[2.0] feedback on setup wizard
Kohsuke Kawaguchi
The new security setup wizard in alpha-3 requies that the new user provides a security token that's printed to console to proceed, but knowing where it goes really isn't easy. You see some beginning of it in this Wiki page, but this is still far from complete.
For example, on Windows %JENKINS_HOME% is something the user can override during the setup, which I think defaults to either c:\jenkins or %APPDATA%\jenkins that I can't remember. The latter location would be different depending on Windows versions. And if you are a kind of guy who just clicks Next, Next, and Next, you probably don't know where it is.
On OS X, we support two ways of installing it, and they put things to different locations. I don't know exactly where so I couldn't add it to the page.
Then there's a whole can of worm about running Jenkins on a servlet container, which can do any number of things depending on how you installed the said servlet container.
I think this is too much hassle, especially given that I cannot think of any other tools that do this much. For example, Atlassian tools show the setup wizard to anyone accessing it.
I suggest we consider alternative ways of authenticating the user:
- Create a random file name under $JENKINS_HOME and ask the user to touch that file by showing the path.
- Instead of printing it out to stdout, create a file under $JENKINS_HOME and ask the user to paste in its content.
Both of these remove any ambiguity and sufficiently authenticate the user.
Daniel raised that this approach reveals the location of $JENKINS_HOME but I don't consider that a vulnerability by itself. This only happens briefly during the setup anyway.
During the setup wizard, Jenkins asks if I want to create an admin user or skip it. When I choose skip, it'll still create an admin user anyway.
This is unintuitive. The expectation with the 'Skip' label is that I'm NOT creating an admin user. There are legitimate reasons to do this - for example if I'm setting up Jenkins with a real security realm like LDAP, I really do not want the admin user.
The problem is further made worse by the fact that this default admin user has the security token as the password, which you can never recover if you haven't written it down.
I think we are going too far here. We make it very obvious and natural for people to create an admin user, and 'Skip' is very under-emphasized already. This should be sufficient. It shouldn't get in the way of people who know what they are doing, just like we let people not install any recommended plugins.
If we insist on forcing people to create an admin user just to install LDAP plugin & throw that user away, then I'd rather not have the "Skip" button. As a reference, Atlassian tools for example doesn't let you skip creating admin user. You always have to create one.
Daniel Beck
On 16.03.2016, at 18:54, Kohsuke Kawaguchi <k...@kohsuke.org> wrote:
> https://issues.jenkins-ci.org/browse/JENKINS-33599
> …
> • Instead of printing it out to stdout, create a file under $JENKINS_HOME and ask the user to paste in its content.
This is my favored approach and probably the easiest one for production instances, as opposed to dev/test instances, for which the log content is easier to retrieve.
---
> https://issues.jenkins-ci.org/browse/JENKINS-33601
> …
> The problem is further made worse by the fact that this default admin user has the security token as the password, which you can never recover if you haven't written it down.
> I think we are going too far here. We make it very obvious and natural for people to create an admin user, and 'Skip' is very under-emphasized already. This should be sufficient. It shouldn't get in the way of people who know what they are doing, just like we let people not install any recommended plugins.
> If we insist on forcing people to create an admin user just to install LDAP plugin & throw that user away, then I'd rather not have the "Skip" button. As a reference, Atlassian tools for example doesn't let you skip creating admin user. You always have to create one.