Can Jenkins utilize the user's Kerberos ticket? The 2019 Stack Overflow Developer Survey Results Are InKerberos + Ldap Setup not working with sshKerberos service login only possible for 30 minutes after running ktpass.exeAuthenticate Samba share via Kerberos using Open DirectoryProxy Kerberos Authentication - Kerberos Service Ticket IssuesCan ssh generate a kerberos ticket? (FreeBSD)Ubuntu SSH passwordless login using kerberosApache Kerberos Authentication : KDC has no support for encryption typeRHEL7 NFSv4 client with krb5 : how to make it non-interactiveWindows Server 2016 Kerberized NFSv3 with Centos 7 Client Permission Denied when Share Accessed with non-root userKerberos delegation with Apache, SSSD and FreeIPA
What was the last CPU that did not have the x87 floating-point unit built in?
Why didn't the Event Horizon Telescope team mention Sagittarius A*?
What is the motivation for a law requiring 2 parties to consent for recording a conversation
How to translate "being like"?
Keeping a retro style to sci-fi spaceships?
Output the Arecibo Message
Cooking pasta in a water boiler
Can an undergraduate be advised by a professor who is very far away?
Geography at the pixel level
Is it safe to harvest rainwater that fell on solar panels?
Kerning for subscripts of sigma?
Why don't hard Brexiteers insist on a hard border to prevent illegal immigration after Brexit?
Is there a way to generate a uniformly distributed point on a sphere from a fixed amount of random real numbers?
How to add class in ko template in magento2
What information about me do stores get via my credit card?
Deal with toxic manager when you can't quit
Can there be female White Walkers?
What is the meaning of Triage in Cybersec world?
Did any laptop computers have a built-in 5 1/4 inch floppy drive?
Did Scotland spend $250,000 for the slogan "Welcome to Scotland"?
How did passengers keep warm on sail ships?
What is preventing me from simply constructing a hash that's lower than the current target?
Falsification in Math vs Science
Is it ethical to upload a automatically generated paper to a non peer-reviewed site as part of a larger research?
Can Jenkins utilize the user's Kerberos ticket?
The 2019 Stack Overflow Developer Survey Results Are InKerberos + Ldap Setup not working with sshKerberos service login only possible for 30 minutes after running ktpass.exeAuthenticate Samba share via Kerberos using Open DirectoryProxy Kerberos Authentication - Kerberos Service Ticket IssuesCan ssh generate a kerberos ticket? (FreeBSD)Ubuntu SSH passwordless login using kerberosApache Kerberos Authentication : KDC has no support for encryption typeRHEL7 NFSv4 client with krb5 : how to make it non-interactiveWindows Server 2016 Kerberized NFSv3 with Centos 7 Client Permission Denied when Share Accessed with non-root userKerberos delegation with Apache, SSSD and FreeIPA
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I'm setting up a new Jenkins server. It will authenticate users against the corporate AD. Most of the tasks we have in mind require logging-in to other hosts (via ssh).
Can Jenkins be configured to, upon a user's login:
- Obtain a Kerberos ticket (
kinit). - Make that ticket available (as file, location set by an environment variable) to any Jenkins job run by that user -- so that access to the other hosts can still be controlled via
.k5users/.k5login.
What add-ons/plugins should I look at?
linux kerberos jenkins
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
add a comment |
I'm setting up a new Jenkins server. It will authenticate users against the corporate AD. Most of the tasks we have in mind require logging-in to other hosts (via ssh).
Can Jenkins be configured to, upon a user's login:
- Obtain a Kerberos ticket (
kinit). - Make that ticket available (as file, location set by an environment variable) to any Jenkins job run by that user -- so that access to the other hosts can still be controlled via
.k5users/.k5login.
What add-ons/plugins should I look at?
linux kerberos jenkins
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30
add a comment |
I'm setting up a new Jenkins server. It will authenticate users against the corporate AD. Most of the tasks we have in mind require logging-in to other hosts (via ssh).
Can Jenkins be configured to, upon a user's login:
- Obtain a Kerberos ticket (
kinit). - Make that ticket available (as file, location set by an environment variable) to any Jenkins job run by that user -- so that access to the other hosts can still be controlled via
.k5users/.k5login.
What add-ons/plugins should I look at?
linux kerberos jenkins
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
I'm setting up a new Jenkins server. It will authenticate users against the corporate AD. Most of the tasks we have in mind require logging-in to other hosts (via ssh).
Can Jenkins be configured to, upon a user's login:
- Obtain a Kerberos ticket (
kinit). - Make that ticket available (as file, location set by an environment variable) to any Jenkins job run by that user -- so that access to the other hosts can still be controlled via
.k5users/.k5login.
