[JIRA] [core] (JENKINS-31870) Unable to use LDAP user credentials in build configuration

mark.earl.waite@gmail.com (JIRA)

Dec 8, 2015, 11:39:02 PM
to jenkinsc...@googlegroups.com
Mark Waite updated an issue
 
Jenkins / Bug JENKINS-31870
Unable to use LDAP user credentials in build configuration
Change By: Mark Waite
Summary: Unable to use LDAP user credentials in build configuration
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

recena@gmail.com (JIRA)

Dec 10, 2015, 11:47:02 AM
to jenkinsc...@googlegroups.com

olikuhn@gmail.com (JIRA)

Feb 17, 2016, 8:38:03 AM
to jenkinsc...@googlegroups.com

olikuhn@gmail.com (JIRA)

Feb 17, 2016, 8:38:03 AM
to jenkinsc...@googlegroups.com
Olivier updated an issue
 
Change By: Olivier
Environment: Jenkins ver. 1.625.2 → 1.642.1 (LTS version)
Credential plugin 1.24 (same with 1.18)
Debian 8 64bits
Tomcat 8.0.29
OpenJDK 64-Bit Server VM (build 25.72-b05, mixed mode)

stephenconnolly@java.net (JIRA)

May 20, 2016, 5:39:02 PM
to jenkinsc...@googlegroups.com
stephenconnolly commented on Bug JENKINS-31870
 
Re: Unable to use LDAP user credentials in build configuration

I will repeat, this is all down to how each individual SCM plugin has chosen to build the list of credentials.

I do not see any facile way to handle this short of the Authorize Project Plugin moving its configuration from the Job Configuration screen and into a separate screen so that the Configure screen can know what authorization it will run as.

ikedam WDYT about Job/Authorization as a screen beside Job/Configure so that the configure screen will know the default authentication of the job?

devld@ikedam.jp (JIRA)

May 21, 2016, 2:33:01 AM
to jenkinsc...@googlegroups.com
ikedam commented on Bug JENKINS-31870

stephenconnolly
Let me see what you mean:

  • Separate the authorization configuration from the project configuration. This allows Jenkins to decide the authorization of builds during configuring projects.
  • When a plugin lists up credentials,
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Job project) {
        // Authentication the project's builds will run as
        Authentication auth = Tasks.getAuthenticationOf(project);
        // List only the credentials visible to that authentication
        return new StandardUsernameListBoxModel().withEmptySelection().withAll(
            CredentialsProvider.lookupCredentials(StandardUsernameCredentials.class, auth));
    }
    
  • Even if the authorization is changed after the project configuration is saved, it doesn't cause a security issue as the access to the credential is blocked at build time.

That makes sense to me.
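
A plain-Java model of the flow outlined in the comment above, added here as an illustration and not taken from Jenkins, the Credentials plugin or any participant in this thread: the drop-down is filled under the authentication the job will run as, and the saved id is resolved again under the build's authentication. The store layout, the user names and every class and method name are assumptions made for the example.

```java
import java.util.List;
import java.util.Optional;

// Added illustration: a self-contained model, not Jenkins or Credentials plugin code.
// All names below are hypothetical.
public class BuildAuthCredentialsModel {
    static final String SYSTEM = "SYSTEM";

    // A credential lives in the global store (owner == null) or in one user's store.
    record Credential(String id, String owner) {}

    // Constructed sample data.
    static final List<Credential> STORE = List.of(
        new Credential("deploy-key", null),
        new Credential("alice-ldap", "alice"),
        new Credential("bob-ldap", "bob"));

    // What a lookup sees when it runs as 'auth': global entries plus that user's own store.
    static List<Credential> lookup(String auth) {
        return STORE.stream()
            .filter(c -> c.owner() == null || c.owner().equals(auth))
            .toList();
    }

    // Configure time: list the ids visible to the authentication the job will run as.
    static List<String> dropDown(String jobAuth) {
        return lookup(jobAuth).stream().map(Credential::id).toList();
    }

    // Build time: resolve the saved id again under the build's authentication, so an id
    // saved under an earlier authorization is not handed to a build running as someone else.
    static Optional<Credential> resolveForBuild(String savedId, String buildAuth) {
        return lookup(buildAuth).stream().filter(c -> c.id().equals(savedId)).findFirst();
    }

    public static void main(String[] args) {
        // A list built without the build authentication has no per-user entries.
        System.out.println("as SYSTEM: " + dropDown(SYSTEM));
        // A list built as the user the job runs as includes that user's credential.
        System.out.println("as alice:  " + dropDown("alice"));
        // The job is saved with alice-ldap, then its authorization is switched to bob.
        System.out.println("build as alice resolves alice-ldap: "
            + resolveForBuild("alice-ldap", "alice").isPresent());
        System.out.println("build as bob resolves alice-ldap:   "
            + resolveForBuild("alice-ldap", "bob").isPresent());
    }
}
```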

stephenconnolly@java.net (JIRA)

May 23, 2016, 6:08:01 AM
to jenkinsc...@googlegroups.com

ikedam yep that's what I'm thinking... we'd just add a new side action called Authorization or Authentication or something like that. It would be a single page which would allow configuration of the build authorization. It could also simplify some of the configuration issues that we currently have as we can then lock down that screen so that a user can configure the build but not change the authorization (though we still have to keep the guards on config.xml submission and anyone letting somebody configure a job is basically giving them access to all the credentials that job can access, but for the use case of creating a special user that has the credentials available for the job I think that it is acceptable).

devld@ikedam.jp (JIRA)

May 23, 2016, 7:49:01 PM
to jenkinsc...@googlegroups.com
ikedam commented on Bug JENKINS-31870

Created: JENKINS-35081 Separate authorization configuration page

stephenconnolly@java.net (JIRA)

May 25, 2016, 8:00:06 PM
to jenkinsc...@googlegroups.com
stephenconnolly resolved as Not A Defect
 

Really this is an issue in the individual plugins that provide the credentials drop down selector. They need to be build authentication aware. Currently they cannot be build authentication aware as that information is currently subject to change on the screen where they are being configured. When JENKINS-35081 is implemented the plugins would then be able to correctly infer the build authentication and then display the user credentials in those cases where the job runs as user.

As such, this is not an issue with the credentials plugin; rather, at best this is a series of issues with credential consuming plugins.

Marking this issue as not a defect on that basis.

Change By: stephenconnolly
Status: Open → Resolved
Resolution: Not A Defect

mark.earl.waite@gmail.com (JIRA)

Oct 22, 2019, 9:33:10 PM
to jenkinsc...@googlegroups.com
Mark Waite closed an issue as Not A Defect
Change By: Mark Waite
Status: Resolved → Closed