Propagate JAAS Subject from Core Jenkins to Custom step plugin

Guillaume Delory

May 26, 2015, 8:24:19 AM
to jenkin...@googlegroups.com
Hi everyone,

I'm running Jenkins in WebSphere 8.5 to manage authentication. It works fine and I can get the JAAS Subject in the Script Console by doing:
println com.ibm.websphere.security.auth.WSSubject.getCallerSubject()

I also wrote a plugin that adds a simple custom step (extending the Builder class). I would like to use this plugin to contact some application also running in WAS. To do this I need to get the caller Subject as I did in the console. However, the code above in the perform method returns null. I guess Jenkins runs the step in a different thread without pushing the JAAS Subject.

Is there any way (by configuration or programmatically) to force Jenkins to push the Subject to the build step so I can use it? Or maybe a different way to get the caller Subject from the plugin?

Thank you very much for your help.

Stephen Connolly

May 27, 2015, 3:25:02 AM
to jenkin...@googlegroups.com
You may want to look at the (very un-obvious named) Authorize Project plugin.

That lets projects build with the identity of the user that triggered the build.

It's not going to get you all you want, but should get you closer. You'll probably need to write an authorization strategy to capture the JAAS subject and store it as a UserProperty


--
Sent from my phone

Guillaume Delory

May 27, 2015, 10:18:14 AM
to jenkin...@googlegroups.com
Hi,

Thank you very much for your help Stephen. It's been really helpful. I looked at the plugin and this is how they capture the current user and authenticate him:

// Resolve the Jenkins user who triggered the build (walking up through upstream causes)
Cause.UserIdCause cause = getRootUserIdCause(item);
if (cause != null) {
  // Look the user up without creating one if the id is unknown
  User u = User.get(cause.getUserId(), false, Collections.emptyMap());
  if (u == null) {
    return Jenkins.ANONYMOUS;   // triggering user no longer exists
  }
  return u.impersonate();       // Jenkins-side Authentication for that user
}
return null;                    // not triggered by a user (timer, SCM poll, ...)

Then impersonate the user who started the build. That returns a org.acegisecurity.Authentication. It is progress.

It gives me the Jenkins user. But the problem is I don't think it is the Web container user, or even related to it. (That would mean a Jenkins admin could impersonate any user from the Realm and contact any other application, which doesn't make any sense).

My next question is:
  • Do you think there is any way to get the Web Container user (Subject), knowing that it looks like the thread doesn't get the authentication (com.ibm.websphere.security.auth.WSSubject.getCallerSubject() returns null)
  • Or do you think it is possible to convert the Jenkins Authentication to a Web Container Subject. I did create a Subject from the Jenkins Authentication (which is a Principal) but of course it didn't work since it is not related to the Web Container authentication and I had access forbidden. I doubt it because Jenkins can impersonate anyone, and maybe it will work only for the current user...
I don't really know where to look next.

Thank you very much.



Guillaume Delory

May 27, 2015, 10:48:50 AM
to jenkin...@googlegroups.com
Actually, after thinking a bit more about that, I guess that the user is authenticated only when he starts the job and adds it to the queue. Then the executor will take care of it, but the user has nothing to do with it. So it makes sense that there is no Subject associated with it.

If I'm right, the only option would be to intercept the build creation and somehow store the Subject somewhere if it's available, to make it available for the actual build done by the Jenkins user. I have no idea if it's possible.

Any thoughts?

Thank you :)

domi

May 27, 2015, 11:19:51 AM
to Jenkins Developers
This is actually a subject a couple of users wanted to come up with, but in the end I think all discarded the idea…
If you still want to do this, then you also have to think about scheduled jobs; these are triggered by no user interaction, so which JAAS subject would you use in these cases?
/Domi
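One way to build what Guillaume sketches above (capture the container Subject at scheduling time, hand it to the build) while answering Domi's scheduled-job objection by failing closed. This is an added example, not code from the thread, the Authorize Project plugin, or any Jenkins plugin; it assumes Jenkins core's Queue.QueueDecisionHandler runs on the same request thread that scheduled the build, that WSSubject.getCallerSubject() and WSSubject.doAs(Subject, PrivilegedAction) are available from the WebSphere API jar, and that the package name, class names and the callDownstreamApp() helper are hypothetical. In a real plugin each public class lives in its own file.

```java
package example.wsjenkins;  // hypothetical package

import java.security.PrivilegedAction;
import java.util.List;
import javax.security.auth.Subject;

import com.ibm.websphere.security.auth.WSSubject;   // WebSphere API, assumed on the classpath
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.Action;
import hudson.model.BuildListener;
import hudson.model.InvisibleAction;
import hudson.model.Queue;
import hudson.tasks.Builder;

/** Carries the container Subject captured when a user scheduled the build. */
public final class CallerSubjectAction extends InvisibleAction {
    // transient: the Subject holds WebSphere credentials and must never be
    // written to build.xml. After a Jenkins restart it reloads as null.
    private final transient Subject subject;

    public CallerSubjectAction(Subject subject) { this.subject = subject; }
    public Subject getSubject() { return subject; }
}

/** Runs on the HTTP request thread that schedules the build, where the caller Subject is still set. */
@Extension
public class CallerSubjectCapture extends Queue.QueueDecisionHandler {
    @Override
    public boolean shouldSchedule(Queue.Task task, List<Action> actions) {
        Subject caller = null;
        try {
            caller = WSSubject.getCallerSubject();   // null when no container user is on this thread
        } catch (Exception e) {                      // WSSecurityException: treat as "no caller"
            caller = null;
        }
        if (caller != null) {
            // Timer/SCM-triggered builds never reach here with a Subject: nothing is attached.
            actions.add(new CallerSubjectAction(caller));
        }
        return true;   // the capture must never block scheduling
    }
}

/** Custom step that calls the downstream WAS application as the user who triggered the build. */
public class CallAsUserStep extends Builder {
    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        CallerSubjectAction a = build.getAction(CallerSubjectAction.class);
        if (a == null || a.getSubject() == null) {
            // Scheduled build, or a build that lost its Subject across a restart: fail closed
            // rather than silently calling as the Jenkins server identity.
            listener.error("No caller Subject attached to this build; refusing to call downstream app");
            return false;
        }
        // WSSubject.doAs (not javax.security.auth.Subject.doAs) so WebSphere propagates the
        // identity on outbound EJB/web service calls. Assumed signature: doAs(Subject, PrivilegedAction).
        Object result = WSSubject.doAs(a.getSubject(), new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() { return callDownstreamApp(); }
        });
        return Boolean.TRUE.equals(result);
    }

    /** Hypothetical placeholder for the real call into the other WAS application. */
    private boolean callDownstreamApp() { return true; }
}
```

Two caveats worth stating. The Subject captured at scheduling time is the one that executes, so the build only ever runs as the human who clicked Build; a Jenkins admin cannot mint a Subject for someone else, which addresses the impersonation concern raised earlier in the thread. But a Jenkins admin can still edit the job to change what that step does with the Subject, and the credentials inside it may have expired by the time the quiet period and queue wait are over, so the downstream application must still enforce its own authorization and the step should expect authentication failures.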
