Eclipse Community Forums » Eclipse Projects » Hudson
Matrix-based security not working with Active Directory [message #897119] Sun, 22 July 2012 02:54
Poon Fung (Junior Member, registered July 2012):
I am running Hudson 2.1.2 and 2.2.1 with the Active Directory plugin installed. I tested AD authentication and it worked when authorization was set to "Logged-in users can do anything". When I switched to "Matrix-based security", all logged-in users got all rights no matter how the matrix was set up. The same matrix setup worked when the Security Realm was set to "Delegate to servlet container".

I read in some postings that previously the role name needed to have a "ROLE_" prefix. When I tried that, I got no access to any page after I logged in. I had to edit config.xml to make the site functional again.

Does anyone know if the Hudson AD plugin works with matrix-based security at all? If it is supposed to work, what did I miss? And how do I debug this problem?
Re: Matrix-based security not working with Active Directory [message #897122 is a reply to message #897119] Sun, 22 July 2012 05:49
Steve Christou (Senior Member, Milwaukee, Wisconsin, registered June 2012):

Yes, AD should work with the matrix-based security. The ROLE_ prefix was added for LDAP groups. Could you paste the config.xml security portion here? If not, you can PM me the config.xml security items.

Thanks,
Steve.

P.S. A simple way to test if your AD is working: create a special group called "authenticated" and give it full permission to everything. "authenticated" means anyone who has logged in can do anything. This is no different from running "Logged-in users can do anything", but it will test that your matrix-based security part works.


/**
 * @author Steven Christou
 * @dev    Hudson-ci
 */
Re: Matrix-based security not working with Active Directory [message #897159 is a reply to message #897122] Sun, 22 July 2012 18:19
Poon Fung (Junior Member, registered July 2012):
I had configured Hudson to use AD authentication and added an engineering group which had only the Overall: Administrator + Read privileges. The anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have had privileges for any of the Slave, Job, Run, View or SCM functions. When I logged in, I was able to access all functions on Hudson. Is this because the admin privilege implies one also has all other privileges?

Here is the config for this experiment:

<hudson>
  <version>2.2.1</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:engineering</permission>
    <permission>hudson.model.Hudson.Read:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>{this is removed by me}</bindPassword>
  </securityRealm>
</hudson>

I tried another privilege setting. In this experiment, I had no admin, slave or job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".

Here is the config for this experiment:

<hudson>
  <version>2.2.1</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Configure:engineering</permission>
    <permission>hudson.model.Item.Create:engineering</permission>
    <permission>hudson.model.Item.Delete:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.Run.Delete:engineering</permission>
    <permission>hudson.model.Run.Update:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.model.View.Create:engineering</permission>
    <permission>hudson.model.View.Delete:engineering</permission>
    <permission>hudson.scm.SCM.Tag:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>{this is taken out by me}</bindPassword>
  </securityRealm>
</hudson>

It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.
Re: Matrix-based security not working with Active Directory [message #897316 is a reply to message #897159] Mon, 23 July 2012 14:59
Steve Christou (Senior Member, Milwaukee, Wisconsin, registered June 2012):

Poon Fung wrote on Sun, 22 July 2012 13:19
I had configured Hudson to use AD authentication and added an engineering group which had only the Overall: Administrator + Read privileges. The anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have had privileges for any of the Slave, Job, Run, View or SCM functions. When I logged in, I was able to access all functions on Hudson. Is this because the admin privilege implies one also has all other privileges?


Yes, Administrator means you have control over everything.

Poon Fung wrote on Sun, 22 July 2012 13:19
I tried another privilege setting. In this experiment, I had no admin, slave or job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".

Here is the config for this experiment:

<hudson>
  <version>2.2.1</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Configure:engineering</permission>
    <permission>hudson.model.Item.Create:engineering</permission>
    <permission>hudson.model.Item.Delete:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.Run.Delete:engineering</permission>
    <permission>hudson.model.Run.Update:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.model.View.Create:engineering</permission>
    <permission>hudson.model.View.Delete:engineering</permission>
    <permission>hudson.scm.SCM.Tag:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>{this is taken out by me}</bindPassword>
  </securityRealm>
</hudson>

It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.


I believe you need to set Overall to Read. As described in the permission's help text:
Quote:
The read permission is necessary for viewing almost all pages of Hudson. This permission is useful when you don't want unauthenticated users to see Hudson pages — revoke this permission from the anonymous user, then add the "authenticated" pseudo-user and grant the read access.

"The read permission is necessary for viewing almost all pages of Hudson" is the important part.


/**
 * @author Steven Christou
 * @dev    Hudson-ci
 */
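The two rules this answer settles, that Overall/Administer implies every other permission and that nothing else is usable without Overall/Read, are easy to check mechanically before restarting Hudson. The script below is an added example, not code from this thread or from the Hudson project: it parses the authorizationStrategy section of a config.xml in the same PERMISSION_ID:sid form shown above and reports groups that would hit "missing the Read permission", as well as any sid (including the "authenticated" pseudo-user from the AD test suggested earlier) that holds Administer. The sample config is constructed for the example, modelled on the second one posted, and all function names are the example's own.

```python
"""Lint the matrix-based authorization section of a Hudson config.xml.

Added example, not code from the forum thread or from the Hudson project.
It encodes the two rules the thread settles on:
  * hudson.model.Hudson.Administer implies every other permission, and
  * without hudson.model.Hudson.Read a sid gets "Access Denied ... is
    missing the Read permission" no matter what else it was granted.
All function and variable names are this example's own.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

OVERALL_READ = "hudson.model.Hudson.Read"
OVERALL_ADMIN = "hudson.model.Hudson.Administer"

# Constructed sample, modelled on the second config posted in the thread:
# "engineering" has job/run/view/SCM rights but no Overall/Read, and the
# "authenticated" pseudo-user has been given Administer as an AD test.
SAMPLE_CONFIG = """<hudson>
  <version>2.2.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.Run.Delete:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.scm.SCM.Tag:engineering</permission>
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>REDACTED</bindPassword>
  </securityRealm>
</hudson>
"""


def parse_matrix(config_xml):
    """Return {sid: set(permission ids)} from <authorizationStrategy>.

    Hudson stores each grant as one <permission>PERMISSION_ID:sid</permission>
    element, where sid is a user name, a group name, or a pseudo-user such
    as "anonymous" or "authenticated".
    """
    root = ET.fromstring(config_xml)
    grants = defaultdict(set)
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        return grants  # no matrix strategy configured: nothing to lint
    for perm in strategy.findall("permission"):
        text = (perm.text or "").strip()
        if ":" not in text:
            continue  # not in PERMISSION_ID:sid form; skip rather than guess
        perm_id, sid = text.rsplit(":", 1)
        grants[sid].add(perm_id)
    return grants


def lint_matrix(grants):
    """Return (sid, code, message) findings for a parsed grant table."""
    findings = []
    for sid in sorted(grants):
        perms = grants[sid]
        if OVERALL_ADMIN in perms:
            findings.append((sid, "ADMIN",
                             "Administer implies every other permission"))
            if sid in ("anonymous", "authenticated"):
                findings.append((sid, "BROAD_ADMIN",
                                 "pseudo-user holds Administer: every user it "
                                 "matches is a full administrator"))
        elif OVERALL_READ not in perms:
            # Everything else is unusable until Overall/Read is granted; the
            # user sees "Access Denied, <user> is missing the Read permission".
            findings.append((sid, "MISSING_READ",
                             "%d permission(s) granted but no %s"
                             % (len(perms), OVERALL_READ)))
    return findings


def lint_config(config_xml):
    """Parse and lint a config.xml string in one call."""
    return lint_matrix(parse_matrix(config_xml))


if __name__ == "__main__":
    for sid, code, msg in lint_config(SAMPLE_CONFIG):
        print("%-14s %-12s %s" % (sid, code, msg))
```

Run against the sample it reports engineering as MISSING_READ (the exact situation in the second experiment) and authenticated as ADMIN and BROAD_ADMIN; adding a `hudson.model.Hudson.Read:engineering` grant clears the first finding, which is the fix the thread arrives at.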
Re: Matrix-based security not working with Active Directory [message #897845 is a reply to message #897316] Wed, 25 July 2012 10:09
Poon Fung (Junior Member, registered July 2012):
Steve, thanks for the help. Not having the Overall/Read privilege was indeed the problem. It looks like the only use of the Overall/Read privilege is to deny access to a particular group.