Jenkins currently does not support multiple security realms.
However, allowing both AD / LDAP logins for individuals (e.g. developers) and logins via Jenkins' own local user database for administrative roles (e.g. user maintenance team) and emergency situations (e.g. AD server out of work) should be a reasonable use case in a sizable organization.
I have searched the issue list and found the following related / similar issues, and no :
JENKINS-3404 mix LDAP and local Hudson users
JENKINS-15063 support for multiple security realms with failover
JENKINS-29162 Jenkins internal user in order to be able to log-in under an authentication failure with LDAP AD, ...

Since I have not seen any existing solution such as Jenkins API enhancement or new plugin to support multiple security realms, I want to kick start the discussion by proposing my workaround idea.
The idea is simple: create a new security realm (composite) which delegates method calls to some chosen security realms (components).
Here is the prototype:
Composite security realm plugin

For the prototype, the following assumptions are made:
1. It only supports password-based component security realms.
2. The user name collision among different security realms is avoided by using the order in the configuration as the precedence.
3. To avoid account locking because of the same user name with different passwords in different component security realms, the method SecurityRealm.loadUserByUsername(String username) should work properly instead of throwing an exception.

Please share your points of view regarding the workaround, whether it is feasible or has fatal issues.
If you have implemented a more mature private plugin for support of multiple security realms and are willing to make it open source, you may also post the link of the source code here for discussion.
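
A minimal model of the delegation and the three assumptions described in the post, added here as an example; it is not the prototype plugin's code and uses no Jenkins API. `ComponentRealm`, `MapRealm` and `login` are hypothetical names, `knowsUser` stands in for `SecurityRealm.loadUserByUsername(String username)` answering without an exception, and the users and passwords are constructed sample data.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical model of the proposal; none of these types are Jenkins APIs.
public class CompositeRealmSketch {
    /** Stand-in for a password-based component realm (assumption 1). */
    interface ComponentRealm {
        String name();
        boolean knowsUser(String username); // models a lookup that answers instead of throwing
        boolean authenticate(String username, String password);
    }

    /** Constructed in-memory realm used as sample data. */
    static final class MapRealm implements ComponentRealm {
        private final String name;
        private final Map<String, String> users;
        int attempts = 0; // in a real directory, failed attempts count toward lockout
        MapRealm(String name, Map<String, String> users) { this.name = name; this.users = users; }
        public String name() { return name; }
        public boolean knowsUser(String u) { return users.containsKey(u); }
        public boolean authenticate(String u, String p) {
            attempts++;
            return p.equals(users.get(u));
        }
    }

    /** Returns the name of the realm that authenticated the user, or empty on failure. */
    static Optional<String> login(List<ComponentRealm> ordered, String user, String password) {
        for (ComponentRealm realm : ordered) {
            if (!realm.knowsUser(user)) continue; // not this realm's user: ask the next one
            // The first realm that knows the name owns it (assumption 2). The password is
            // never replayed against later realms, so they record no failed attempt (assumption 3).
            return realm.authenticate(user, password) ? Optional.of(realm.name()) : Optional.empty();
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        MapRealm ldap = new MapRealm("ldap", Map.of("alice", "ldap-pw", "ops", "ldap-ops-pw"));
        MapRealm local = new MapRealm("local", Map.of("ops", "local-ops-pw", "admin", "admin-pw"));
        List<ComponentRealm> realms = List.of(ldap, local); // configuration order = precedence

        System.out.println(login(realms, "alice", "ldap-pw"));    // user only in the first realm
        System.out.println(login(realms, "admin", "admin-pw"));   // user only in the second realm
        System.out.println(login(realms, "ops", "local-ops-pw")); // name collision: ldap owns "ops"
        System.out.println("local attempts: " + local.attempts);  // counts only the "admin" login
    }
}
```

The colliding `ops` login is rejected by the first realm and never reaches the second, which is why the lookup has to return an answer rather than fail: a composite that simply tried every realm's password check in turn would register a failed attempt in each realm that has the same user name.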