Matrix-based security not working with Active Directory [message #897119]
Sat, 21 July 2012 22:54
Eclipse User
I am running Hudson 2.1.2 and 2.2.1 with the Active Directory plugin installed. I tested AD authentication and it worked when authorization was set to "Logged-in users can do anything". When I switched to "Matrix-based security", all logged-in users got all rights no matter how the matrix was set up. The same matrix setup worked when the Security Realm was set to "Delegate to servlet container".
I read in some postings that previously the role name needed to have a "ROLE_" prefix. When I tried that, I got no access to any page after I logged in. I had to edit config.xml to make the site functional again.
Does anyone know if the Hudson AD plugin works with matrix-based security at all? If it is supposed to work, what did I miss? And how do I debug this problem?
Re: Matrix-based security not working with Active Directory [message #897159 is a reply to message #897122]
Sun, 22 July 2012 14:19
Eclipse User
I had configured Hudson to use AD authentication and added an engineering group which had only Overall: Administrator + Read privilege. The anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have privilege to any of the Slave, Job, Run, View or SCM functions. When I logged in, I was able to access all functions on Hudson. Is this because the admin privilege implies one also has all other privileges?
Here is the config for this experiment:
<hudson>
  <version>2.2.1</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:engineering</permission>
    <permission>hudson.model.Hudson.Read:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>{this is removed by me}</bindPassword>
  </securityRealm>
</hudson>
I tried another privilege setting. In this experiment, I had no admin, slave and job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".
Here is the config for this experiment:
<hudson>
  <version>2.2.1</version>
  <numExecutors>1</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Configure:engineering</permission>
    <permission>hudson.model.Item.Create:engineering</permission>
    <permission>hudson.model.Item.Delete:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.Run.Delete:engineering</permission>
    <permission>hudson.model.Run.Update:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.model.View.Create:engineering</permission>
    <permission>hudson.model.View.Delete:engineering</permission>
    <permission>hudson.scm.SCM.Tag:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>{this is taken out by me}</bindPassword>
  </securityRealm>
</hudson>
It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.
Re: Matrix-based security not working with Active Directory [message #897316 is a reply to message #897159]
Mon, 23 July 2012 10:59
Eclipse User
Poon Fung wrote on Sun, 22 July 2012 13:19:
> I had configured Hudson to use AD authentication and added an engineering group which had only Overall: Administrator + Read privilege. The anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have privilege to any of the Slave, Job, Run, View or SCM functions. When I logged in, I was able to access all functions on Hudson. Is this because the admin privilege implies one also has all other privileges?
Yes, Administrator means you have control over everything.
Poon Fung wrote on Sun, 22 July 2012 13:19:
> I tried another privilege setting. In this experiment, I had no admin, slave and job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".
> Here is the config for this experiment:
> <hudson>
>   <version>2.2.1</version>
>   <numExecutors>1</numExecutors>
>   <mode>NORMAL</mode>
>   <useSecurity>true</useSecurity>
>   <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
>     <permission>hudson.model.Item.Build:engineering</permission>
>     <permission>hudson.model.Item.Configure:engineering</permission>
>     <permission>hudson.model.Item.Create:engineering</permission>
>     <permission>hudson.model.Item.Delete:engineering</permission>
>     <permission>hudson.model.Item.Read:engineering</permission>
>     <permission>hudson.model.Run.Delete:engineering</permission>
>     <permission>hudson.model.Run.Update:engineering</permission>
>     <permission>hudson.model.View.Configure:engineering</permission>
>     <permission>hudson.model.View.Create:engineering</permission>
>     <permission>hudson.model.View.Delete:engineering</permission>
>     <permission>hudson.scm.SCM.Tag:engineering</permission>
>   </authorizationStrategy>
>   <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
>     <bindPassword>{this is taken out by me}</bindPassword>
>   </securityRealm>
> </hudson>
> It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.
I believe you need to set the Overall permission to Read. As described by the description:
Quote: The read permission is necessary for viewing almost all pages of Hudson. This permission is useful when you don't want unauthenticated users to see Hudson pages — revoke this permission from the anonymous user, then add the "authenticated" pseudo-user and grant the read access.
"The read permission is necessary for viewing almost all pages of Hudson" is the important part.
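An added example (not from this thread or the Hudson project): a small lint that reads a Hudson config.xml and reports every principal in GlobalMatrixAuthorizationStrategy that has been granted job, run, view or SCM permissions but lacks hudson.model.Hudson.Read, treating hudson.model.Hudson.Administer as implying everything, as the reply above explains. The embedded config is constructed to mirror the second experiment; the "ops" principal is an assumed extra entry.

```python
# Added example: lint a Hudson config.xml for matrix-security grants that will
# still fail with "Access Denied ... is missing the Read permission".
import xml.etree.ElementTree as ET
from collections import defaultdict

ADMINISTER = "hudson.model.Hudson.Administer"   # implies every other permission
OVERALL_READ = "hudson.model.Hudson.Read"       # needed for almost every page

# Constructed sample, modelled on the thread's second experiment: "engineering"
# gets Item/View rights but no Overall Read; "ops" (assumed) is an administrator.
SAMPLE_CONFIG = """<hudson>
  <version>2.2.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.model.Hudson.Administer:ops</permission>
  </authorizationStrategy>
</hudson>"""


def permissions_by_sid(config_xml):
    """Return {sid: set(permission ids)} from the matrix strategy block."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    grants = defaultdict(set)
    if strategy is None or "GlobalMatrixAuthorizationStrategy" not in strategy.get("class", ""):
        return grants   # some other strategy is in use; nothing to check here
    for node in strategy.findall("permission"):
        # entries are "<permission id>:<user or group>", split at the first colon
        perm, _, sid = node.text.strip().partition(":")
        grants[sid].add(perm)
    return grants


def sids_missing_overall_read(config_xml):
    """Principals that hold some grant but cannot view pages: no Overall Read
    and no Administer (which implies Read and everything else)."""
    missing = []
    for sid, perms in sorted(permissions_by_sid(config_xml).items()):
        if ADMINISTER in perms or OVERALL_READ in perms:
            continue
        missing.append(sid)
    return missing


if __name__ == "__main__":
    for sid in sids_missing_overall_read(SAMPLE_CONFIG):
        print(f"{sid}: add <permission>{OVERALL_READ}:{sid}</permission>")
```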