• Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component/s: _unsorted
    • Labels: None
    • Environment: ASF Hudson installation, Hudson 1.372, Tomcat 6, running against LDAP

      In our Hudson installation, users are authenticated using LDAP. Regular users get assigned what we call job admin (using a group for this purpose in LDAP), meaning they can administer jobs, but not access the Manage Hudson pieces. However, several users have reported that they intermittently get elevated access, being able to access Manage Hudson. When this happens, the user name in the upper right corner will say "SYSTEM". This happens on refreshing the Hudson web GUI. Users have tried logging out and logging in again as the regular user, which has gotten them back into their expected access rights.

      Marking this as critical as it gives users elevated access.

      Let me know if there is anything further I can assist in, for example involving our LDAP setup.

          [JENKINS-7256] Users intermittently get SYSTEM user

          protocol7b created issue -

          hibou added a comment -

          I am able to reproduce it on Apache's hudson.

          • I am logged in as 'hibou'
          • I go configure my project 'IvyDE'
          • I click on "Sauver" (probably "Save" in the English version)
          • the page hangs for some reason; the connection will probably go on a timeout, I never waited long enough
          • in another tab in my browser, if I go on hudson again, I then get logged in as 'SYSTEM'


          protocol7b added a comment -

          Any update on this issue? It is continuously a major problem in the Apache Software Foundation installation. Is there anything we can do to assist in solving this?


          tdunning added a comment -

          I have seen this more than once on Apache's hudson as well.

          This is a pretty serious problem.


          hibou added a comment -

          Now I have seen this with the hudson at work.
          We have Hudson ver. 1.365, configured to have about 150 jobs. I am the only one logged in on hudson, everybody else is anonymous. If I configure just one job and save, I am still logged in as "nicolasl".
          Then I had to configure several projects, so I opened several configuration pages in different tabs in my browser. One by one I configured and saved each config. I noticed that while I was doing this repetitive task, the several tabs in my browser were "waiting for an answer", probably meaning that on the backend side there are several configure requests in parallel. And I ended up being logged in as SYSTEM.
          On the first run I was configuring 20 jobs, then I discovered I was logged in as SYSTEM. I was then able to reproduce the bug by configuring just 4 projects. And my hudson instance is always busy, eating from 1 to 4 executors and consuming cpu and io resources.


          hibou added a comment -

          Strange behaviour continuing: still at work, I have been logged in as SYSTEM after some configure. Just refreshing the page gets me logged back in as "nicolasl".


          Costin Caraivan added a comment -

          Same thing here. Hudson's own user database, matrix based security.

          I sometimes get the SYSTEM user. Cannot reproduce it unfortunately, but this is a very serious security issue.

          Is there something in the logs which might help?

          Costin Caraivan added a comment -

          Reproduced it. At least as a user with config rights.

          A simple setup:
          1. Hudson's own user database.
          2. Matrix based security.
          3. Create a user with config rights on several projects (3 should be enough). Open 3 configuration pages, save them fast.
          4. Then open a new config page.
          5. You should be SYSTEM (Profit!!!)

          If you tell me what to search for in the logs, I can post the info.

          Alan Harder added a comment -

          Pretty sure I know the cause: the DependencyGraph constructor sets the SYSTEM role and restores afterwards. However, if multiple threads are running this concurrently, one of the threads may get SYSTEM as the "current" value to be restored afterwards (as another thread has already set SYSTEM).

          Alan Harder made changes -
          Assignee New: Alan Harder [ mindless ]
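The interleaving Alan describes, as an added illustration in Python (not Hudson's code and not from this thread): two request threads of one session share one mutable security context, the 1.372-style pattern remembers the current value and sets SYSTEM on that shared object in place, and the mitigated pattern installs a fresh private context and afterwards restores the original object. It also models Costin's recipe above, where saving several configuration pages quickly is what makes two save/elevate/restore sequences overlap. All class and function names are my own, and that the context object is shared by the session's request threads is an assumption following Alan's diagnosis.

```python
SYSTEM = "SYSTEM"

class SecurityContext:
    # Assumption: one such object lives in the HTTP session, so every request
    # thread of that session holds a reference to the same mutable object.
    def __init__(self, authentication):
        self.authentication = authentication

class RequestThread:
    # 'ctx' models the thread-local holder slot, pointed at the session's object.
    def __init__(self, session_ctx):
        self.ctx = session_ctx

def run_as_system_buggy(thread):
    # 1.372-style pattern: remember the current user, set SYSTEM on the *shared*
    # object, restore the remembered value. Yields between steps so a driver can interleave.
    saved = thread.ctx.authentication     # step 1: "current" value to restore later
    yield
    thread.ctx.authentication = SYSTEM    # step 2: elevate in place (visible to all threads)
    yield
    thread.ctx.authentication = saved     # step 3: restore (saved may itself be SYSTEM)

def run_as_system_fixed(thread):
    # Mitigated pattern: never mutate the shared object; give this thread a fresh
    # private SYSTEM context and afterwards point its holder back at the original.
    saved_ctx = thread.ctx                # step 1: remember the object reference
    yield
    thread.ctx = SecurityContext(SYSTEM)  # step 2: private context, session untouched
    yield
    thread.ctx = saved_ctx                # step 3: restore the original object

def race(impersonate, user="nicolasl"):
    # t1 saves and elevates, then t2 saves (seeing whatever is current) and elevates,
    # then both restore. Returns the user the session ends up with.
    session = SecurityContext(user)
    t1, t2 = RequestThread(session), RequestThread(session)
    g1, g2 = impersonate(t1), impersonate(t2)
    next(g1); next(g1)                    # t1: steps 1-2
    next(g2); next(g2)                    # t2: steps 1-2
    for g in (g1, g2):
        list(g)                           # drain: each thread runs its step 3
    return session.authentication

def sequential(impersonate, user="nicolasl"):
    # No overlap (one configuration save at a time): both patterns leave the user intact,
    # matching hibou's observation that a single save never triggers it.
    session = SecurityContext(user)
    for thread in (RequestThread(session), RequestThread(session)):
        list(impersonate(thread))
    return session.authentication
```

The buggy race leaves the session as SYSTEM for every later request until something resets the authentication, which is why a plain refresh sometimes shows SYSTEM and sometimes the real user.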
