[JENKINS-12585] SECURITY: LDAP authenticated users switch accounts randomly

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component: _unsorted

      Running Jenkins behind Apache: mod_proxy with HTTPS
      https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache

      So our setup is:

      Open Directory groups
      • jenkins-admin - Jenkins Admins, all
      • dev-group-a - Developers, can view and kick off builds

      Project-based Matrix Authorization Strategy
      • Admin: all checked
      • dev-group-a checked: Overall:Read, Job:Read, Job:Build, Run:Update
      • dev-group-b checked: Overall:Read, Job:Read

      The issue is I'm an admin and a random developer will log in and see that their user id is mine and can admin Jenkins.

      There have been reported cases where developer A will log in and actually be reported by Jenkins as developer B, where they can no longer trigger CI builds.

      My biggest concern is when users log in and are reported as admins and have full access to Jenkins.


          guillermo c created issue -

          Christian Höltje added a comment - - edited

          I have the same issue. One user can hit refresh repeatedly and get different users or even logged out and then back in!

          My setup is:
          Jenkins 1.456
          JRE 7u3
          Plugins of interest: Role-based Authorization Strategy
          Authentication: LDAP

          Christian Höltje made changes -
          Summary changed. Original: "ACCESSS: LDAP:PMA Login authed users accounts switch" New: "SECURITY: LDAP authenticated users switch accounts randomly"

          Tanmay Sinha added a comment -

          +1

          This is causing major issues as users are gaining unauthorized access to controls.


          Christian Höltje added a comment -

          A better description of symptoms:

          • I, as a user with admin powers, log in. After a while, I'll notice I'm logged in as normal user "singer". I have to log out and log back in to regain my normal account and admin powers.
          • "bambi" and "singer" can become me by conjuring the new hover thingies and then going to a new page. This includes admin powers.
          • "sniper" can hit refresh repeatedly on a page and become "singer" or logged out. "sniper" is also an admin.

          Note: The usernames have been changed to protect the guilty.
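A regression probe for the symptom described in that comment, added here as an example and not code from the thread or from Jenkins itself: it logs several accounts in, repeatedly asks Jenkins who each session is (the way a user hitting refresh would), and flags any session whose reported identity changes or drops to anonymous. The endpoints `/j_acegi_security_check` and `/whoAmI/api/json`, and the test credentials, are assumptions.

```python
import http.cookiejar
import json
import urllib.parse
import urllib.request
from collections import defaultdict


def find_identity_drift(observations):
    """observations: iterable of (session_label, reported_user) pairs.

    Returns {session_label: [users in order seen]} for every session whose
    reported identity changed, which is exactly the symptom in this issue:
    one browser session coming back as a different account (or logged out)."""
    seen = defaultdict(list)
    for session, user in observations:
        if user not in seen[session]:
            seen[session].append(user)
    return {s: users for s, users in seen.items() if len(users) > 1}


def make_session(base_url, username, password):
    """Form-login once and keep the cookie jar, so later requests ride the same
    session cookie a browser would reuse when the user hits refresh.
    Assumption: the Acegi-era login endpoint /j_acegi_security_check."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    form = urllib.parse.urlencode(
        {"j_username": username, "j_password": password}).encode()
    opener.open(f"{base_url}/j_acegi_security_check", form, timeout=10).close()
    return opener


def who_am_i(base_url, opener):
    """Ask Jenkins which principal it associates with this session.
    Assumption: /whoAmI/api/json returns the principal under "name"."""
    with opener.open(f"{base_url}/whoAmI/api/json", timeout=10) as resp:
        return json.load(resp)["name"]


def probe(base_url, accounts, rounds=20):
    """Log every account in once, then interleave repeated whoAmI calls across
    the sessions (mimicking several users refreshing at the same time) and
    return the raw observations for find_identity_drift()."""
    openers = {label: make_session(base_url, u, p) for label, (u, p) in accounts.items()}
    observations = []
    for _ in range(rounds):
        for label, opener in openers.items():
            observations.append((label, who_am_i(base_url, opener)))
    return observations
```

Run `probe()` against a test instance with two or more real accounts and pass the result to `find_identity_drift()`; an empty dict means every session kept its own identity for that run.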

          Christian Höltje added a comment -

          Related bug: JENKINS-13203

          These are the symptoms described with "bambi" and "singer" above (number 2).

          Christian Höltje added a comment -

          Also: I'd be happy to help troubleshoot/debug this. I can get some of the Java experts here to help me look at thread dumps or whatever else might be useful.

          Kohsuke Kawaguchi added a comment - - edited

          Looking into this.

          For other people seeing this, please report

          • the way you run Jenkins (be it via "java -jar jenkins.war" or on some other servlet containers)
          • version of Jenkins
          • The user realm that you use (does anyone see this with something other than LDAP?)

          Kohsuke Kawaguchi made changes -
          Assignee New: Kohsuke Kawaguchi [ kohsuke ]

          Rob Petti added a comment -

          For those who are seeing this issue, are you all running behind a reverse-proxy?


            Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: guillermo c (geevez)
            Votes: 10
            Watchers: 4