Hi,

The approach looks good to me while it is kept in a plugin. It may cause some security implications (e.g. credentials will be sent to multiple servers), but I see no problem with it while it is documented explicitly.
I didn't dig into the code much; it can be reviewed later by code reviewers. Once the implementation is ready, IMHO it could be hosted within the Jenkins org: https://wiki.jenkins.io/display/JENKINS/Hosting+Plugins

Best regards,
Oleg Nenashev

On Saturday, 18 November 2017, 16:18:01 UTC+1, user [email protected] wrote:
> Jenkins currently does not support multiple security realms.
> However, it should be a reasonable use case to allow both AD / LDAP
> logins for individuals (e.g. developers) and logins using Jenkins' own local user
> database for administrative roles (e.g. user maintenance team) and
> emergency situations (e.g. AD server out of work) in a sizable organization.
>
> I have searched the issue list and found the following related / similar
> issues, and no :
> JENKINS-3404 mix LDAP and local Hudson users
> <https://issues.jenkins-ci.org/browse/JENKINS-3404>
> JENKINS-15063 support for multiple security realms with failover
> <https://issues.jenkins-ci.org/browse/JENKINS-15063>
> JENKINS-29162 Jenkins internal user in order to be able to log-in under an
> authentication failure with LDAP AD, ...
> <https://issues.jenkins-ci.org/browse/JENKINS-29162>
>
> Since I have not seen any existing solution such as a Jenkins API
> enhancement or a new plugin to support multiple security realms, I want to
> kick-start the discussion by proposing my workaround idea.
>
> The idea is simple: create a new security realm (composite) which
> delegates method calls to some chosen security realms (components).
> Here is the prototype: Composite security realm plugin
> <https://github.com/tycrelic/composite-security-realm-plugin>
>
> For the prototype, the following assumptions are made:
> 1. It only supports password-based component security realms.
> 2. The user name collision among different security realms is avoided by
> using the order in the configuration as the precedence.
> 3. To avoid account locking because of the same user name with different
> passwords in different component security realms, the method
> SecurityRealm.loadUserByUsername(String username) should work properly
> instead of throwing an exception.
>
> Please share your points of view regarding the workaround, whether it
> is feasible or has fatal issues.
> If you have implemented a more mature private plugin for support of
> multiple security realms and are willing to make it open source, you may
> also post the link to the source code here for discussion.
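The delegation order described in the proposal, as an added example that is not part of the thread or of the prototype plugin: a self-contained Java model in which the composite first asks each component whether it knows the user name and submits the password only to the first one that does. The `Realm` interface, the `MapRealm` class and the sample accounts are hypothetical stand-ins constructed for illustration, not the Jenkins `SecurityRealm` API.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class CompositeRealmDemo {
    // Hypothetical stand-in for a password-based component realm (not the Jenkins API).
    interface Realm {
        String name();
        boolean knowsUser(String username);   // models a user lookup that succeeds
        boolean authenticate(String username, String password);
    }

    // In-memory realm that counts how many passwords it has been sent.
    static final class MapRealm implements Realm {
        private final String name;
        private final Map<String, String> users;
        int passwordsReceived = 0;
        MapRealm(String name, Map<String, String> users) { this.name = name; this.users = users; }
        public String name() { return name; }
        public boolean knowsUser(String u) { return users.containsKey(u); }
        public boolean authenticate(String u, String p) {
            passwordsReceived++;
            return p.equals(users.get(u));
        }
    }

    // Composite: configuration order is the precedence, and only the first
    // realm that knows the user name ever receives the password.
    static Optional<String> login(List<? extends Realm> components, String user, String password) {
        for (Realm r : components) {
            if (!r.knowsUser(user)) continue;  // lookup only, no credential sent
            return r.authenticate(user, password) ? Optional.of(r.name()) : Optional.empty();
        }
        return Optional.empty();               // user name unknown to every component
    }

    public static void main(String[] args) {
        // Constructed sample data: "admin" exists in both realms with different passwords.
        MapRealm ldap = new MapRealm("ldap", Map.of("alice", "a-pw", "admin", "ldap-admin-pw"));
        MapRealm local = new MapRealm("local", Map.of("admin", "local-admin-pw", "ops", "ops-pw"));
        List<MapRealm> order = List.of(ldap, local);

        System.out.println(login(order, "ops", "ops-pw"));           // user only in the second realm
        System.out.println(login(order, "admin", "local-admin-pw")); // colliding name: first realm decides
        System.out.println("ldap saw " + ldap.passwordsReceived
                + " password(s), local saw " + local.passwordsReceived);
    }
}
```

With this ordering a user name present in an earlier realm shadows the same name in later realms, so emergency local accounts need names that do not exist in the directory.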