What add-ons/plugins should I look at?
linux kerberos jenkins
linux kerberos jenkins
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
asked Apr 7 at 22:17
Mikhail T.Mikhail T.
1,4561431
1,4561431
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30
add a comment |
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30
add a comment |
1 Answer
1
active
oldest
votes
Obtaining a kerb ticket should be pretty easy since that's essentially what the Kerberos SSO plugin does. However...
...it's unlikely that you will be able to access the kerb ticket or user credentials from within your job in a satisfying manner.
- Firstly, it would be a huge security risk if it were possible, since if you can create a job that authenticates as an arbitrary user to a remote machine, then you can create a job that authenticates as any arbitrary user (who already has a valid kerb ticket) to a remote machine, which would potentially allow users to write custom jobs to authenticate as other users.
- Secondly, even if it is technically possible, it would not be simple. From my experience, the kerb ticket is stored locally, on the client machine used to access the web UI, not on the Jenkins server. Even if that's not the case, Jenkins doesn't really directly expose the profile of the user who triggered the job to the job itself. Ultimately, all Jenkins jobs are run by the Jenkins agent on the master and slave nodes. The person or agent who triggered the job is merely that - the one who triggered the job, not the one running it. You can, of course, fetch the information of the user who triggered the job, if there is one - jobs can also be triggered automatically, via cron jobs for instance. But this requires a convoluted series of API calls from within your Jenkins job definition, and I'm not even sure how to go from getting the name of the user who triggered the job to their kerb ticket. Nothing that seems remotely helpful is published by the Kerberos SSO Plugin API.
It sounds to me like you might want a plain old shell script or similar rather than a Jenkins job. I know a shell script won't have all of the features of a Jenkins job, but if you want to run a job with the credentials of the current user, then a shell script is a much better bet.
answered 2 days ago
jayhendrenjayhendren
46429
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961947%2fcan-jenkins-utilize-the-users-kerberos-ticket%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Obtaining a kerb ticket should be pretty easy since that's essentially what the Kerberos SSO plugin does. However...
...it's unlikely that you will be able to access the kerb ticket or user credentials from within your job in a satisfying manner.
- Firstly, it would be a huge security risk if it were possible, since if you can create a job that authenticates as an arbitrary user to a remote machine, then you can create a job that authenticates as any arbitrary user (who already has a valid kerb ticket) to a remote machine, which would potentially allow users to write custom jobs to authenticate as other users.
- Secondly, even if it is technically possible, it would not be simple. From my experience, the kerb ticket is stored locally, on the client machine used to access the web UI, not on the Jenkins server. Even if that's not the case, Jenkins doesn't really directly expose the profile of the user who triggered the job to the job itself. Ultimately, all Jenkins jobs are run by the Jenkins agent on the master and slave nodes. The person or agent who triggered the job is merely that - the one who triggered the job, not the one running it. You can, of course, fetch the information of the user who triggered the job, if there is one - jobs can also be triggered automatically, via cron jobs for instance. But this requires a convoluted series of API calls from within your Jenkins job definition, and I'm not even sure how to go from getting the name of the user who triggered the job to their kerb ticket. Nothing that seems remotely helpful is published by the Kerberos SSO Plugin API.
It sounds to me like you might want a plain old shell script or similar rather than a Jenkins job. I know a shell script won't have all of the features of a Jenkins job, but if you want to run a job with the credentials of the current user, then a shell script is a much better bet.
answered 2 days ago
jayhendrenjayhendren
46429
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
add a comment |
Obtaining a kerb ticket should be pretty easy since that's essentially what the Kerberos SSO plugin does. However...
...it's unlikely that you will be able to access the kerb ticket or user credentials from within your job in a satisfying manner.
- Firstly, it would be a huge security risk if it were possible, since if you can create a job that authenticates as an arbitrary user to a remote machine, then you can create a job that authenticates as any arbitrary user (who already has a valid kerb ticket) to a remote machine, which would potentially allow users to write custom jobs to authenticate as other users.
- Secondly, even if it is technically possible, it would not be simple. From my experience, the kerb ticket is stored locally, on the client machine used to access the web UI, not on the Jenkins server. Even if that's not the case, Jenkins doesn't really directly expose the profile of the user who triggered the job to the job itself. Ultimately, all Jenkins jobs are run by the Jenkins agent on the master and slave nodes. The person or agent who triggered the job is merely that - the one who triggered the job, not the one running it. You can, of course, fetch the information of the user who triggered the job, if there is one - jobs can also be triggered automatically, via cron jobs for instance. But this requires a convoluted series of API calls from within your Jenkins job definition, and I'm not even sure how to go from getting the name of the user who triggered the job to their kerb ticket. Nothing that seems remotely helpful is published by the Kerberos SSO Plugin API.
