
Prompt to create user when selecting internal user database

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Initial configuration of a new Jenkins installation.

      During the initial configuration of Jenkins, if the Security Realm of "Jenkins own user database" is selected, it should prompt to create at least 1 administrative user (if none exist) before saving the configuration. Currently it's fairly easy to lock oneself out if no local users exist and this configuration is saved.


          Daniel Beck added a comment -

          As long as you allow signup, the first user to do that becomes admin.
          As long as anonymous is allowed to administer, you can still create users.

          It's only relevant if you don't allow signup, and don't give the anonymous user any permissions. In that case, it's bad, true.


          Jason Sipula added a comment -

          True. Perhaps when unchecking "Allow signup" and/or checking "only logged in users..." should prompt a warning. I hit this while setting up a new instance that is publicly accessible but limited to only users I allow... it seemed to make sense to disable "Allow signup" and set things to only allow logged in users to do things. Admittedly it's a simple fix (change the security setting in the ~/jenkins/config.xml temporarily), but probably best to try to avoid the issue altogether by a simple prompt along the lines of "You should create at least one administrative user, would you like to do this now?".

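A pre-flight check for the lockout condition discussed in the two comments above, added here as an example; it is not part of the issue, the pull request, or Jenkins itself. It reads a JENKINS_HOME (the directory the comment above calls ~/jenkins), and reports whether saving would leave the instance with the built-in user database, signup disabled, no local user records, and an authorization strategy under which anonymous cannot create users, which is the combination Daniel Beck identifies as the bad case. The config.xml element names (securityRealm with a disableSignup child, authorizationStrategy with a class attribute), the users/<name>/config.xml layout, and the decision to treat only the "Anyone can do anything" strategy as anonymous-can-administer are assumptions; the JENKINS_HOME it builds for the demo is constructed sample data.

```python
"""Pre-flight lockout check for a Jenkins home directory (added example, not Jenkins code)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Class names as written in config.xml (assumed from Jenkins' layout, not from the issue).
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"


def local_users(jenkins_home):
    """Names of user records stored as users/<name>/config.xml (assumed layout)."""
    users_dir = os.path.join(jenkins_home, "users")
    if not os.path.isdir(users_dir):
        return []
    return sorted(
        name for name in os.listdir(users_dir)
        if os.path.isfile(os.path.join(users_dir, name, "config.xml"))
    )


def lockout_risk(jenkins_home):
    """Return (locked_out, findings) for the security settings in config.xml.

    locked_out is True only when all three conditions from the discussion hold:
    the built-in realm with signup disabled, no local user records, and an
    authorization strategy under which anonymous cannot create users.
    """
    root = ET.parse(os.path.join(jenkins_home, "config.xml")).getroot()
    realm = root.find("securityRealm")
    strategy = root.find("authorizationStrategy")
    findings = []

    if realm is None or realm.get("class") != PRIVATE_REALM:
        findings.append("security realm is not Jenkins' own user database; check skipped")
        return False, findings

    signup_disabled = realm.findtext("disableSignup", "false").strip().lower() == "true"
    users = local_users(jenkins_home)
    # Only the "Anyone can do anything" strategy is treated as anonymous-can-administer;
    # a matrix strategy granting Administer to anonymous would need its own parsing.
    anonymous_admin = strategy is None or strategy.get("class") == UNSECURED

    findings.append("signup %s" % ("disabled" if signup_disabled
                                   else "enabled (first signup becomes admin)"))
    findings.append("%d local user record(s)" % len(users))
    findings.append("anonymous %s" % ("can administer" if anonymous_admin
                                      else "has no administer rights"))

    locked_out = signup_disabled and not users and not anonymous_admin
    if locked_out:
        findings.append("LOCKOUT: nobody can log in and nobody can sign up; "
                        "create an administrative user before saving")
    return locked_out, findings


def write_demo_home(disable_signup, with_user):
    """Build a throwaway JENKINS_HOME with a constructed config.xml (sample data, not a real install)."""
    home = tempfile.mkdtemp(prefix="jenkins-home-")
    config = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>%s</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
""" % ("true" if disable_signup else "false")
    with open(os.path.join(home, "config.xml"), "w") as fh:
        fh.write(config)
    if with_user:
        user_dir = os.path.join(home, "users", "admin")
        os.makedirs(user_dir)
        with open(os.path.join(user_dir, "config.xml"), "w") as fh:
            fh.write("<user><id>admin</id></user>\n")
    return home


if __name__ == "__main__":
    for label, home in (("signup off, no users", write_demo_home(True, False)),
                        ("signup on, no users", write_demo_home(False, False)),
                        ("signup off, admin exists", write_demo_home(True, True))):
        locked, findings = lockout_risk(home)
        print("%s -> %s" % (label, "LOCKOUT" if locked else "ok"))
        for finding in findings:
            print("   ", finding)
```

Run it against a real JENKINS_HOME by calling lockout_risk with that path instead of the demo directories; the first demo case reproduces the situation in the comment above (signup disabled, logged-in-only authorization, no user records), and the other two show the two escape hatches Daniel Beck describes.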

          Daniel Beck added a comment -

          Alright, I reviewed what's going on.

          The security realm has a feature that allows the user who accesses the Jenkins home page ("/" URL) to sign up as admin if no user already exists.

          A few problems:

          • The major one: The form redirects to /manage, not /, so there's a login form shown, but there are no valid credentials. Why would anyone click the Jenkins logo to go to the home page to see a signup form?
          • The minor one: If a user record exists, independent of any permissions assigned to that user, the signup isn't shown.

          The minor issue is fairly unlikely in regular use IMO, it's just something I stumbled upon when investigating this.

          The major one should be fixed though.


          Jason Sipula added a comment -

          "Why would anyone click the Jenkins logo to go to the home page to see a signup form?"

          For my case I did not click the Jenkins logo... I clicked the "save" button to store the configuration and then was immediately redirected to the main Jenkins page which now showed the login page (but no user credentials existed). I had wrongly assumed my current session would remain active and I'd have the opportunity to create a regular user before logging out (and the new security settings taking effect). It had been a while since I last set up a Jenkins from scratch...

          Let me know if/when you would like me to test anything. Thanks for your time Daniel.


          Daniel Beck added a comment -

          "the main Jenkins page which now showed the login page"

          That's exactly the problem. It is not the main page, but the login form for the /manage URL. The main page would actually allow creating a user.

          Pull request here: https://github.com/jenkinsci/jenkins/pull/1525

          PR build here; once it finishes you can download and test the jenkins.war containing the fix: https://jenkins.ci.cloudbees.com/job/core/job/jenkins-core/1935/


          Jason Sipula added a comment -

          Confirmed, build #1935 fixed it.

          Thanks Daniel!


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path:
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          http://jenkins-ci.org/commit/jenkins/8d1968f5bdfc60eefa5102671f456e4f3de54c94
          Log:
          [FIXED JENKINS-26382] Allow admin signup from /manage as well

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          http://jenkins-ci.org/commit/jenkins/b0908bd5ae64e161ec310164ba293aec8bc1d29b
          Log:
          JENKINS-26382 Noting merge of #1525.
          Compare: https://github.com/jenkinsci/jenkins/compare/9309cd39ad44...b0908bd5ae64

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3928
          [FIXED JENKINS-26382] Allow admin signup from /manage as well (Revision 8d1968f5bdfc60eefa5102671f456e4f3de54c94)
          JENKINS-26382 Noting merge of #1525. (Revision b0908bd5ae64e161ec310164ba293aec8bc1d29b)

          Result = SUCCESS
          daniel-beck : 8d1968f5bdfc60eefa5102671f456e4f3de54c94
          Files :

          • core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java

          jesse glick : b0908bd5ae64e161ec310164ba293aec8bc1d29b
          Files :

          • changelog.html


            danielbeck Daniel Beck
            snakedoc Jason Sipula
            Votes: 0
            Watchers: 4