New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[JENKINS-55305] Add user creation listener methods to SecurityListener #3825
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM other than the comments I've left.
I'm not clear on the use for these new methods. Are they only relevant for the internal, private security realm? |
@jeffret-b the core use case would be for in HudsonPrivateSecurityRealm, though other authentication plugins can also fire events in this same listener. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to add calls to these listeners in the appropriate places in HudsonPrivateSecurityRealm as well to help demonstrate the use case for this. Plus, we need that implemented anyways in order for this listener to be useful.
That makes sense. This operations aren't necessarily meaningful for the other domains. It would be good to provide the use for these new operations. |
@jeffret-b Hi Jeff, as Matt mentioned the use and calls to these new methods are primarily in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated tasks:
- Add appropriate calls to
fireUserCreated()
andfireFailedToCreateUser()
inHudsonPrivateSecurityRealm
- Add tests to
HudsonPrivateSecurityRealmTest
exercising these two new methods
Based on the discussion earlier, the use and calls to these new methods, which are implemented in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me!
See also JENKINS-55307 (might want to include that in your changelog in the description). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
[JENKINS-55305] Add user creation listener method Four new methods added to the SecurityListener class to enable support for listening to Jenkins user-account creation events. [JENKINS-55305] Update SecurityListener class [JENKINS-55307] Add new private-realm unit tests Added unit tests to exercise the updated methods of the HudsonPrivateSecurityRealm class. [JENKINS-55307] Update realm user-creation methods [JENKINS-55305] Remove usage of listener method Updated the SecurityListener and HudsonPrivateSecurityRealm classes, removing usage of the SecurityListener failedToCreateUser() method, as no valid Jenkins use cases could be identified for the method at this point in time.
Kicking the build. |
the incremental version still doesn't get generated with this updated PR. I'm going to try running it from a |
spoke with @daniel-beck about this earlier and decided to build the Jenkins version of this PR locally (with |
a048821
to
30deb1c
Compare
a snapshot of this working Jenkins build is located here- https://repo.jenkins-ci.org/snapshots/org/jenkins-ci/main/jenkins-core/2.158-SNAPSHOT/ |
@davidolorundare quick note: we would generally use the timestamped version |
@batmat I tried building my code with
any thoughts ? |
What I meant is about explaining where the different authentication plugins should place the event trigger call. Do I need to wait for the user account to be saved to disk, or only created in memory, etc. All those questions that we do not want to let developer too much freedom, otherwise the use of the event could become really tricky. |
Moved it back into work-in-progress as David is still working on adapting to a merge made yesterday. Closing and re-opening to kick off builds and checks. |
Consists of three changes: [JENKINS-55305] Update SecurityListener method JavaDoc [JENKINS-55307] Update HudsonPrivateSecurityRealm method [JENKINS-54965] Add new HudsonPrivateSecurityRealmTest unit-test
30deb1c
to
77ed68f
Compare
Latest updates look good. |
cc @Wadeck updates have just been made to the PR |
Such description is especially useful for the listener implementation, and thinking the user is already saved but actually not really, could be dangerous. Please either change the description or adapt the code. (The first one is safer) |
After looking at it again, I'm not fond of what we changed the JavaDoc to say. I propose changing it to just say, "Fired after a new user account has been created." That seems more universally applicable and sufficiently defined. If you've got different ideas @Wadeck, could you please clarify them? I'm not entirely sure what you're saying or suggesting. If this seems like a reasonable approach, we can ask @davidolorundare to submit a minor PR to remove that phrase. |
Is the problem here the uncertainty around the concept of 'user existence' when an external security realm is involved? I.e. a user may or may not exist at any time with external security realms (see e.g. legacy token auto creation). |
@daniel-beck that's exactly my point. The events must be defined more strictly. Look at the
As a event consumer, I am more than happy to see such things to avoid troubles. Without putting rules there, all the implementations must have multiple condition checks like does the user exist, do I need to create it, do I need to save it, can I use the session from the request, etc. And if one of the plugin is not firing the event at the correct location, the implementation will perhaps not work. So, instead of reducing the JavaDoc, I prefer to have a correction there. In this case, we need to say that the user is created but not yet saved. More generally for events, we need to ensure:
Consequences of the two first points, due to the ecosystem:
It's like a positive feedback cycle. Without plugins listening to the events, nobody will care. |
I'm not sure this would actually be useful. There's a huge difference between built in security realm notifications of user creation, and external ones. |
When LDAP plugin received for the first time a user, it will create an account in the internal User database. From my understanding, this event should triggered in such case, no? Otherwise the audit plugin will be able to follow the user creation only if you are using the embedded security realm, that is a bit restrictive IMHO. |
I'm not sure this is relevant enough. A user might as well already exist in Jenkins from SCM based sources, so it's not even as if this would reliably indicate a 'first ever login'.
Users in external security realms just exist independent of Jenkins. |
External security realms have their own audit logging. |
As we can see with the discussion here, the JavaDoc must be rewritten. If it's specific for the embedded security realm, it must written explicitely. |
Maybe I'm just not understanding what you precisely mean by "saved". In the specific case of (The flow and implementation of user handling has many structural problems. It would be nice to clean many parts of that up and make it sensible but that's difficult.) We shouldn't expect that all providers have a distinct state of "saved" or that "created" is separate from it. With the
Any idea that this should be possible or meaningful is part of the structural flaws in handling users. Access to the operations should be via the service or API. Intimate, private knowledge should be discouraged, especially when it runs behind the interface.
How is that relevant to Jenkins? We should only be concerned about what is exposed through their interface and not how they implement and store things.
I don't think so. Maybe the JavaDoc can be improve to clarify that, but I can't quite figure out what it would say. There is already such a mess with account users, SCM users, and ephemeral users and unclear states and connections between them. (I think you're actually addressing some different points, but I'm not understanding your concerns and intentions. Perhaps if you could propose what the JavaDoc should say or how the implementation should be changed that would help.) |
I put the breakpoint on the So I am fine with that part of the JavaDoc. ===========
As everyone seems to say that an external security realm should not be able to use the IIUC we do not want external security realm to trigger the event because potentially the user was already existing due to SCM, right? As the changelog says: "Jenkins user-account creation", that could be confusing for authentication plugins to comply. If we do not want them to try, we need to restrict the event trigger and explicitely say it's for internal realm only. |
A plugin could easily provide an alternative 'internal' user database with legitimate uses of |
OK let's stop the discussion there, let the JavaDoc as is and we will react in the future only if it's required. |
See JENKINS-55305 and JENKINS-55307.
SecurityListener
class to enable support for listening to Jenkins user-account creation events. The rationale for the additions is discussed in the above ticket.SecurityListener
methods were made in the user-creation methods of theHudsonPrivateSecurityRealm
class.Proposed changelog entries
jenkins.security.SecurityListener
to support notification of Jenkins user-account creation events.hudson.security.HudsonPrivateSecurityRealm
adding notification(s) of user-account creation success events to its methods.Submitter checklist
* Use the
Internal:
prefix if the change has no user-visible impact (API, test frameworks, etc.)Desired reviewers
@jvz
@jeffret-b
@daniel-beck