[JIRA] [core] (JENKINS-15063) support for multiple security realms with failover

[jglick@cloudbees.com (JIRA)]

Jesse Glick updated an issue

Jenkins / JENKINS-15063 support for multiple security realms with failover Not possible without new core APIs and rework of existing security realm plugins to use them. Change By: Jesse Glick Labels: api security Add Comment

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

[josh@hoblitt.com (JIRA)]

Joshua Hoblitt commented on JENKINS-15063

Re: support for multiple security realms with failover Would it be feasible to have a special security realm plugin that functions somewhat like pam, in the sense that it could be configured to call a number of other security modules? I realize this would require modified versions of the existing security realm plugins but perhaps it would be a way forward without an incompatible core change.

Add Comment

[josh@hoblitt.com (JIRA)]

Joshua Hoblitt edited a comment on JENKINS-15063

Re: support for multiple security realms with failover

Would it be feasible to have a special security realm plugin that functions somewhat like pam, in the sense that it could be configured to call a number of other security modules?  I realize this would require modified versions of the existing security realm plugins but perhaps it would be a way forward without an  (  incompatible |any)  core change.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-15063

Re: support for multiple security realms with failover

Would it be feasible to have a special security realm plugin that functions somewhat like pam, in the sense that it could be configured to call a number of other security modules?

As noted above, not without a new API, which would best live in core, and calls to it from existing security realm plugins.

Add Comment

[lukas@familie-beumer.de (JIRA)]

Lukas Beumer commented on JENKINS-15063

Re: support for multiple security realms with failover

It's really a serious problem. As Robert Heinzmann said.

Add Comment

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

[dingo@matfyz.cz (JIRA)]

Mira Hedl commented on JENKINS-15063

Re: support for multiple security realms with failover

Indeed, this is serious problem for us as well. New API for this would be welcomed.

Add Comment

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

[turbo@bayour.com (JIRA)]

Turbo Fredriksson commented on JENKINS-15063

Re: support for multiple security realms with failover

Doing LDAP right, this is not a problem - run your LDAP slaves (more than two!) behind a load balancer (more than two!).

Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[tim@praqma.net (JIRA)]

Timothy Harris commented on JENKINS-15063

Re: support for multiple security realms with failover

You know, from what I can see this use case has been open for around ten years. See: https://issues.jenkins-ci.org/browse/JENKINS-3404. It seems to have been partially implemented by the Active directory plugin by providing a fallback user if ldap connection is broken.  Nothing has happened on ldap plugin about this issue. I love open source and am a big Jenkins fan. But this is the type of thing that is hard to defend when talking to business/operations about the benefits of open source.  It is not like this is some type of crazy wish. All Atlassian applications, like this Jira I am making this comment on, has support for multiple user directories. A built in internal user directory and support for adding others.

Add Comment

[tim@praqma.net (JIRA)]

Timothy Harris edited a comment on JENKINS-15063

Re: support for multiple security realms with failover

You know, from what I can see this use case has been open for around ten years. See: https://issues.jenkins-ci.org/browse/JENKINS-3404. It seems to have been partially implemented by the Active directory plugin by providing a fallback user if ldap

connection is broken.  Nothing has happened on ldap plugin about this issue.

I love open source and am a big Jenkins fan. But this is the type of thing that is hard to defend when talking to business/operations about the benefits of open source.

It is *not* like this is some type of crazy wish. All Atlassian applications, like this Jira I am making this comment on, has support for multiple user directories. A built in internal user directory and support for adding others.

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-15063

Re: support for multiple security realms with failover

I love open source and am a big Jenkins fan. But this is the type of thing that is hard to defend when talking to business/operations about the benefits of open source. I think this is a nice example of the benefits of open source (at least in open communities like Jenkins'): You don't need to fight through multiple tiers of support (usually after buying a license) until your request reaches a product manager who may or may not consider it important enough to actually do, and even if you're lucky, you still need to wait for work to be prioritized. You can just do it yourself, or, if lacking the necessary skills, pay someone to do this specific thing. I'd be happy to review (and eventually merge) a well thought out implementation of this. I'm sure I can also get a few other maintainers to assist with reviews and provide feedback. If this needs extensive rework in core, I recommend starting with a JEP to make sure the design is sound.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-15063

Re: support for multiple security realms with failover

This would need nontrivial changes in core in case existing SecurityRealm implementations sometimes assume they can checkcast the result of Jenkins.securityRealm, which I recall being the case. If not, in principle this could be done as a plugin defining a proxy implementation.

Add Comment

[totoiverson@hotmail.com (JIRA)]

Sharon Kwok commented on JENKINS-15063

Re: support for multiple security realms with failover

It is seriously needed for automation. Hope that Jenkins could support.

Add Comment

[tdh@nemlig.com (JIRA)]

Timothy Harris commented on JENKINS-15063

Re: support for multiple security realms with failover

Daniel Beck No reason to get your hackles up. Can I write code in Java? Yes. Do I know enough about the architecture of Jenkins to do this properly. No. Not without a lot of investment in time, which I do not have. Will my employer fund a plugin for this? No.  Where does that leave me, an advocate of Jenkins? On here hoping to highlight the need for this functionality.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-15063

Re: support for multiple security realms with failover

That is all to be expected. I would just ask that people use the Vote feature in JIRA rather than adding comments, unless the comment consists of genuinely novel suggestions. Otherwise popular issues wind up with dozens of “me too” comments.

Add Comment

[andrew.barrett1986@gmail.com (JIRA)]

Andrew Barrett commented on JENKINS-15063

Re: support for multiple security realms with failover

Can't say enough how I would like this feature. My org is possibly not going to use ldap with Jenkins because they want a fallback plan. Being able to have a small subset of local user accounts would be the ideal solution. But with the separation of security realms, I'm not sure I can convince them.

Add Comment

[andrew.barrett1986@gmail.com (JIRA)]

Andrew Barrett updated an issue

Jenkins / JENKINS-15063

support for multiple security realms with failover

Change By: Andrew Barrett Comment: (y) Can't say enough how I would like this feature. My org is possibly not going to use ldap with Jenkins because they want a fallback plan. Being able to have a small subset of local user accounts would be the ideal solution. But with the separation of security realms, I'm not sure I can convince them.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-15063

Re: support for multiple security realms with failover

which I recall being the case

Examples like this or this are not hard to find. So making the realm proxyable would at a minimum require some logic changes to various popular realm plugins, and perhaps require new core APIs to permit adequate context / state to be “threaded” through various interfaces rather than grabbing it from a global singleton.

Add Comment