JENKINS-2329

Access Denied (Project-based Matrix Authorization Strategy)

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • _unsorted
    • None
    • Platform: All, OS: All

    Description

      Hi @ll,

      I've set up Hudson (user administration of Hudson itself) with Project-based
      Matrix Authorization Strategy. I've added my name and gave myself all privileges
      (including Read...). If I now close Hudson (without doing something else) and
      restart it from the command line, I get the following message and have no more
      access to the configuration or anything else...

      ========================
      Access Denied

      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@923d1bfd:
      Username: hudson.security.HudsonPrivateSecurityRealm$Details@1d8417c; Password:
      [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@255f8: RemoteIpAddress:
      XXX.XXX.XXX.XXX; SessionId: 8013c98834de5a46ef9f6277930606ce; Granted
      Authorities: authenticated is missing Read
      ========================

          Activity

            mindless Alan Harder added a comment -

            I found that the remember-me service uses the UserDetailsService created in
            Hudson's LDAPSecurityRealm.createSecurityComponents() to do the user lookup, and
            the LdapUserSearch used in there does not do a group lookup. I can add this,
            doing just what acegi's LdapAuthenticationProvider.createUserDetails() does to
            look up and add granted authorities before returning the final UserDetails.
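
The lookup gap described in the comment above, modeled as an added example that is not part of the original thread and is not Hudson or Acegi code. All class, method and data names here (`RememberMeLookup`, `UserLookup`, `alice`, `ci-admins`) are hypothetical and the directory data is constructed.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RememberMeLookup {
    // Constructed sample data: LDAP group membership and the matrix row granting Read.
    static final Map<String, List<String>> LDAP_GROUPS = Map.of("alice", List.of("ci-admins"));
    static final Set<String> READ_GRANTED_TO = Set.of("ci-admins");

    // Hypothetical stand-in for the user lookup the remember-me service calls.
    interface UserLookup {
        Set<String> loadAuthorities(String username);
    }

    // User search only: the entry is found, but no group lookup is done.
    static Set<String> searchUser(String username) {
        if (!LDAP_GROUPS.containsKey(username)) {
            throw new IllegalArgumentException("unknown user: " + username);
        }
        Set<String> authorities = new LinkedHashSet<>();
        authorities.add("authenticated");
        return authorities;
    }

    // Before the fix: the cookie path returns the search result as-is.
    static final UserLookup BEFORE_FIX = RememberMeLookup::searchUser;

    // After the fix: group authorities are added before the details are returned.
    static final UserLookup AFTER_FIX = username -> {
        Set<String> authorities = searchUser(username);
        authorities.addAll(LDAP_GROUPS.get(username));
        return authorities;
    };

    // Matrix check: Read is held only if some granted authority has it.
    static boolean hasRead(Set<String> authorities) {
        return authorities.stream().anyMatch(READ_GRANTED_TO::contains);
    }

    public static void main(String[] args) {
        for (UserLookup lookup : List.of(BEFORE_FIX, AFTER_FIX)) {
            Set<String> granted = lookup.loadAuthorities("alice");
            System.out.println(granted + " -> " + (hasRead(granted) ? "Read granted" : "is missing Read"));
        }
    }
}
```

A regression check for this class of bug compares the authorities produced by every authentication entry point (form login, remember-me cookie, API token) for the same account and fails if they differ.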

            mindless Alan Harder added a comment -

            r15290 | mindless | 2009-02-13 09:49:36 -0700 (Fri, 13 Feb 2009) | 2 lines
            Changed paths:
            M /trunk/hudson/main/core/src/main/java/hudson/security/LDAPSecurityRealm.java
            M /trunk/www/changelog.html

            [FIXED JENKINS-2329] LDAP group permissions were not applied when logged in via
            remember-me cookie.

            For me the issue with remember-me cookie now works (tested on Hudson ver. 1.288).
            Although I still need to apply the patch to LDAPBindSecurityRealm.groovy to
            tweak it to my LDAP structure, but that seems to be a different issue.
            Thanks for resolving it!

            Kind regards,
            Krystian Nowak

            mindless Alan Harder added a comment -

            great, thanks.. FYI, soon you shouldn't need the groovy patch.. it seems in some
            restructuring in 1.280 that setting was lost, but we'll get it added back. see
            issue #2256

            Thanks for info on #2256! So, I'll just wait for Hudson 1.289 and we'll see

            Regards,
            Krystian Nowak

            People

              mindless Alan Harder
              klattenhoff klattenhoff