3

Goal:

I want do write an application that can trigger Jenkins jobs and itself also authenticates users against the Crowd server. The users must be in a separate crowd group to be authorized to act on Jenkins.

Setup:

I am using the Crowd2 plugin to authenticate Jenkins users against an Atlassian Crowd 2.1 server.

My thoughts:

Now, Jenkins has two types of remote execution:

  • Jenkins REST API (uses a per-user Token for authentication)

    A build can be triggered through this call using a "TOKEN" in a way like this:
    JENKINS_URL/job/JOBNAME/build?token=TOKEN

  • Jenkins CLI (uses an SSH key for authentication)

    A build can be triggered through an command line tool using the SSH private key to authenticate the user.

The token-approach (REST API)...

... requires my application to know the API token.

How could I bypass the API token limitation?

Storing the API token within Crowd?

The Crowd2 Jenkins plugin could store the Jenkins API token as an crowd attribute (user-defined properties which can be stored within the crowd user directory), is one way. Even though I think this could be a security flaw, as the attribute might be retrieved from all other applications registered at Crowd (which would enable them to execute Jenkins jobs on the users behalf).

Q: Good approach and secure enough? In my opinion, this is not secure enough.

Authenticating with my applications crowd token against Jenkins?

I've also tried generating a crowd-token through Crowd's API and then requesting the Jenkins REST API with that token as Cookie in the hope that the Jenkins crowd2 plugin validates the passed Crowd token against Crowd. But it does not work (when using the crowd token from my browser, by examining the page information in Firefox, it works, of course).

I am not sure if this approach (if the crowd2 plugin would check the passed token) has security flaws in it and if the crowd-token mechanism is designed to work in that way. I am sure though, that it might negatively affect Jenkins' performance as every API request has to check if the token is valid.

Q: Good approach and possible?

The CLI-approach...

...requires my application to know a SSH private key registered at Jenkins.

It would be good approach, if Jenkins would support adding SSH Keys. My application could generate a SSH key pair (with random) password and automatically store the public key on the users behalf within Jenkins.

I think this is the right way, even though it requires to extend Jenkins and maybe the authentication plugins.

Q: Is this approach possible and secure enough?

Q: Are there other approaches?

I think Jenkins should implement an OAuth endpoint for authorization (in case of the crowd plugin, it then has to delegate the authorization to Crowd) or completely detach user management from its core. Am I wrong?

Please help me improving this question, if neccessary. I can imagine that I've mixed two problems and didn't described by goal clear enough.

Note: Edited this question ~1 hr after creation (see my 1st comment).

Community
  • 1
  • 1
try-catch-finally
  • 6,720
  • 6
  • 37
  • 64
  • I changed my mind on using the CLI. If Jenkins allows to add SSH keys for authenticated users, it would be possible to generate a SSH key pair with random password in my application, store it in Jenkins on the behalf of the user and use it to run commands via CLI/SSH (using that key). Unfortunately this feature is not yet implemented. Further, it would be neccessary to authenticate directly at Jenkins or implement some delegation as stated in my question "Authenticating with my applications crowd token against Jenkins" (above). Edit: now I figured out to use shift + return for newlines. ;) – try-catch-finally Oct 28 '12 at 14:22

0 Answers0