User logged out after successful configuration of "Run as Specific User" (as of Jenkins 2.150.2)

Details

    • Jenkins 2.210

    Description

      Actual behaviour

      As user "A" when configuring authorization
      using the "Run as Specific User" strategy to run a job as user "B"
      after successful authentication with the password of user "B"
      user "A" is logged out.

      Expected behaviour

      User "A" is still logged in.

      Root Cause Analysis

      This issue is present starting with Jenkins 2.150.2 which implemented new security measures for user sessions (see changelog https://jenkins.io/changelog-stable/#v2.150.2). It seems that the below call from here invalidates the current user session:

      // Verifies user B's password by running a full authentication through the
      // security realm's AuthenticationManager (imports assumed here:
      // jenkins.model.Jenkins and org.acegisecurity.providers.UsernamePasswordAuthenticationToken)
      Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
          new UsernamePasswordAuthenticationToken(userId, password)
      );
      

        Activity

          jvz Matt Sicker added a comment -

          I've isolated this problem to the code in UserSeedSecurityListener.authenticated() which will overwrite the current session's user seed with the authorized user's seed instead. This seed is not restored after the build completes (or ever), so essentially, you end up with the authorized user's session which doesn't work.

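          The following is an added illustration, not code from Jenkins, the authorize-project plugin or the linked PR: a toy model of the user-seed session check described in the description and in the comment above. Every name in it (Session, seedFor, renewSeed, authenticatedBuggy, authenticatedFixed) is invented for the example, and the "fixed" listener shows one way to stop the overwrite (only fill in a seed the session does not have yet); that is an assumption about a possible fix, not a statement of what the PR does.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Jenkins code: a toy model of the user-seed session
// check. All names here are invented for the example.
public class UserSeedModel {

    // One seed per user; regenerating a user's seed invalidates that user's sessions.
    static final Map<String, String> userSeeds = new HashMap<>();
    static final SecureRandom random = new SecureRandom();

    static String seedFor(String user) {
        return userSeeds.computeIfAbsent(user, u -> Long.toHexString(random.nextLong()));
    }

    static void renewSeed(String user) {
        userSeeds.put(user, Long.toHexString(random.nextLong()));
    }

    // Stand-in for the HTTP session: the principal plus the seed captured at login.
    static class Session {
        String user;
        String sessionSeed;
    }

    static Session login(String user) {
        Session s = new Session();
        s.user = user;
        s.sessionSeed = seedFor(user); // a real login always binds the current seed
        return s;
    }

    // Per-request check: a session is live only while its stored seed matches its user's seed.
    static boolean sessionValid(Session s) {
        return s.user != null && seedFor(s.user).equals(s.sessionSeed);
    }

    // Models the reported behaviour: every authentication event overwrites the session seed,
    // so verifying B's password inside A's session replaces A's seed with B's.
    static void authenticatedBuggy(Session s, String authenticatedUser) {
        s.sessionSeed = seedFor(authenticatedUser);
    }

    // Models one possible fix (an assumption, not necessarily what the PR did): a plain
    // authentication event only fills in a missing seed; a real login still overwrites it.
    static void authenticatedFixed(Session s, String authenticatedUser) {
        if (s.sessionSeed == null) {
            s.sessionSeed = seedFor(authenticatedUser);
        }
    }

    // JENKINS-59107 scenario: A is logged in, then B's credentials are verified in A's session.
    static boolean aStillLoggedInAfterRunAs(boolean useFix) {
        Session a = login("A");
        if (useFix) {
            authenticatedFixed(a, "B");
        } else {
            authenticatedBuggy(a, "B");
        }
        return sessionValid(a);
    }

    public static void main(String[] args) {
        System.out.println("overwrite on authenticated(): A still logged in? " + aStillLoggedInAfterRunAs(false));
        System.out.println("fill-only on authenticated():  A still logged in? " + aStillLoggedInAfterRunAs(true));

        // What the seed is for: renewing A's seed kills A's existing session.
        Session a = login("A");
        renewSeed("A");
        System.out.println("after seed renewal: A's old session valid? " + sessionValid(a));
    }
}
```

          The model keeps the property the seed exists for (renewing a user's seed ends that user's sessions) while showing why a credential check for a different user must not be allowed to rebind the seed of the session it happens to run in.
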
          jvz Matt Sicker added a comment -

          PR to fix this open for review: https://github.com/jenkinsci/jenkins/pull/4394

          wfollonier Wadeck Follonier added a comment -

          Important point to mention in the description, to trigger the "password" field to appear, you need to lack admin permission as the user A. I installed matrix-auth to achieve that easily.

          jvz Matt Sicker added a comment -

          Ah, that explains some test failures I came across at one point when testing out different combinations of versions.

          oleg_nenashev Oleg Nenashev added a comment -

          Released in Jenkins 2.210, will mark as LTS candidate


          People

            jvz Matt Sicker
            renescheibe René Scheibe
            Votes: 0
            Watchers: 6
