
autogenerated keystore should not be kept in temp directory

    • Improvement
    • Resolution: Fixed
    • Minor
    • saml-plugin
    • None
    • SAML-plugin 1.0.5

      The SAML plugin automatically generates a keystore in /tmp (when it has not been manually configured otherwise). However, /tmp files are subject to garbage collection; if the keystore is subsequently deleted by a cleanup process (e.g. tmpwatch, systemd-tmpfiles-clean, etc.), it will break SAML authentication and require a restart of the Jenkins process.

      Being able to specify a path or directory for where to create the autogenerated keystore would solve this problem.

      The existing mechanism for specifying a keystore requires configuring the plugin manually with a key password and keystore password. We deploy and manage a fleet of Jenkins instances via Ansible and are limited to configuration options that can be scripted. The automatically generated keystore would be a satisfactory solution if it were not subject to garbage collection.

          [JENKINS-49532] autogenerated keystore should not be kept in temp directory

          Ivan Fernandez Calvo added a comment -

          As a workaround you can change the temporary folder with the `java.io.tmpdir` Java property, but this file should probably be created in the JENKINS_HOME folder.

          Tim Pierce added a comment -

          The workaround we are using for the time being is adding an exclusion in /etc/tmpfiles.d/jenkins.conf to keep the keystore from being deleted. I agree that JENKINS_HOME would be a more suitable location for the autogenerated keystore.
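Added example (not from the ticket or the saml-plugin code): a simplified Python check of whether a tmpfiles.d exclusion like the one described above actually covers a keystore path. The rule lines and the keystore file name are constructed placeholders; only `x`/`X` exclusions and directory Age rules are modelled, and globs are matched with `fnmatch`, which is looser than systemd's own matching.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed sample: stock-style ageing rules for /tmp plus an exclusion drop-in.
# The keystore file name is a placeholder, not the plugin's real file name.
SAMPLE_RULES = """\
# /usr/lib/tmpfiles.d/tmp.conf
q /tmp 1777 root root 10d
q /var/tmp 1777 root root 30d
# /etc/tmpfiles.d/jenkins.conf
x /tmp/example-saml-keystore*.jks
"""

AGED_TYPES = {"d", "D", "e", "q", "Q", "v"}  # directory types that honour the Age field


def parse_rules(text):
    """Yield (type letter, path, age) for each non-comment tmpfiles.d line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        fields += ["-"] * (6 - len(fields))  # omitted trailing fields mean "-"
        yield fields[0][0], fields[1], fields[5]


def cleanup_verdict(rules_text, target):
    """Return (at_risk, reason) for one file path under this simplified model."""
    target = PurePosixPath(target)
    # The file itself followed by every ancestor directory, nearest first.
    candidates = [str(target)] + [str(p) for p in target.parents]
    ageing = None
    for rtype, path, age in parse_rules(rules_text):
        # 'x' excludes a matching path and everything below it from cleaning.
        if rtype == "x" and any(fnmatch.fnmatchcase(c, path) for c in candidates):
            return False, f"excluded by 'x {path}'"
        # 'X' excludes only the matching path itself, not directory contents.
        if rtype == "X" and fnmatch.fnmatchcase(str(target), path):
            return False, f"excluded by 'X {path}'"
        if rtype in AGED_TYPES and age != "-" and path in candidates[1:]:
            ageing = f"aged out after {age} by '{rtype} {path}'"
    return (True, ageing) if ageing else (False, "no ageing rule covers this path")
```

A keystore whose name the exclusion glob does not match is still reported as at risk, which is the failure mode to look for after a plugin upgrade changes the file name or location.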

          C added a comment -

          If the file does not exist, shouldn't it be re-created?


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Ivan Fernandez Calvo
          Path:
          src/main/java/org/jenkinsci/plugins/saml/BundleKeyStore.java
          http://jenkins-ci.org/commit/saml-plugin/f0c2b160b0a862fe1a3f6d79317a092b013b5576
          Log:
          JENKINS-49532 autogenerated keystore should not be kept in temp directory (#42)

          Venkata Siva Naga Tatikonda added a comment -

          I agree with Coltrey, if the file doesn't exist Jenkins should re-create and use it dynamically.

          Tim Pierce added a comment -

          It looks like the PR has been merged. Is there anything else that needs to be done to close the ticket? Is that my responsibility as the ticket owner?

          FWIW, I also agree that it makes sense to automatically re-create the file if it disappears in the middle of a session.


          Ivan Fernandez Calvo added a comment - edited

          qwrrty, I am testing some stuff to save the configuration of the keystore. As soon as I finish, I will release and close this Jira.

          Ivan Fernandez Calvo added a comment -

          Released on SAML Plugin 1.0.6

            ifernandezcalvo Ivan Fernandez Calvo
            qwrrty Tim Pierce