Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-2305

Project-based Matrix Security is not working after Hudson restart

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • _unsorted
    • None
    • Platform: All, OS: All

      This issue has come up in a thread on the Hudson mailing list so thought I'd
      transfer here for an "official" record:

      "I am having a problem when I restart hudson after "successfully" setting up
      matrix based security.

      To set up the Hudson security, I am selecting "Enable Security", then choosing
      "Hudson's own user database" and "Project-based Matrix Authorization Strategy".

      I then give the anonymous account, "Overall-Read" and "Job-Build" rights, and I
      create an admin account that has the right to do everything except "SCM-Tag".

      I save this config and everything works great until I try to restart hudson.

      When I try to restart hudson I can no longer click around and view the builds as
      the non logged in anonymous user like I could before the restart.

      Instead I am only prompted for a username and password. When I enter the admin
      username and password (which worked many times before therestart), I get this
      error message:

      Access Denied
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@410ce2ce:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@8e7f54; Password:
      [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress:
      129.150.66.123; SessionId: 49daddb10088039a2d196487a5ae0a73; Granted
      Authorities: authenticated is missing Read

      I am using Hudson 1.248
      and JDK build 1.5.0_09"

      +

      "I'm experiencing the same problem. While using "Hudson's own user database,"
      I have tried using both the general matrix auth strategy as well as the
      project based version. In both cases I also cannot log in to hudson after
      restarting Tomcat. The error message I get is:
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@3efe96a3:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@5777b4d3;
      Password: [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress:
      127.0.0.1; SessionId: A9A673194D39F0426C655FB715F1BB4B; Granted Authorities:
      authenticated is missing Read

      I am using:
      Hudson 1.245
      Tomcat 6.0.16
      Apache 2.2.3 (reverse proxy to hudson on Tomcat)
      Java 1.6.0_06"

      +

      I have the same issue with 1.245 running as Windows service.

          [JENKINS-2305] Project-based Matrix Security is not working after Hudson restart

          cacorp added a comment -

          Just for completion of the issue description:

          I'm using hudson 1.260. It happens using ldap or any other authentication
          method.

          After succesfully setting up the project based matrix and restarting hudson it
          goes back to global matrix authentication.

          cacorp added a comment - Just for completion of the issue description: I'm using hudson 1.260. It happens using ldap or any other authentication method. After succesfully setting up the project based matrix and restarting hudson it goes back to global matrix authentication.

          Dean Yu added a comment -

          This looks like it was broken in 1.255, by the bug to fix the serialized form of
          matrix security permissions. The fix is a straightforward replacement of new
          GlobalMatrixAuthorizationStrategy() with new
          ProjectMatrixAuthorizationStrategy() in
          hudson.security.ProjectMatrixAuthorizationStrategy.ConverterImpl.

          Dean Yu added a comment - This looks like it was broken in 1.255, by the bug to fix the serialized form of matrix security permissions. The fix is a straightforward replacement of new GlobalMatrixAuthorizationStrategy() with new ProjectMatrixAuthorizationStrategy() in hudson.security.ProjectMatrixAuthorizationStrategy.ConverterImpl.

          Code changed in hudson
          User: : dty
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=13148
          Log:
          FIX JENKINS-2305 - Project based Matrix Authorization Strategy reverts to
          Global Matrix Authorization Strategy on Hudson restart.

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : dty Path: trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java trunk/www/changelog.html http://fisheye4.cenqua.com/changelog/hudson/?cs=13148 Log: FIX JENKINS-2305 - Project based Matrix Authorization Strategy reverts to Global Matrix Authorization Strategy on Hudson restart.

          elser added a comment -

          The new version of Hudson (1.261) does not completely solve the problem. After
          restart I get the ProjectMatrixAuthorizationStrategy unmarshalled successfully
          in global configuration, but the per-job boolean information "Enable
          project-based security" is lost.
          (I use java version "1.5.0_15", Windows XP)

          elser added a comment - The new version of Hudson (1.261) does not completely solve the problem. After restart I get the ProjectMatrixAuthorizationStrategy unmarshalled successfully in global configuration, but the per-job boolean information "Enable project-based security" is lost. (I use java version "1.5.0_15", Windows XP)

          domd added a comment -

          Confirming that this is issue is not completely resolved in 1.261, java 1.5,
          Tomcat 6.0, linux.

          domd added a comment - Confirming that this is issue is not completely resolved in 1.261, java 1.5, Tomcat 6.0, linux.

          Code changed in hudson
          User: : dty
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
          trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=13223
          Log:
          FIX JENKINS-2305 - Use Project Security setting not being persisted.

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : dty Path: trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java trunk/www/changelog.html http://fisheye4.cenqua.com/changelog/hudson/?cs=13223 Log: FIX JENKINS-2305 - Use Project Security setting not being persisted.

          Dean Yu added a comment -

          I believe this is completely fixed with 1.262.

          Dean Yu added a comment - I believe this is completely fixed with 1.262.

          holgergp added a comment -

          I am still getting complaints when using Project-based Matrix Security:

          Access Denied

          org.acegisecurity.providers.UsernamePasswordAuthenticationToken@932218e3:
          Username: hudson.security.HudsonPrivateSecurityRealm$Details@f2c499; Password:
          [PROTECTED]; Authenticated: true; Details:
          org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.5.43;
          SessionId: D53F6B32BB4C41115A77FDBA9BE2F136; Granted Authorities: authenticated
          is missing Administer.

          I am using v. 1.262
          JDK 1.6.0_10
          Tomcat 6.0.18 running as Windows service

          I am using Project-based Matrix Security with one administrative role (having
          every single right)and various users lacking the "administer"-right. I both
          tried the internal user db and Active Directory. If I configure my project
          logged in as a "user" then those aforementioned error messages appear on the
          configuration page.

          holgergp added a comment - I am still getting complaints when using Project-based Matrix Security: Access Denied org.acegisecurity.providers.UsernamePasswordAuthenticationToken@932218e3: Username: hudson.security.HudsonPrivateSecurityRealm$Details@f2c499; Password: [PROTECTED] ; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.5.43; SessionId: D53F6B32BB4C41115A77FDBA9BE2F136; Granted Authorities: authenticated is missing Administer. I am using v. 1.262 JDK 1.6.0_10 Tomcat 6.0.18 running as Windows service I am using Project-based Matrix Security with one administrative role (having every single right)and various users lacking the "administer"-right. I both tried the internal user db and Active Directory. If I configure my project logged in as a "user" then those aforementioned error messages appear on the configuration page.

          Dean Yu added a comment -

          Do you have this problem only after you restart Hudson? Or does it not work ever?

          Dean Yu added a comment - Do you have this problem only after you restart Hudson? Or does it not work ever?

          Alan Harder added a comment -

          Probably the remaining issue from that last comment is from validators.. those
          permission checks now fixed from issue #2715. Closing this one again, reopen if
          there is still any issue in 1.268 or newer.

          Alan Harder added a comment - Probably the remaining issue from that last comment is from validators.. those permission checks now fixed from issue #2715. Closing this one again, reopen if there is still any issue in 1.268 or newer.

            Unassigned Unassigned
            r2b2_nz Richard Bywater
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: