Details
-
Type:
Bug
-
Status: Resolved (View Workflow)
-
Priority:
Minor
-
Resolution: Fixed
-
Component/s: authorize-project-plugin, core
-
Labels:
-
Environment:Jenkins >=2.150.2, authorize-project-plugin v1.3.0
-
Similar Issues:
-
Released As:Jenkins 2.210
Description
Actual behaviour
As user "A" when configuring authorization
using the "Run as Specific User" strategy to run a job as user "B"
after successful authentication with the password of user "B"
user "A" is logged out.
Expected behaviour
User "A" is still logged in.
Root Cause Analysis
This issue is present starting with Jenkins 2.150.2 which implemented new security measures for user sessions (see changelog https://jenkins.io/changelog-stable/#v2.150.2). It seems that the below call from here invalidates the current user session:
Jenkins.getActiveInstance().getSecurityRealm().getSecurityComponents().manager.authenticate(
new UsernamePasswordAuthenticationToken(userId, password)
);
Attachments
Activity
PR to fix this open for review: https://github.com/jenkinsci/jenkins/pull/4394
Important point to mention in the description, to trigger the "password" field to appear, you need to lack admin permission as the user A. I installed matrix-auth to achieve that easily.
Ah, that explains some test failures I came across at one point when testing out different combinations of versions.
Released in Jenkins 2.210, will mark as LTS candidate
I've isolated this problem to the code in UserSeedSecurityListener.authenticated() which will overwrite the current session's user seed with the authorized user's seed instead. This seed is not restored after the build completes (or ever), so essentially, you end up with the authorize user's session which doesn't work.