[JIRA] (JENKINS-59107) User logged out after successful configuration of "Run as Specific User" (as of Jenkins 2.150.2)


rene.scheibe@gmail.com (JIRA)

Aug 27, 2019, 3:36:02 PM
to jenkinsc...@googlegroups.com
René Scheibe created an issue
 
Jenkins / Bug JENKINS-59107
User logged out after successful configuration of "Run as Specific User" (as of Jenkins 2.150.2)
Issue Type: Bug
Assignee: Unassigned
Components: authorize-project-plugin
Created: 2019-08-27 19:35
Environment: Jenkins >=2.150.2, authorize-project-plugin v1.3.0
Priority: Minor
Reporter: René Scheibe

Actual behaviour

As user "A", when configuring authorization using the "Run as Specific User" strategy to run a job as user "B", after successful authentication with the password of user "B", user "A" is logged out.

Expected behaviour

User "A" is still logged in.

Root Cause Analysis

This issue is present starting with Jenkins 2.150.2 which implemented new security measures for user sessions (see changelog https://jenkins.io/changelog-stable/#v2.150.2). It seems that the below call from here invalidates the current user session:

// authorize-project-plugin: verify user B's password through the realm's Spring Security AuthenticationManager
Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
    new UsernamePasswordAuthenticationToken(userId, password)
);
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

rene.scheibe@gmail.com (JIRA)

Aug 27, 2019, 3:37:02 PM
to jenkinsc...@googlegroups.com

devld@ikedam.jp (JIRA)

Aug 31, 2019, 9:18:01 PM
to jenkinsc...@googlegroups.com
ikedam commented on Bug JENKINS-59107

Actually, I don't have any idea for this.

This might be a bug in Jenkins core, as setting the session seed of user B on user A doesn't look like appropriate behavior.
On the other hand, Jenkins core doesn't expect "authenticate" to be used by other users.

devld@ikedam.jp (JIRA)

Aug 31, 2019, 9:21:02 PM
to jenkinsc...@googlegroups.com
ikedam assigned an issue to Wadeck Follonier
 

Wadeck Follonier Would you have a look at this issue?
(I mention you as you look like the author of the fix for SECURITY-901)

I want your comment about this:


> This might be a bug in Jenkins core, as setting the session seed of user B on user A doesn't look like appropriate behavior.

Change By: ikedam
Component/s: core
Assignee: Wadeck Follonier

wfollonier@cloudbees.com (JIRA)

Sep 6, 2019, 8:20:02 AM
to jenkinsc...@googlegroups.com

msicker@cloudbees.com (JIRA)

Dec 10, 2019, 3:50:02 PM
to jenkinsc...@googlegroups.com

I've isolated this problem to the code in UserSeedSecurityListener.authenticated(), which will overwrite the current session's user seed with the authorized user's seed instead. This seed is not restored after the build completes (or ever), so essentially you end up with the authorized user's session, which doesn't work.

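The mechanism described in the report's root-cause section and in the comment above (an authenticate() call on the shared manager fires a listener that copies user B's seed into user A's session, after which A's session no longer validates) can be modelled in a few dozen lines. The code below is a constructed illustration added here; it is not Jenkins core, Spring Security, or authorize-project-plugin code, and the names SessionSeedDemo, onAuthenticated, sessionValid and the in-memory USER_SEEDS/PASSWORDS maps are my own. The "restoring" variant is only one possible way to keep a credential check side-effect free; the fix actually released in Jenkins 2.210 is not quoted on this page.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/*
 * Constructed model of the per-user "session seed" that Jenkins 2.150.2 introduced
 * (SECURITY-901): each session carries a copy of its user's seed, and a request is
 * rejected once that copy no longer matches the user's current seed. Illustration only,
 * not Jenkins core or plugin code.
 */
public class SessionSeedDemo {

    /** Current seed per user id (constructed in-memory store, not Jenkins' User storage). */
    private static final Map<String, String> USER_SEEDS = new HashMap<>();
    /** Plain-text passwords; acceptable only because this is a throwaway model. */
    private static final Map<String, String> PASSWORDS = new HashMap<>();

    /** A minimal HTTP session: the logged-in principal and the seed copied in at login. */
    static final class Session {
        String userId;
        String seed;
    }

    /** Returns the user's current seed, creating one on first use. */
    static String seedOf(String userId) {
        return USER_SEEDS.computeIfAbsent(userId, u -> UUID.randomUUID().toString());
    }

    /** Plays the role of the session-seed listener: on any successful authentication it
     *  writes the authenticated user's seed into the *current* session, whoever owns it. */
    static void onAuthenticated(Session current, String authenticatedUser) {
        current.seed = seedOf(authenticatedUser);
    }

    /** Plays the role of the AuthenticationManager: checks the password and, on success,
     *  notifies the listener (the side effect the issue is about). */
    static boolean authenticate(Session current, String userId, String password) {
        if (!password.equals(PASSWORDS.get(userId))) {
            return false;
        }
        onAuthenticated(current, userId);
        return true;
    }

    /** Interactive login: the principal changes together with the seed, so this is fine. */
    static Session login(String userId, String password) {
        Session s = new Session();
        if (authenticate(s, userId, password)) {
            s.userId = userId;
        }
        return s;
    }

    /** Plays the role of the per-request seed check: the session is usable only while its
     *  seed copy still equals the principal's current seed. */
    static boolean sessionValid(Session s) {
        return s.userId != null && s.seed != null && s.seed.equals(seedOf(s.userId));
    }

    /** Password check as the issue describes it: it goes through the manager, so the listener
     *  overwrites user A's session seed with user B's and A's session stops validating. */
    static boolean verifyPasswordBuggy(Session current, String runAsUser, String password) {
        return authenticate(current, runAsUser, password);
    }

    /** One way to keep the check free of side effects (an assumption, not the shipped fix):
     *  snapshot the caller's seed and put it back once the credential check is done. */
    static boolean verifyPasswordRestoring(Session current, String runAsUser, String password) {
        String callerSeed = current.seed;
        try {
            return authenticate(current, runAsUser, password);
        } finally {
            current.seed = callerSeed;
        }
    }

    public static void main(String[] args) {
        PASSWORDS.put("A", "pw-a");
        PASSWORDS.put("B", "pw-b");

        Session a = login("A", "pw-a");
        System.out.println("A logged in, session valid: " + sessionValid(a));

        // User A configures "Run as Specific User" = B and supplies B's password.
        verifyPasswordBuggy(a, "B", "pw-b");
        System.out.println("after buggy check, A still valid: " + sessionValid(a));

        a = login("A", "pw-a");
        verifyPasswordRestoring(a, "B", "pw-b");
        System.out.println("after restoring check, A still valid: " + sessionValid(a));
    }
}
```

Running main shows A's session valid after login, invalid after the buggy check (which is exactly the "user A is logged out" symptom: the next request fails the seed comparison), and valid again when the seed is restored around the check. The design point is that a credential check performed on behalf of another user must not be routed through the same code path as an interactive login, because the listeners attached to that path assume the authenticated user owns the current session.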

msicker@cloudbees.com (JIRA)

Dec 13, 2019, 11:07:16 AM
to jenkinsc...@googlegroups.com
Matt Sicker started work on Bug JENKINS-59107
 
Change By: Matt Sicker
Status: Open -> In Progress

msicker@cloudbees.com (JIRA)

Dec 13, 2019, 12:13:03 PM
to jenkinsc...@googlegroups.com

wfollonier@cloudbees.com (JIRA)

Dec 16, 2019, 2:20:02 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier commented on Bug JENKINS-59107
 
Re: User logged out after successful configuration of "Run as Specific User" (as of Jenkins 2.150.2)

Important point to mention in the description: to trigger the "password" field to appear, you need to lack admin permission as user A. I installed matrix-auth to achieve that easily.

msicker@cloudbees.com (JIRA)

Dec 16, 2019, 12:32:04 PM
to jenkinsc...@googlegroups.com

Ah, that explains some test failures I came across at one point when testing out different combinations of versions.

o.v.nenashev@gmail.com (JIRA)

Dec 22, 2019, 6:43:04 PM
to jenkinsc...@googlegroups.com
Oleg Nenashev updated Bug JENKINS-59107
 

Released in Jenkins 2.210, will mark as LTS candidate

Change By: Oleg Nenashev
Status: In Review -> Resolved
Resolution: Fixed
Released As: Jenkins 2.210

o.v.nenashev@gmail.com (JIRA)

Dec 22, 2019, 6:43:05 PM
to jenkinsc...@googlegroups.com

ogondza@gmail.com (JIRA)

Jan 13, 2020, 1:48:03 PM
to jenkinsc...@googlegroups.com