[FIXED JENKINS-34881] - handle non-default security settings for new installs #2364
@@ -193,7 +188,7 @@ private static InstallState getDefaultInstallState() { | |||
// Edge case: used Jenkins 1 but did not save the system config page, | |||
// the version is not persisted and returns 1.0, so try to check if | |||
// they actually did anything | |||
if (!j.getItemMap().isEmpty() || !mayBeJenkins2SecurityDefaults(j) || !j.getNodes().isEmpty()) { |
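Review bot: The `!mayBeJenkins2SecurityDefaults(j)` operand in the `if` condition makes any non-default security configuration count as evidence of a Jenkins 1 upgrade, so a fresh install whose security was configured before first start would be classified as an upgrade. Consider deciding on `j.getItemMap()` and `j.getNodes()` alone, and extend the comment above the condition to name exactly which signals count as "actually did anything", so the next reader can see why security settings are excluded.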
We cannot rely on security settings for determining if this is an upgrade or new install; scripts may set up security.
Any better suggestions to handle this case are welcome! :)
🐝 AIUI (but if the security settings are present do we force a login to admin role before starting the wizard? (Remember the security realm could be something like Google apps authentication so presenting a username/password form would be a spectacular fail)
@stephenc we use the default behavior of the security realm / auth strategy, e.g. if you set
before you start the wizard you need to either:
So basically the page that starts the flow needs to require admin permissions if not using the new admin lockdown mode. I think it is ok to block at that login screen before continuing if the wizard is going to be displayed.
@stephenc thanks for the feedback, it was already redirecting to the admin page, but it seemed unreliable; adding the extra
@kzantow the behavior is strange. At least my SSO engine does not work well
🐜, seems redirect to an errorLogin by permission check is a wrong approach. Maybe page refresh? It should require login for the current permission check from what I see
@kzantow gentle bump
…pWizard-handle-custom-security-realm
@oleg-nenashev I tracked down the issue that the token-based login page was not forwarding the 'from' parameter; please have a look at this again
The change looks good. Testing it
@kzantow
Retested the change again with jenkins-2.7. Everything works fine. Maybe it was a glitch caused by other fixes OR maybe I've just built the stuff improperly. Works like a charm for me 🐝
@reviewbybees done
I am going to merge this PR in the evening if there is no extra feedback
…ew installs (#2364) * [FIXED JENKINS-34881] - handle non-default security settings for new installs * Ensure permissions * Initial security authentication token should still follow redirects (cherry picked from commit 723dfca)
…ew installs (jenkinsci#2364) * [FIXED JENKINS-34881] - handle non-default security settings for new installs * Ensure permissions * Initial security authentication token should still follow redirects
Some applications may provide an init script or otherwise configure security before the setup wizard runs. This correctly handles these situations by avoiding presenting the unlock screen and avoiding the 'create user' step in the setup wizard.
This addresses: https://issues.jenkins-ci.org/browse/JENKINS-34881
@reviewbybees esp. @oleg-nenashev