Original request: SecurityListener should be notified when ApiTokenFilter approves or denies a REST authentication attempt. jglick says that the logic should be reviewed from scratch.

      TL;DR:

      • Investigate how it works
      • Send events when it does not

      Acceptance criteria:

      Not in scope:

      • SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API

          [JENKINS-27027] Log/notify REST authentication via API token

          Jesse Glick created issue -
          Jesse Glick made changes -
          Link New: This issue depends on JENKINS-20999 [ JENKINS-20999 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 161218 ] New: JNJira + In-Review [ 180611 ]
          Oleg Nenashev made changes -
          Description Original: {{SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. New: {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

          Acceptance criteria:
           * We cover REST, CLI, Web UI...
           * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
           * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
           * Nice2have: Review Javadoc of the engine and ensure it is still correct
           * What should happen:
           ** When you log in, you get an event
           ** When the authentication is sent, you get an event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

          Not in scope:
           * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
          Oleg Nenashev made changes -
          Description
          New: {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

          TL;DR:
           * Investigate how it works
           * Send events when it does not

          Acceptance criteria:
           * We cover REST, CLI, Web UI...
           * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
           * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
           * Nice2have: Review Javadoc of the engine and ensure it is still correct
           * What should happen:
           ** When you log in, you get an event
           ** When the authentication is sent, you get an event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

          Not in scope:
           * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
          Wadeck Follonier made changes -
          Assignee New: Wadeck Follonier [ wfollonier ]
          Wadeck Follonier made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Oleg Nenashev made changes -
          Description
          New: {{Original request: SecurityListener}} should be notified when {{ApiTokenFilter}} approves or denies a REST authentication attempt. [~jglick] says that the logic should be reviewed from scratch.

          TL;DR:
           * Investigate how it works
           * Send events when it does not

          Acceptance criteria:
           * We cover REST, CLI, Web UI...
           * Data should be forwarded to SecurityListener and logged here: [https://github.com/jenkinsci/jenkins/blob/08def67a18eee51de9f3f99bc2a792fee1c160e0/core/src/main/java/jenkins/security/SecurityListener.java#L91]
           * Anybody should be able to attach to the Security Listener and get the information (via plugin or so)
           * Nice2have: Review Javadoc of the engine and ensure it is still correct
           * Nice2have: Document the login flow in Wiki (or Jenkins.io developer docs)
           * What should happen:
           ** When you log in, you get an event
           ** When the authentication is sent, you get an event. Includes REST API (password != API token) and Web calls. Example: [https://github.com/jenkinsci/jenkins/blob/729016989e13632bc980957d05060510efddf41f/core/src/main/java/hudson/security/AbstractPasswordBasedSecurityRealm.java#L116]

          Not in scope:
           * SecurityListener Audit Trail patch is not in the scope. May be used as reference impl if we need to add new API
          Wadeck Follonier made changes -
          Remote Link New: This issue links to "#3074 (Web Link)" [ 17949 ]
          Wadeck Follonier made changes -
          Remote Link New: This issue links to "#1192 (jenkins-io) (Web Link)" [ 17950 ]
          Wadeck Follonier made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]

            Assignee: Wadeck Follonier (wfollonier)
            Reporter: Jesse Glick (jglick)