  1. Jenkins
  2. JENKINS-6587

Allow CLI Container Managed Authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cli
    • Labels:
      None
    • Environment:
      Platform: All, OS: All
      Description

      After the changes in JENKINS-3796, container managed authentication no longer works for CLI.

      Make the necessary changes to maintain the extensibility provided in JENKINS-3796, but also allow container based auth.

          Activity

          jpederzolli jpederzolli created issue -
          jpederzolli jpederzolli made changes -
          Field: Issue Type
          Original Value: Improvement [ 4 ]
          New Value: Bug [ 1 ]
          Field: Description
          Original Value: Currently there is no way to supply Hudson credentials to hudson-cli, making it unusable to those who do not allow anonymous access to Hudson.
          New Value: After the changes in JENKINS-3796, container managed authentication no longer works for CLI.

          Make the necessary changes to maintain the extensibility provided in JENKINS-3796, but also allow container based auth.
          jpederzolli jpederzolli made changes -
          Assignee jpederzolli [ jpederzolli ]
          Fix Version/s current [ 10162 ]
          jpederzolli jpederzolli made changes -
          Fix Version/s current [ 10162 ]
          jpederzolli jpederzolli added a comment -

          The reason for this issue is the following:

          The changes in JENKINS-3796 removed the passing of the Authentication object to the CliManagerImpl and made the CLI authentication more extensible. The one problem with it is that you need the Authentication to be passed into the CliManagerImpl class if one is using the LegacySecurityRealm (i.e. container auth). Without this issue being fixed, the CLI user will always be 'anonymous' if container based authentication is relied upon.

          A summary of the changes:

          1) Restore CliManager constructor to take an Authentication object which in turn will be passed on to the CLICommand implementation.
          2) Create an overloaded createCliAuthenticator method in SecurityRealm which takes an Authentication object
          3) Let it be up to the SecurityRealm implementation if createCliAuthenticator will consider the Authentication object when creating the CliAuthenticator
          4) Only the LegacySecurityRealm (currently at least) will override createCliAuthenticator(CLICommand command, Authentication auth) and use the Authentication object passed in for the creation of its CliAuthenticator. No other SecurityRealms will be affected by these changes.
          5) Update GroovyshCommand to include updates that appear to have been missed in JENKINS-3796 along with changes relative to this ticket.
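
A simplified model of the design described in the comment above, added here as an example and not taken from the Hudson source or the attached diff. Class and method names follow the comment; the method bodies, `OtherRealm`, `runAs` and the `ANONYMOUS` constant are assumptions made for illustration.

```java
import java.util.Objects;

// Simplified model, not Hudson source: names follow the issue comment, bodies are assumed.
public class CliContainerAuthSketch {
    /** Stand-in for the Authentication object: only a principal name in this model. */
    static final class Authentication {
        final String name;
        Authentication(String name) { this.name = Objects.requireNonNull(name); }
    }
    static final Authentication ANONYMOUS = new Authentication("anonymous"); // assumed constant

    interface CliAuthenticator { Authentication authenticate(); }
    static final class CLICommand { }

    static abstract class SecurityRealm {
        /** Extension point from JENKINS-3796: the realm authenticates the CLI user itself. */
        CliAuthenticator createCliAuthenticator(CLICommand command) {
            return () -> ANONYMOUS; // no CLI credentials are supplied in this model
        }
        /** Overload from the proposal: by default the transport identity is ignored. */
        CliAuthenticator createCliAuthenticator(CLICommand command, Authentication auth) {
            return createCliAuthenticator(command);
        }
    }

    /** Container-managed auth: the servlet container already authenticated the request. */
    static final class LegacySecurityRealm extends SecurityRealm {
        @Override
        CliAuthenticator createCliAuthenticator(CLICommand command, Authentication auth) {
            // Use only the identity the server took from the container-authenticated
            // request; fall back to anonymous when none was established.
            return () -> auth != null ? auth : ANONYMOUS;
        }
    }
    static final class OtherRealm extends SecurityRealm { } // hypothetical non-container realm

    /** CliManagerImpl's role in this model: hand the transport identity to the realm. */
    static String runAs(SecurityRealm realm, Authentication transportAuth) {
        return realm.createCliAuthenticator(new CLICommand(), transportAuth).authenticate().name;
    }

    public static void main(String[] args) {
        Authentication alice = new Authentication("alice"); // constructed sample principal
        System.out.println(runAs(new LegacySecurityRealm(), alice)); // container identity kept
        System.out.println(runAs(new LegacySecurityRealm(), null));  // nothing established
        System.out.println(runAs(new OtherRealm(), alice));          // realm ignores transport auth
    }
}
```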

          jpederzolli jpederzolli added a comment -

          proposed changes

          jpederzolli jpederzolli made changes -
          Attachment cli_auth_updates.diff [ 19443 ]
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: jpederzolli
          Path:
          trunk/hudson/main/core/src/main/java/hudson/cli/CLICommand.java
          trunk/hudson/main/core/src/main/java/hudson/cli/CliManagerImpl.java
          trunk/hudson/main/core/src/main/java/hudson/cli/GroovyshCommand.java
          trunk/hudson/main/core/src/main/java/hudson/cli/declarative/CLIRegisterer.java
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/security/LegacySecurityRealm.java
          trunk/hudson/main/core/src/main/java/hudson/security/SecurityRealm.java
          trunk/hudson/main/test/src/test/java/hudson/model/listeners/ItemListenerTest.java
          http://jenkins-ci.org/commit/31878
          Log:
          Issue: JENKINS-6587

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: jpederzolli
          Path:
          trunk/www/changelog.html
          http://jenkins-ci.org/commit/31879
          Log:
          Issue: JENKINS-6587

          jpederzolli jpederzolli made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s current [ 10162 ]
          Resolution Fixed [ 1 ]
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/cli/CLICommand.java
          trunk/hudson/main/core/src/main/java/hudson/cli/CliManagerImpl.java
          trunk/hudson/main/core/src/main/java/hudson/cli/GroovyshCommand.java
          trunk/hudson/main/core/src/main/java/hudson/cli/declarative/CLIRegisterer.java
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/security/CliAuthenticator.java
          trunk/hudson/main/core/src/main/java/hudson/security/LegacySecurityRealm.java
          trunk/hudson/main/core/src/main/java/hudson/security/SecurityRealm.java
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/Channel.java
          trunk/hudson/main/remoting/src/main/java/hudson/remoting/ChannelProperty.java
          trunk/hudson/main/test/src/test/java/hudson/model/listeners/ItemListenerTest.java
          http://jenkins-ci.org/commit/31900
          Log:
          JENKINS-6587 rolling back rev.31878. I think a better fix, given the current existing code and method signatures, is to expose the transport level authentication in a bit more implicit way.

          kohsuke Kohsuke Kawaguchi added a comment - - edited

          Just to be clear, my commit in rev.31900 includes the change I outlined. Come to think of it, I should have committed them as two separate commits.

          abayer Andrew Bayer made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 136682 ] JNJira + In-Review [ 204169 ]

            People

            • Assignee:
              jpederzolli jpederzolli
              Reporter:
              jpederzolli jpederzolli
            • Votes:
              0
              Watchers:
              2