On 18 November 2017 at 14:57, <[email protected]> wrote:

> Jenkins currently does not support multiple security realms.
> However, it should be a reasonable use case to allow both AD / LDAP
> logins for individuals (e.g. developers) and logins using Jenkins' own local
> user database for administrative roles (e.g. user maintenance team) and
> emergency situations (e.g. AD server out of work) in a sizable organization.
>
> I have searched the issue list and found the following related / similar
> issues, and no :
> JENKINS-3404 mix LDAP and local Hudson users
> <https://issues.jenkins-ci.org/browse/JENKINS-3404>
> JENKINS-15063 support for multiple security realms with failover
> <https://issues.jenkins-ci.org/browse/JENKINS-15063>
> JENKINS-29162 Jenkins internal user in order to be able to log-in under an
> authentication failure with LDAP AD, ...
> <https://issues.jenkins-ci.org/browse/JENKINS-29162>
>
> Since I have not seen any existing solution such as Jenkins API
> enhancement or new plugin to support multiple security realms, I want to
> kick start the discussion by proposing my workaround idea.
>
> The idea is simple: create a new security realm (composite) which
> delegates method calls to some chosen security realms (components).
> Here is the prototype: Composite security realm plugin
> <https://github.com/tycrelic/composite-security-realm-plugin>
>
> For the prototype, the following assumptions are made:
> 1. It only supports password-based component security realms.
> 2. The user name collision among different security realms is avoided by
> using the order in the configuration as the precedence.
>

In evaluating the chain, if one delegate realm is off-line, no subsequent
delegate realms can be considered on-line.

Group membership is going to be tricky (not impossible) as you will need
to know which delegate realm the group came from and only match against
users from that same realm.

In general the group support is going to be where you have the worst time.


> 3. To avoid account locking because of the same user name with different
> passwords in different component security realms, the method
> SecurityRealm.loadUserByUsername(String username) should work properly
> instead of throwing an exception.
>
> Please share your points of view regarding the workaround, whether it
> is feasible or has fatal issues.
> If you have implemented a more mature private plugin for support of
> multiple security realms and are willing to make it open source, you may
> also post the link of the source code here for discussion.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/jenkinsci-dev/7c1b5996-d1af-439a-890d-341514a1ebab%
> 40googlegroups.com
> <https://groups.google.com/d/msgid/jenkinsci-dev/7c1b5996-d1af-439a-890d-341514a1ebab%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
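
A minimal model of the two points raised in the reply above (an off-line delegate stops the chain; a group is matched only against users from the realm it came from), added here as an illustration and not taken from the thread or the prototype plugin. `Realm`, `User`, `Group`, `resolve` and `isMember` are hypothetical names, not Jenkins APIs, and the realm contents are constructed sample data.

```java
import java.util.*;

// Hypothetical model, not the Jenkins SecurityRealm API or the prototype plugin.
public class CompositeRealmDemo {
    static class RealmOfflineException extends RuntimeException {
        RealmOfflineException(String realm) { super(realm + " is off-line"); }
    }
    // A user and a group both carry the id of the realm they came from.
    record User(String name, String realm, Set<String> groups) {}
    record Group(String realm, String name) {}
    // Constructed stand-in for a delegate realm (users map: name -> group names).
    record Realm(String id, boolean online, Map<String, Set<String>> users) {
        Optional<User> lookup(String name) {
            if (!online) throw new RealmOfflineException(id);
            return Optional.ofNullable(users.get(name)).map(g -> new User(name, id, g));
        }
    }

    // Walk delegates in configured order. An off-line delegate aborts the walk:
    // it may own the name (order is the precedence), so later realms are not asked.
    static Optional<User> resolve(List<Realm> chain, String name) {
        for (Realm r : chain) {
            Optional<User> u = r.lookup(name); // RealmOfflineException propagates
            if (u.isPresent()) return u;
        }
        return Optional.empty();
    }

    // Membership holds only when user and group come from the same delegate realm.
    static boolean isMember(User u, Group g) {
        return u.realm().equals(g.realm()) && u.groups().contains(g.name());
    }

    public static void main(String[] args) {
        Realm local = new Realm("local", true, Map.of("root", Set.of("admins")));
        Realm ldapDown = new Realm("ldap", false, Map.of());
        Realm ldapUp = new Realm("ldap", true, Map.of("alice", Set.of("admins")));
        // Local first: the emergency account still resolves while LDAP is down.
        User root = resolve(List.of(local, ldapDown), "root").orElseThrow();
        System.out.println(root.name() + " resolved from " + root.realm());
        // LDAP first and down: the walk stops before the local realm is reached.
        try { resolve(List.of(ldapDown, local), "root"); }
        catch (RealmOfflineException e) { System.out.println("login refused: " + e.getMessage()); }
        // Same group name, different realm: local "admins" is not LDAP "admins".
        User alice = resolve(List.of(local, ldapUp), "alice").orElseThrow();
        System.out.println(isMember(alice, new Group("ldap", "admins")));
        System.out.println(isMember(root, new Group("ldap", "admins")));
    }
}
```

Under this rule the order of delegates decides whether the local emergency account is usable during a directory outage, so the local realm has to precede the directory-backed one for that use case to work.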