It sounds to me like you might want a plain old shell script or similar rather than a Jenkins job. I know a shell script won't have all of the features of a Jenkins job, but if you want to run a job with the credentials of the current user, then a shell script is a much better bet.
answered 2 days ago
jayhendrenjayhendren
46429
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
add a comment |
Obtaining a kerb ticket should be pretty easy since that's essentially what the Kerberos SSO plugin does. However...
...it's unlikely that you will be able to access the kerb ticket or user credentials from within your job in a satisfying manner.
- Firstly, it would be a huge security risk if it were possible, since if you can create a job that authenticates as an arbitrary user to a remote machine, then you can create a job that authenticates as any arbitrary user (who already has a valid kerb ticket) to a remote machine, which would potentially allow users to write custom jobs to authenticate as other users.
- Secondly, even if it is technically possible, it would not be simple. From my experience, the kerb ticket is stored locally, on the client machine used to access the web UI, not on the Jenkins server. Even if that's not the case, Jenkins doesn't really directly expose the profile of the user who triggered the job to the job itself. Ultimately, all Jenkins jobs are run by the Jenkins agent on the master and slave nodes. The person or agent who triggered the job is merely that - the one who triggered the job, not the one running it. You can, of course, fetch the information of the user who triggered the job, if there is one - jobs can also be triggered automatically, via cron jobs for instance. But this requires a convoluted series of API calls from within your Jenkins job definition, and I'm not even sure how to go from getting the name of the user who triggered the job to their kerb ticket. Nothing that seems remotely helpful is published by the Kerberos SSO Plugin API.
It sounds to me like you might want a plain old shell script or similar rather than a Jenkins job. I know a shell script won't have all of the features of a Jenkins job, but if you want to run a job with the credentials of the current user, then a shell script is a much better bet.
answered 2 days ago
jayhendrenjayhendren
46429
Obtaining a kerb ticket should be pretty easy since that's essentially what the Kerberos SSO plugin does. However...
...it's unlikely that you will be able to access the kerb ticket or user credentials from within your job in a satisfying manner.
- Firstly, it would be a huge security risk if it were possible, since if you can create a job that authenticates as an arbitrary user to a remote machine, then you can create a job that authenticates as any arbitrary user (who already has a valid kerb ticket) to a remote machine, which would potentially allow users to write custom jobs to authenticate as other users.
- Secondly, even if it is technically possible, it would not be simple. From my experience, the kerb ticket is stored locally, on the client machine used to access the web UI, not on the Jenkins server. Even if that's not the case, Jenkins doesn't really directly expose the profile of the user who triggered the job to the job itself. Ultimately, all Jenkins jobs are run by the Jenkins agent on the master and slave nodes. The person or agent who triggered the job is merely that - the one who triggered the job, not the one running it. You can, of course, fetch the information of the user who triggered the job, if there is one - jobs can also be triggered automatically, via cron jobs for instance. But this requires a convoluted series of API calls from within your Jenkins job definition, and I'm not even sure how to go from getting the name of the user who triggered the job to their kerb ticket. Nothing that seems remotely helpful is published by the Kerberos SSO Plugin API.
It sounds to me like you might want a plain old shell script or similar rather than a Jenkins job. I know a shell script won't have all of the features of a Jenkins job, but if you want to run a job with the credentials of the current user, then a shell script is a much better bet.
answered 2 days ago
jayhendrenjayhendren
46429
answered 2 days ago
jayhendrenjayhendren
46429
answered 2 days ago
jayhendrenjayhendren
46429
answered 2 days ago
jayhendrenjayhendren
46429
46429
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
add a comment |
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
I thought of using Jenkins credentials' store -- and limiting access to other people's tickets that way. However, it is not much of a concern anyway in our peculiar case... Lastly Kerberos SSO plugin is not a requirement - we could just use AD directly...
– Mikhail T.
2 days ago
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f961947%2fcan-jenkins-utilize-the-users-kerberos-ticket%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
As far as I know the typical Kerberos plugins for Jenkins (and many other web applications as) only provide Single Sign On and authentication in the web front-end and won't provide Kerberos functionality for use in your r pipe-lines and jobs as the Kerberos ticket the Jenkins front-end will see will only be valid for authenticating to the Jenkins host. I think there are three problems you would need to solve:
– HBruijn
Apr 8 at 6:24
the easier one to solve would be to ensure that you get Jenkins to request a ticket that has the forwardable and renewable flags set , then include that ticket in the pipeline, ensure renewal and finally even renewable tickets will still expire and break authentication in your pipe-line... That would at first glance appear a bit fragile.
– HBruijn
Apr 8 at 6:30