JENKINS-54508

The <useSecurity>false</useSecurity> changes to <useSecurity>true</useSecurity> in config.xml if the value of the tag has been changed explicitly.

Description

Scenario: As an administrator, you have forgotten the password of the Jenkins First Admin User Account, and need to reset it.

Test Data: For uniformity and simplicity, I have used the same Test Data for both the Ubuntu and Windows VMs during testing.

First Admin User Details:
1. Username: jenkins21900
2. Password: password
3. Full Name: jenkins21900
4. Email Address: kharad.afour@gmail.com
5. Jenkins URL: http://localhost:8080

      Test Instructions: Perform all steps with Administrator/Root user.

Pre-requisites
1. Install Jenkins with all the pre-requisites in place.
2. Create a Jenkins First Admin User Account with a valid user name and password in the Jenkins installation.
3. Validate that you can successfully log in as the Jenkins First Admin User Account.

Steps to Replicate - Linux/Ubuntu
1. Navigate to /var/lib/jenkins/ and edit the config.xml file in an editor of your choice.
2. Search for <useSecurity>true</useSecurity> and change it to <useSecurity>false</useSecurity>.
3. Restart Jenkins by executing the sudo service jenkins restart command.
4. Access the Jenkins URL, and observe that you are not prompted for the password and that the Dashboard loads directly.
5. Navigate to /var/lib/jenkins/ and load the config.xml file in an editor of your choice.
6. Search for <useSecurity>false</useSecurity> and observe that it has changed to <useSecurity>true</useSecurity>.

Steps to Replicate - Windows
1. Stop the Jenkins service.
2. Navigate to C:\jenkins\config.xml and edit the config.xml file in an editor of your choice.
3. Search for <useSecurity>true</useSecurity> and change it to <useSecurity>false</useSecurity>.
4. Start the Jenkins service.
5. Access the Jenkins URL, and observe that you are not prompted for the password.
6. Click on Sign Out to sign out from Jenkins.
7. Navigate to C:\jenkins\config.xml and load the config.xml file in an editor of your choice.
8. Search for <useSecurity>false</useSecurity> and observe that it has changed to <useSecurity>true</useSecurity>.

Expected Result: The <useSecurity>false</useSecurity> should not change to <useSecurity>true</useSecurity>.

Actual Result: The <useSecurity>false</useSecurity> has changed to <useSecurity>true</useSecurity>.

        Attachments

        1. Windows2.swf
          5.56 MB
        2. Windows1.swf
          8.39 MB
        3. Ubuntu.swf
          5.62 MB
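As an added example, not part of the issue and not Jenkins project code, the script below reads a Jenkins config.xml and reports whether access control is switched off, so an administrator who has performed the unlock described above can confirm that security is back on once the reset is done. The sample documents are constructed; the <useSecurity>, <securityRealm> and <authorizationStrategy> elements under the <hudson> root are standard Jenkins config.xml content, and the default path is the Linux one named in the steps.

```python
"""Audit a Jenkins config.xml for a disabled-security state.

Added example; it is not code from the Jenkins project. It inspects the
<useSecurity>, <securityRealm> and <authorizationStrategy> elements that
Jenkins stores under the <hudson> root of config.xml and lists findings
that mean the instance would serve its dashboard without a login.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a Jenkins instance with security enabled.
SECURE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed sample: the same file after the manual edit from the issue
# (the useSecurity flag flipped to false by hand).
UNLOCKED_CONFIG = SECURE_CONFIG.replace(
    "<useSecurity>true</useSecurity>", "<useSecurity>false</useSecurity>")

# Default location from the Linux steps in the issue.
DEFAULT_PATH = "/var/lib/jenkins/config.xml"


def audit_config(xml_text: str) -> dict:
    """Return the security-relevant state of one config.xml document.

    The dict carries the raw values plus a list of human-readable findings;
    an empty findings list means access control looks enabled.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "hudson":
        raise ValueError(f"root element is <{root.tag}>, not a Jenkins config.xml")

    use_el = root.find("useSecurity")
    use_security = (use_el is not None and use_el.text is not None
                    and use_el.text.strip().lower() == "true")
    realm_el = root.find("securityRealm")
    strategy_el = root.find("authorizationStrategy")
    realm = realm_el.get("class") if realm_el is not None else None
    strategy = strategy_el.get("class") if strategy_el is not None else None

    findings = []
    if use_el is None:
        findings.append("<useSecurity> element is missing")
    elif not use_security:
        findings.append("<useSecurity> is false: the dashboard loads without a login")
    if realm is None:
        findings.append("<securityRealm> is missing: no user database or login mechanism")
    if strategy is None:
        findings.append("<authorizationStrategy> is missing: no permission model")

    return {
        "use_security": use_security,
        "security_realm": realm,
        "authorization_strategy": strategy,
        "findings": findings,
    }


def audit_file(path: str) -> dict:
    """Audit a config.xml on disk (run as root or the jenkins user)."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read())


def main(argv: list) -> int:
    """Print the audit for the given path (or the default) and the samples."""
    if len(argv) > 1:
        result = audit_file(argv[1])
    else:
        print(f"no path given; showing the constructed samples (default: {DEFAULT_PATH})")
        for name, text in (("secure", SECURE_CONFIG), ("unlocked", UNLOCKED_CONFIG)):
            print(name, audit_config(text))
        return 0
    print(result)
    return 0 if not result["findings"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script against a real config.xml returns exit status 1 when any finding is present, which makes it usable as a post-reset check in a cron job or a configuration-management handler.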

          Activity

          danielbeck Daniel Beck added a comment -

          While we have documentation explaining how to unlock a Jenkins you can no longer access due to invalid security setup in an emergency, this file is not generally expected to be edited manually. You're changing internal data storage.

          kharadzv Kharad Variyava added a comment -

Daniel Beck - can you please share the link to the documentation explaining how to unlock a Jenkins you can no longer access? However, the steps mentioned above are widely mentioned across all the major forums as well, so I guess it needs a re-look, as this might lead to a security breach going forward!

          danielbeck Daniel Beck added a comment -

"can you please share the link to the documentation explaining how to unlock a Jenkins you can no longer access"

          You describe how to do that in steps 1-4.

"it needs a re-look, as this might lead to a security breach going forward"

          Which can be done through the UI after following the steps you describe.

          danielbeck Daniel Beck added a comment -

          Please leave this issue closed. This is not a bug.

          kharadzv Kharad Variyava added a comment -

So Daniel Beck, are you trying to imply that this is an expected behavior?

Request a bit more clarity please!

          danielbeck Daniel Beck added a comment -

          As I explained above,

"this file is not generally expected to be edited manually. You're changing internal data storage."

          There is no defined behavior here. If Jenkins still works after you edit this file, great. If it doesn't, you did something wrong. This file is not considered user API.


People

Assignee: Unassigned
Reporter: kharadzv Kharad Variyava
Votes: 0
Watchers: 1