New SSO plugin for Jenkins on Windows, based on KerberosSSO, using Waffle...


Bryson Gibbons

Nov 14, 2014, 12:44:24 AM
to jenkin...@googlegroups.com
Story: Where I work, the Jenkins server uses the Active Directory plugin for authentication. I was tired of having to log back in every 10 minutes (if I went to do something else), so I started looking for a Single Sign On solution. I tried the KerberosSSO before seeing the fine print that they have not gotten it working on Windows yet. I tried for a bit, and was never successful. In looking for other possibilities, I found Waffle (https://github.com/dblock/waffle), and decided to see if I could do some code modification to the KerberosSSO plugin to make it use Waffle instead of the Java GSSPI. It turned out that the Waffle code already had a filter, so I copied the code entry side to the KerberosSSO plugin to a separate plugin, since configuration was also very different.

What I have: A working single sign on plugin that will authenticate against Active Directory (when running on Windows) with minimal configuration. The way it ties into Jenkins is identical to how the KerberosSSO plugin ties in.
-Waffle is Windows ONLY. It does not work on Linux.
-Necessary configuration is to make sure that appropriate HTTP/computer.domain.com SPNs exist on Active Directory, and that Jenkins is running as a service with user Local System.
-It uses a modified NegotiateSecurityFilter from Waffle - the modifications were to pass the authentication information to Jenkins.

In terms of testing, it works with Firefox, Internet Explorer, and Chrome on Windows, and with Safari and Chrome on Mac OS X. I don't have access to a Linux system (with a GUI) at work.

The question I have: Where does this belong?
- Should it be put into the KerberosSSO plugin for a Windows-specific configuration?
- Should this be tied into the Windows-only configuration available with the Active Directory plugin?
- Should it be a new, separate plugin?

I don't care which way it goes, I just think it should be made publicly available. I'm not going to make the code publicly available in the short run, unless there's some agreement that it should be a separate plugin.
Also, since the KerberosSSO plugin is MIT licensed and Waffle is EPLv1.0, and I did copy some code from Waffle, I am assuming that any release of my modified source code would need to be under the EPL license.

Robert Sandell

Nov 14, 2014, 5:23:27 AM
to jenkin...@googlegroups.com
It would have been nice to see this incorporated into the Kerberos SSO plugin, but as you say, <IANAL> the derivative works clause seems to "prevent" that as you've copied and changed some code from Waffle.
It would be the same issue for the Active Directory Plugin.
I've seen some projects where the majority of the code base has been MIT and a few files mixed in as BSD, but I don't know how legit that is.

So I guess a new "waffle-kerberos-sso-plugin" or similar is the least worst solution, and just send some kudos to the kerberos-sso plugin in the readme or something.
</IANAL>

/B

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Robert Sandell
Software Engineer
CloudBees Inc.

Bryson Gibbons

Nov 15, 2014, 4:09:18 PM
to jenkin...@googlegroups.com
A few ideas that I haven't been able to fully look into:
If I can implement an "IAuthWindowsProvider" that provides the necessary functionality (tying into an existing security realm), could that allow this to be released under the MIT license, provided I do not just copy the provided implementation and add the necessary code (since the EPL license allows distribution of the program, if it is not distributed in source code format)? My understanding of that clause is that as long as I am only using the "binary", and have not copied code from Waffle, it can be released under a license other than the EPL.

Also, I do wonder if this might be better situated (outside of the licensing issues) as part of the Active Directory plugin, since it already has a configuration that is only usable on Windows, with an alternate configuration allowing it to be used on Linux. There are also active Jira tickets concerning the desire to allow single sign on with the Active Directory plugin.

Anyway, I would like to get rid of the copy of the class from Waffle, since the changes I made involved adding a function to trigger the Jenkins authentication, as well as modifying the logging calls since Waffle uses a different logger. I would prefer to have a more abstract implementation that will be easier to maintain and extend, rather than what I currently have. Waffle is also designed to do full authentication by itself, so it may be better if I changed the implementation to be a security plugin (and that may remove all licensing issues, if I could have Waffle function as the security provider... but I don't even know where to start).

Bryson Gibbons

Nov 24, 2014, 1:41:44 AM
to jenkin...@googlegroups.com
Well, I found one possible way around the licensing issues: if I extend the Windows authentication implementation that Waffle uses with the NegotiateSecurityFilter, I can override the necessary functions so that they call the original function, and then call an additional function to provide authentication information to Jenkins. I can set the NegotiateSecurityFilter to use the extended class. Also, I extended the NegotiateSecurityFilter class specifically to call the advertiseHeaders function, but I don't know if that is really necessary.

Besides that, I am trying to figure out the process in the groovy file to show a select box to the user in the configuration, since there are two configurable properties that deal with how the user information is handled in Waffle. I just haven't figured out how to have the groovy script look in the right spot for the "doFillxyzItems()" function, or where the function is supposed to be to be discovered.

On a quick side note, I wonder if this might be part of the problem with using Kerberos SSO plugin on Windows.

Thank you for any help,

Bryson
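The approach described in this message (extend Waffle's Windows authentication provider, let the original method run, then hand the result to Jenkins, and point NegotiateSecurityFilter at the extended class), written out as an added example. This is not Bryson's NegotiateSSO code and not Waffle's or Jenkins' own; the class names JenkinsBindingAuthProvider and JenkinsNegotiateFilter and the stripDomain helper are assumptions, while the Waffle (WindowsAuthProviderImpl, IWindowsSecurityContext, IWindowsIdentity, NegotiateSecurityFilter.setAuth) and Jenkins/Acegi calls are the public APIs of those projects as they stood in 2014. The identity is only bound once the SSPI handshake has finished, Guest identities are refused, and the configured security realm stays the source of truth for authorities.

```java
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;

import hudson.security.SecurityRealm;
import jenkins.model.Jenkins;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UsernameNotFoundException;

import waffle.servlet.NegotiateSecurityFilter;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

/**
 * Hypothetical provider: runs Waffle's real SSPI exchange unchanged and, once the
 * Negotiate handshake has completed, maps the Windows identity onto Jenkins.
 */
public class JenkinsBindingAuthProvider extends WindowsAuthProviderImpl {

    @Override
    public IWindowsSecurityContext acceptSecurityToken(String connectionId, byte[] token,
                                                       String securityPackage) {
        // 1. Let Waffle do the actual work (AcceptSecurityContext against the LSA).
        IWindowsSecurityContext ctx = super.acceptSecurityToken(connectionId, token, securityPackage);
        // 2. Only a finished handshake carries an identity; an intermediate leg
        //    (isContinue() == true) still needs another round trip with the browser.
        if (ctx != null && !ctx.isContinue()) {
            bindToJenkins(ctx.getIdentity());
        }
        return ctx;
    }

    /** Returns true when the identity was bound to the current Jenkins request. */
    static boolean bindToJenkins(IWindowsIdentity identity) {
        if (identity == null || identity.isGuest()) {
            // Never let Waffle's anonymous/Guest mapping turn into a Jenkins login.
            return false;
        }
        String username = stripDomain(identity.getFqn());   // "DOMAIN\user" -> "user"
        SecurityRealm realm = Jenkins.getInstance().getSecurityRealm();
        try {
            // The realm (e.g. the Active Directory plugin) decides group membership;
            // the SSO layer only asserts who the caller is.
            UserDetails details = realm.loadUserByUsername(username);
            Authentication auth = new UsernamePasswordAuthenticationToken(
                    details.getUsername(), "", details.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);
            return true;
        } catch (UsernameNotFoundException e) {
            // A valid Windows account the realm does not know: stay anonymous.
            return false;
        }
    }

    /** Assumed mapping from Waffle's fqn form to the realm's user name. */
    static String stripDomain(String fqn) {
        int backslash = fqn.lastIndexOf('\\');
        return backslash >= 0 ? fqn.substring(backslash + 1) : fqn;
    }
}

/** Filter subclass that installs the provider above; registered like Waffle's own filter. */
class JenkinsNegotiateFilter extends NegotiateSecurityFilter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // setAuth() must run before super.init(): init() builds the security
        // filter providers around whatever provider is set at that moment.
        setAuth(new JenkinsBindingAuthProvider());
        super.init(filterConfig);
    }
}
```

Two points worth checking in a deployment: Waffle's filter accepts Guest logons unless its allowGuestLogin init parameter is set to false, so keep both that parameter and the isGuest() guard above; and the bound Authentication is only as trustworthy as the SPN setup the first message describes, since a missing HTTP/host SPN makes browsers fall back to NTLM rather than Kerberos.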

Robert Sandell

Nov 24, 2014, 4:53:29 AM
to jenkin...@googlegroups.com
We needed to do advertise headers in order for CLI to work.

doFillxyzItems should be declared in the descriptor and replace xyz with the name of the field, the f:select tag takes care of the data binding.


Bryson Gibbons

Nov 25, 2014, 12:57:47 AM
to jenkin...@googlegroups.com
Are there any good examples of a main class extending Plugin and having a descriptor that works that you can refer me to? I have tried looking, and haven't seen anything yet; I've tried what I can think of based on what I have been able to see, and all I ever get when trying to load the configuration page is "java.lang.IllegalStateException: class jenkins.model.GlobalPluginConfiguration doesn't have the doFillPrincipalFormatItems method for filling a drop-down list", the same thing I was getting when I didn't have any sort of Descriptor.
What I currently have:
import hudson.Plugin;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.util.ListBoxModel;

public class PluginImpl extends Plugin implements Describable<PluginImpl> {
  // ... all other necessary functions ...

  @Override
  public final Descriptor<PluginImpl> getDescriptor() {
    return descriptor;
  }

  private static final PluginImplDescriptor descriptor = new PluginImplDescriptor();

  public static final class PluginImplDescriptor extends Descriptor<PluginImpl> {
    public PluginImplDescriptor() {
      // Pass the described class explicitly; Descriptor.self() is the marker for
      // a descriptor that describes itself, not for a Descriptor<PluginImpl>.
      super(PluginImpl.class);
    }

    @Override
    public String getDisplayName() {
      return "";
    }

    // Expected to be found by <f:select/> for a field named "pluginImplFieldName".
    public ListBoxModel doFillPluginImplFieldNameItems() {
      return new ListBoxModel(/* contents... */);
    }
  }
}
Thank you again,
Bryson

Robert Sandell

Nov 25, 2014, 6:50:36 AM
to jenkin...@googlegroups.com
Extending Plugin is a bit legacy; try implementing a GlobalConfiguration instead (http://javadoc.jenkins-ci.org/jenkins/model/GlobalConfiguration.html), maybe that could work.

/B
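Robert's two suggestions combined (a GlobalConfiguration instead of a Plugin subclass, with doFill<Field>Items() declared on that descriptor so <f:select/> can bind to it), as an added example that is not the NegotiateSSO plugin's code. The class name NegotiateSsoConfiguration, the field names and the option lists are assumptions; the option values are modelled on Waffle's fqn/sid/both/none principal formats mentioned earlier in the thread. The doFillPrincipalFormatItems name is the one from the exception in the previous message.

```java
import java.util.Arrays;

import hudson.Extension;
import hudson.model.Descriptor.FormException;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

/**
 * Hypothetical global configuration for a Waffle-based SSO plugin.
 * Jenkins discovers it through @Extension, renders the config.jelly that sits
 * next to this class on "Configure System", and resolves doFill<Field>Items()
 * on this descriptor, which is what <f:select/> calls to populate itself.
 */
@Extension
public class NegotiateSsoConfiguration extends GlobalConfiguration {

    // Fixed option lists (assumed values): the form can only persist a value the
    // plugin understands, whatever a hand-crafted POST sends.
    static final String[] PRINCIPAL_FORMATS = { "fqn", "sid", "both" };
    static final String[] ROLE_FORMATS = { "fqn", "sid", "both", "none" };

    private String principalFormat = "fqn";
    private String roleFormat = "fqn";
    private boolean allowGuestLogin = false;   // Waffle defaults this to true; keep it off

    public NegotiateSsoConfiguration() {
        load();   // restore previously saved values from $JENKINS_HOME/<class name>.xml
    }

    /** Accessor for the filter code that needs the current settings. */
    public static NegotiateSsoConfiguration get() {
        return GlobalConfiguration.all().get(NegotiateSsoConfiguration.class);
    }

    // Resolved by <f:entry field="principalFormat"><f:select/></f:entry>.
    public ListBoxModel doFillPrincipalFormatItems() {
        return options(PRINCIPAL_FORMATS, principalFormat);
    }

    // Resolved by <f:entry field="roleFormat"><f:select/></f:entry>.
    public ListBoxModel doFillRoleFormatItems() {
        return options(ROLE_FORMATS, roleFormat);
    }

    private static ListBoxModel options(String[] values, String selected) {
        ListBoxModel model = new ListBoxModel();
        for (String v : values) {
            model.add(new ListBoxModel.Option(v, v, v.equals(selected)));
        }
        return model;
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        String pf = json.getString("principalFormat");
        String rf = json.getString("roleFormat");
        // Server-side validation: the select box constrains the browser, not a
        // hand-crafted request, so re-check against the advertised lists.
        if (!Arrays.asList(PRINCIPAL_FORMATS).contains(pf)) {
            throw new FormException("Unknown principal format: " + pf, "principalFormat");
        }
        if (!Arrays.asList(ROLE_FORMATS).contains(rf)) {
            throw new FormException("Unknown role format: " + rf, "roleFormat");
        }
        principalFormat = pf;
        roleFormat = rf;
        allowGuestLogin = json.optBoolean("allowGuestLogin", false);
        save();
        return true;
    }

    public String getPrincipalFormat() { return principalFormat; }
    public String getRoleFormat() { return roleFormat; }
    public boolean isAllowGuestLogin() { return allowGuestLogin; }
}
```

The matching config.jelly (placed beside the class in src/main/resources, with xmlns:f="/lib/form") needs nothing beyond `<f:section title="Negotiate SSO">`, one `<f:entry title="Principal format" field="principalFormat"><f:select/></f:entry>`, the same for roleFormat, and `<f:entry field="allowGuestLogin"><f:checkbox/></f:entry>`. Because the page's "it" object is this GlobalConfiguration rather than GlobalPluginConfiguration, the doFill lookup that failed in the previous message lands on the right descriptor.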



Daniel Doubrovkine

Feb 8, 2015, 7:04:35 PM
to jenkin...@googlegroups.com
Jumping on this thread, I am the owner and author of Waffle (for the most part).

Please disregard EPL as a limitation to what the best code or packaging is. If we need to replace the EPL license with MIT for the next release I'll be happy to do it.



Bryson Gibbons

Feb 10, 2015, 1:17:49 AM
to jenkin...@googlegroups.com
Well, hoping this will be seen, and to avoid an extra thread in the developer lists, I would like to request a repository among the Jenkins community repositories.

Plugin name: NegotiateSSO
GitHub ID: FarmGeek4Life
Code is only local to my computer, no repository to fork.

If I don't get a response in a few days, I'll make a separate thread requesting hosting.

Bryson Gibbons

Bryson Gibbons

Jul 19, 2015, 2:07:29 AM
to jenkin...@googlegroups.com
Well, I have the code posted to GitHub; I think there would be the possibility of incorporating it into KerberosSSO; however, the problem is the distinct configuration differences between spnego and waffle, and the workarounds I have been able to add.

I still need to put more work into the documentation.