Original request: SecurityListener should be notified when ApiTokenFilter approves or denies a REST authentication attempt. jglick says that the logic should be reviewed from scratch.
TL;DR:
- Investigate how it works
- Send events when it does not
Acceptance criteria:
- We cover REST, CLI, Web UI...
- Data should be forwarded to SecurityListener and logged here: https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91
- Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
- Nice2have: Review Javadoc of the engine and ensure it is still correct
- Nice2have: Document the login flow in Wiki (or Jenkins.io developer docs)
- What should happen:
  - When you log in, you get an event
  - When the authentication is sent, you get an event. Includes REST API (password != API token) and Web calls. Example: https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116
Not in scope:
- SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API

- depends on: JENKINS-20999 Extension point for tracking login-related events (Resolved)
- links to
[JENKINS-27027] Log/notify REST authentication via API token
Link | New: This issue depends on |
Workflow | Original: JNJira [ 161218 ] | New: JNJira + In-Review [ 180611 ] |
Assignee | New: Wadeck Follonier [ wfollonier ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Remote Link | New: This issue links to "#3074 (Web Link)" [ 17949 ] |
Remote Link | New: This issue links to "#1192 (jenkins-io) (Web Link)" [ 17950 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |