Re: Matrix-based security not working with Active Directory [message #897122 is a reply to message #897119] |
Sun, 22 July 2012 05:49 |
Yes, AD should work with the matrix-based security. The ROLE_ was added for LDAP groups. Could you paste the config.xml security portion here? If not, you can PM me the config.xml security items.
Thanks,
Steve.
P.S. A simple way to test if your AD is working: create a special group called "authenticated" and give it full permission to everything. This "authenticated" means anyone who has logged in can do anything. This is no different from running "Logged-in users can do anything", but it will test to make sure your matrix-based security part works.
/**
* @author Steven Christou
* @dev Hudson-ci
*/
Re: Matrix-based security not working with Active Directory [message #897159 is a reply to message #897122] |
Sun, 22 July 2012 18:19 |
Poon Fung
I had configured Hudson to use AD authentication and added an engineering group which had only Overall: Administrator + Read privilege. Anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have privilege to any of the Slave, Job, Run, View or SCM functions. When I log in, I was able to access all functions on Hudson. Is this because admin privilege implies one also has all other privileges?
Here is the config for this experiment:
<hudson>
<version>2.2.1</version>
<numExecutors>1</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>hudson.model.Hudson.Administer:engineering</permission>
<permission>hudson.model.Hudson.Read:engineering</permission>
</authorizationStrategy>
<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
<bindPassword>{this is removed by me}</bindPassword>
</securityRealm>
I tried another privilege setting. In this experiment, I had no admin, slave and job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".
Here is the config for this experiment:
<hudson>
<version>2.2.1</version>
<numExecutors>1</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>hudson.model.Item.Build:engineering</permission>
<permission>hudson.model.Item.Configure:engineering</permission>
<permission>hudson.model.Item.Create:engineering</permission>
<permission>hudson.model.Item.Delete:engineering</permission>
<permission>hudson.model.Item.Read:engineering</permission>
<permission>hudson.model.Run.Delete:engineering</permission>
<permission>hudson.model.Run.Update:engineering</permission>
<permission>hudson.model.View.Configure:engineering</permission>
<permission>hudson.model.View.Create:engineering</permission>
<permission>hudson.model.View.Delete:engineering</permission>
<permission>hudson.scm.SCM.Tag:engineering</permission>
</authorizationStrategy>
<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
<bindPassword>{this is taken out by me}</bindPassword>
</securityRealm>
It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.
Re: Matrix-based security not working with Active Directory [message #897316 is a reply to message #897159] |
Mon, 23 July 2012 14:59 |
Poon Fung wrote on Sun, 22 July 2012 13:19:
I had configured Hudson to use AD authentication and added an engineering group which had only Overall: Administrator + Read privilege. Anonymous user had no privilege on anything. I was in the engineering AD group, which I confirmed using the Outlook Address Book. Based on this configuration, I should not have privilege to any of the Slave, Job, Run, View or SCM functions. When I log in, I was able to access all functions on Hudson. Is this because admin privilege implies one also has all other privileges?
Yes, Administrator means you have control over everything.
Poon Fung wrote on Sun, 22 July 2012 13:19:
I tried another privilege setting. In this experiment, I had no admin, slave and job/workspace privileges but was given all other privileges. When I logged in, I got an error message "Access Denied, pfung is missing the Read permission".
Here is the config for this experiment:
<hudson>
<version>2.2.1</version>
<numExecutors>1</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>hudson.model.Item.Build:engineering</permission>
<permission>hudson.model.Item.Configure:engineering</permission>
<permission>hudson.model.Item.Create:engineering</permission>
<permission>hudson.model.Item.Delete:engineering</permission>
<permission>hudson.model.Item.Read:engineering</permission>
<permission>hudson.model.Run.Delete:engineering</permission>
<permission>hudson.model.Run.Update:engineering</permission>
<permission>hudson.model.View.Configure:engineering</permission>
<permission>hudson.model.View.Create:engineering</permission>
<permission>hudson.model.View.Delete:engineering</permission>
<permission>hudson.scm.SCM.Tag:engineering</permission>
</authorizationStrategy>
<securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
<bindPassword>{this is taken out by me}</bindPassword>
</securityRealm>
It looked like Hudson was getting my group info (i.e., engineering) when I logged in. But matrix security was not working the way I expected.
I believe you need to set the overall to read. As described in the description:
Quote: The read permission is necessary for viewing almost all pages of Hudson. This permission is useful when you don't want unauthenticated users to see Hudson pages — revoke this permission from the anonymous user, then add "authenticated" pseudo-user and grant the read access.
"The read permission is necessary for viewing almost all pages of Hudson" is the important part.
/**
* @author Steven Christou
* @dev Hudson-ci
*/
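The misconfiguration in this thread (a group holding job/run/view permissions but no Overall Read, so every page returns "missing the Read permission") can be caught by a small check over config.xml. The script below is an added example written for this thread, not code from the forum or from Hudson; the sample document is constructed from the second config posted above with the bind password replaced by a placeholder, and the rule it applies is the one Steve states: Administer implies everything, otherwise Overall Read is required.

```python
import xml.etree.ElementTree as ET

OVERALL_READ = "hudson.model.Hudson.Read"
OVERALL_ADMIN = "hudson.model.Hudson.Administer"

# Constructed sample based on the second config posted in the thread:
# "engineering" holds item/view/SCM rights but no Overall Read.
CONFIG_NO_OVERALL_READ = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Build:engineering</permission>
    <permission>hudson.model.Item.Read:engineering</permission>
    <permission>hudson.model.View.Configure:engineering</permission>
    <permission>hudson.scm.SCM.Tag:engineering</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm">
    <bindPassword>PLACEHOLDER_REMOVED</bindPassword>
  </securityRealm>
</hudson>
"""

def permissions_by_sid(config_xml):
    """Return {sid: set(permission ids)} from the matrix authorizationStrategy."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    grants = {}
    if strategy is None:
        return grants
    for perm in strategy.findall("permission"):
        # Entries have the form "<permission id>:<sid>"; split on the last colon.
        perm_id, sid = perm.text.strip().rsplit(":", 1)
        grants.setdefault(sid, set()).add(perm_id)
    return grants

def sids_missing_overall_read(config_xml):
    """SIDs granted something but unable to view any page: they lack Overall
    Read and do not hold Administer (which implies every permission)."""
    return sorted(
        sid for sid, perms in permissions_by_sid(config_xml).items()
        if OVERALL_READ not in perms and OVERALL_ADMIN not in perms
    )

def grant_overall_read(config_xml, sid):
    """Return a copy of the config with Overall Read added for sid."""
    root = ET.fromstring(config_xml)
    strategy = root.find("authorizationStrategy")
    el = ET.SubElement(strategy, "permission")
    el.text = f"{OVERALL_READ}:{sid}"
    return ET.tostring(root, encoding="unicode")
```

Run `sids_missing_overall_read()` over the text of your own config.xml; for the sample it reports `engineering`, and after `grant_overall_read(..., "engineering")` it reports nothing.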