
Project-based Matrix Security is not working after Hudson restart

    • Bug
    • Resolution: Fixed
    • Critical
    • _unsorted
    • None
    • Platform: All, OS: All

      This issue has come up in a thread on the Hudson mailing list so thought I'd
      transfer here for an "official" record:

      "I am having a problem when I restart hudson after "successfully" setting up
      matrix based security.

      To set up the Hudson security, I am selecting "Enable Security", then choosing
      "Hudson's own user database" and "Project-based Matrix Authorization Strategy".

      I then give the anonymous account, "Overall-Read" and "Job-Build" rights, and I
      create an admin account that has the right to do everything except "SCM-Tag".

      I save this config and everything works great until I try to restart hudson.

      When I try to restart hudson I can no longer click around and view the builds as
      the non logged in anonymous user like I could before the restart.

      Instead I am only prompted for a username and password. When I enter the admin
      username and password (which worked many times before the restart), I get this
      error message:

      Access Denied
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@410ce2ce:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@8e7f54; Password:
      [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress:
      129.150.66.123; SessionId: 49daddb10088039a2d196487a5ae0a73; Granted
      Authorities: authenticated is missing Read

      I am using Hudson 1.248
      and JDK build 1.5.0_09"

      +

      "I'm experiencing the same problem. While using "Hudson's own user database,"
      I have tried using both the general matrix auth strategy as well as the
      project based version. In both cases I also cannot log in to hudson after
      restarting Tomcat. The error message I get is:
      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@3efe96a3:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@5777b4d3;
      Password: [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress:
      127.0.0.1; SessionId: A9A673194D39F0426C655FB715F1BB4B; Granted Authorities:
      authenticated is missing Read

      I am using:
      Hudson 1.245
      Tomcat 6.0.16
      Apache 2.2.3 (reverse proxy to hudson on Tomcat)
      Java 1.6.0_06"

      +

      I have the same issue with 1.245 running as Windows service.

          [JENKINS-2305] Project-based Matrix Security is not working after Hudson restart

          Richard Bywater created issue -

          magner added a comment -

          I also have this issue using the 'Project-based Matrix Authorization Strategy',
          but it seems like 'Matrix-based security' works fine. I use the LDAP security
          realm, and my security matrix is respected for both user and group.

          When looking at config.xml, it seems like project-based matrix isn't serializing
          right, it's not as neat and tidy as matrix-based security. And failing to
          deserialize the security settings would probably produce the exception we're
          getting.

          Hudson 1.252
          OpenJDK Runtime Environment 1.6.0_0-b11
          Tomcat 6.0.18


          lynggaard added a comment -

          I have seen this too...

          I had originally set
          anonymous to read,
          authenticated to build, workspace
          two admin account with full access rights

          To me it appears as if the anonymous permissions are not stored, thus the
          anonymous users cannot do anything, and authenticated users do not have read access


          cacorp added a comment -
          Issue 2454 has been marked as a duplicate of this issue.

          cacorp made changes -
          Link New: This issue is duplicated by JENKINS-2454 [ JENKINS-2454 ]

          cacorp added a comment -

          Just for completion of the issue description:

          I'm using hudson 1.260. It happens using ldap or any other authentication
          method.

          After successfully setting up the project based matrix and restarting hudson it
          goes back to global matrix authentication.


          Dean Yu added a comment -

          This looks like it was broken in 1.255, by the bug to fix the serialized form of
          matrix security permissions. The fix is a straightforward replacement of new
          GlobalMatrixAuthorizationStrategy() with new
          ProjectMatrixAuthorizationStrategy() in
          hudson.security.ProjectMatrixAuthorizationStrategy.ConverterImpl.

          Dean Yu made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
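
The reversion reported in this thread (the strategy falling back to global matrix and grants going missing after a restart) can be checked for by diffing a known-good copy of the global config.xml against the one present after the restart. This is an added example, not Hudson code or anything posted in the issue; the `<authorizationStrategy class=...>` / `<permission>id:sid</permission>` layout and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET


def load_strategy(config_xml):
    """Return (strategy class, {sid: set(permission ids)}) from a global config.xml."""
    node = ET.fromstring(config_xml).find("authorizationStrategy")
    if node is None:
        return None, {}
    grants = {}
    for perm in node.findall("permission"):
        # Assumed entry format "<permission id>:<sid>"; split on the first colon.
        perm_id, _, sid = (perm.text or "").strip().partition(":")
        if perm_id and sid:
            grants.setdefault(sid, set()).add(perm_id)
    return node.get("class"), grants


def audit(baseline_xml, current_xml):
    """List differences between the intended config and the one seen after restart."""
    base_cls, base = load_strategy(baseline_xml)
    cur_cls, cur = load_strategy(current_xml)
    findings = []
    if base_cls != cur_cls:
        findings.append(f"strategy class changed: {base_cls} -> {cur_cls}")
    for sid in sorted(set(base) | set(cur)):
        lost = base.get(sid, set()) - cur.get(sid, set())
        gained = cur.get(sid, set()) - base.get(sid, set())
        if lost:
            findings.append(f"{sid} lost: {', '.join(sorted(lost))}")
        if gained:
            findings.append(f"{sid} gained: {', '.join(sorted(gained))}")
    return findings


# Constructed sample data mirroring the symptoms reported in the comments.
BASELINE = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Build:anonymous</permission>
  </authorizationStrategy>
</hudson>"""
AFTER_RESTART = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    for line in audit(BASELINE, AFTER_RESTART):
        print(line)
```
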

          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: dty
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/ProjectMatrixAuthorizationStrategy.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=13148
          Log:
          FIX JENKINS-2305 - Project based Matrix Authorization Strategy reverts to
          Global Matrix Authorization Strategy on Hudson restart.

          elser added a comment -

          The new version of Hudson (1.261) does not completely solve the problem. After
          restart I get the ProjectMatrixAuthorizationStrategy unmarshalled successfully
          in global configuration, but the per-job boolean information "Enable
          project-based security" is lost.
          (I use java version "1.5.0_15", Windows XP)


            Unassigned Unassigned
            r2b2_nz Richard Bywater