Permalink
Browse files

[FIXED JENKINS-13526] use '@' prefix to force PAM to interpret the us…

…er/group as a group
  • Loading branch information...
1 parent 2258313 commit db1b7eef1a9a67b5f08e73d349230e0cec5a485d Rob Petti committed with kohsuke Apr 19, 2012
View
@@ -64,6 +64,9 @@
End up more gracefully if there's some problem when searching for user partipication in the build
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-13564">issue 13564</a>)
<li class=rfe>
+ PAM authentication supports '@group' to force interpretation as a group instead of user.
+ (<a href="https://issues.jenkins-ci.org/browse/JENKINS-13526">issue 13526</a>)
+ <li class=rfe>
Added a DISCOVER permission to allow anonymous users to be presented the login screen
when accessing job URLs.
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-8214">issue 8214</a>)
@@ -104,12 +104,18 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
@Override
public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
- if(CLibrary.libc.getgrnam(groupname)==null)
- throw new UsernameNotFoundException(groupname);
+ final String group;
+ if(groupname.startsWith("@")) {
+ group = groupname.substring(1);
+ } else {
+ group = groupname;
+ }
+ if(CLibrary.libc.getgrnam(group)==null)
+ throw new UsernameNotFoundException(group);
return new GroupDetails() {
@Override
public String getName() {
- return groupname;
+ return group;
}
};
}
@@ -5,7 +5,13 @@
<p>
This mode will also allow you to use Unix groups for authorization. For example,
- you can say "everyone in the 'developers' group will have the administrator access".
+ you can say "everyone in the 'developers' group will have the administrator access".
+
+ <p>
+ Unix allows an user and a group to have the same name. If you need to disambiguate,
+ you can use the '@' prefix to force the name to be interpreted as a group. For example,
+ '@dev' would mean the 'dev' group and not the 'dev' user, while 'dev' would be interpreted
+ as an user if you indeed have the user of that name.
<p>
This is done through a library called <a href="http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules">PAM</a>,

0 comments on commit db1b7ee

Please sign in to comment.