
            • Votes:
              0
              Watchers:
              6
