I am running Jenkins (currently v2.134, always up to date from Jenkins Debian/Ubuntu repo) on an Ubuntu 18.04 server. It is configured to use the pwauth plugin for authentication against system accounts.
Here is the configuration section for the pwauth plugin (generated from changing the settings in the GUI):
<securityRealm class="hudson.plugins.pwauth.PWauthSecurityRealm" plugin="[email protected]">
<pwauthPath>/usr/sbin/pwauth</pwauthPath>
<whitelist></whitelist>
<enableParamAuth>false</enableParamAuth>
<idPath>/usr/bin/id</idPath>
<groupsPath>/usr/bin/groups</groupsPath>
<catPath>/bin/cat</catPath>
<grepPath>/bin/grep</grepPath>
</securityRealm>
It is using the Matrix Authorization strategy, with a group named jenkinsadmins having full permissions (config below is also generated from changing the settings in the GUI). To allow users to log into Jenkins, we just add them to this Unix group:
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create:jenkinsadmins</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete:jenkinsadmins</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:jenkinsadmins</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update:jenkinsadmins</permission>
<permission>com.cloudbees.plugins.credentials.CredentialsProvider.View:jenkinsadmins</permission>
<permission>hudson.model.Computer.Build:jenkinsadmins</permission>
<permission>hudson.model.Computer.Configure:jenkinsadmins</permission>
<permission>hudson.model.Computer.Connect:jenkinsadmins</permission>
<permission>hudson.model.Computer.Create:jenkinsadmins</permission>
<permission>hudson.model.Computer.Delete:jenkinsadmins</permission>
<permission>hudson.model.Computer.Disconnect:jenkinsadmins</permission>
<permission>hudson.model.Hudson.Administer:jenkinsadmins</permission>
<permission>hudson.model.Hudson.Read:jenkinsadmins</permission>
<permission>hudson.model.Item.Build:jenkinsadmins</permission>
<permission>hudson.model.Item.Cancel:jenkinsadmins</permission>
<permission>hudson.model.Item.Configure:jenkinsadmins</permission>
<permission>hudson.model.Item.Create:jenkinsadmins</permission>
<permission>hudson.model.Item.Delete:jenkinsadmins</permission>
<permission>hudson.model.Item.Discover:jenkinsadmins</permission>
<permission>hudson.model.Item.Move:jenkinsadmins</permission>
<permission>hudson.model.Item.Read:jenkinsadmins</permission>
<permission>hudson.model.Item.ViewStatus:anonymous</permission>
<permission>hudson.model.Item.ViewStatus:jenkinsadmins</permission>
<permission>hudson.model.Item.Workspace:jenkinsadmins</permission>
<permission>hudson.model.Run.Delete:jenkinsadmins</permission>
<permission>hudson.model.Run.Update:jenkinsadmins</permission>
<permission>hudson.model.View.Configure:jenkinsadmins</permission>
<permission>hudson.model.View.Create:jenkinsadmins</permission>
<permission>hudson.model.View.Delete:jenkinsadmins</permission>
<permission>hudson.model.View.Read:jenkinsadmins</permission>
<permission>hudson.scm.SCM.Tag:jenkinsadmins</permission>
<permission>org.jenkins.ci.plugins.jobimport.JobImportAction.JobImport:jenkinsadmins</permission>
</authorizationStrategy>
The problem is that every time I restart Jenkins (including automatically after a server reboot, after a Jenkins update, or after changing plugins), I can no longer log in - Jenkins tells me "Invalid username or password."
However, I know that this configuration actually works, because I can go into the config.xml and change <useSecurity> to false to disable all login requirements (and restart), then go back into the settings and reapply these settings, in which case it immediately prompts me to log in and my username and password are accepted!
I have checked the logs, and I see nothing relevant.
I also know that pwauth itself is working fine, as I can log in to a shell as the Jenkins user and run pwauth by hand and it works as expected.
How can I figure out why this configuration seems to work only until the server is restarted?
I ran into the same issue with the newer v2.263.4. I was able to resolve it by creating a symlink to pwauth at the default expected location: /usr/local/bin/pwauth. It seems that on restart, Jenkins searches for pwauth in the factory default path instead of the custom user specified path. Seems like a bug.
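A diagnostic for the workaround above, as an added example that is not part of the original answer: it reads <pwauthPath> from a Jenkins config.xml and reports whether the configured path and the default /usr/local/bin/pwauth each resolve to an executable. The function names are hypothetical, and the /var/lib/jenkins/config.xml location in the usage comment is an assumption about the Debian/Ubuntu package layout.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the first <pwauthPath> value found in a Jenkins config.xml.
configured_pwauth_path() {
    sed -n 's:.*<pwauthPath>\(.*\)</pwauthPath>.*:\1:p' "$1" | head -n 1
}

# True when the path (symlinks followed) is a regular, executable file.
is_executable_file() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Classify the setup and print one word:
#   unset         config.xml has no <pwauthPath>
#   broken        the configured path is missing or not executable
#   need-symlink  configured path works, default location does not
#   ok            both locations resolve to an executable
check_pwauth_paths() {
    config=$1
    default=${2:-/usr/local/bin/pwauth}   # default location named in the answer
    configured=$(configured_pwauth_path "$config")
    if [ -z "$configured" ]; then
        echo unset
    elif ! is_executable_file "$configured"; then
        echo broken
    elif is_executable_file "$default"; then
        echo ok
    else
        echo need-symlink
    fi
}

# Usage (config location is an assumption for the Debian/Ubuntu package):
#   check_pwauth_paths /var/lib/jenkins/config.xml
```

A result of need-symlink matches the situation the answer describes: the configured path works, but nothing exists at the default location.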
I tested again and as of Jenkins v2.202, this is working properly. I have not changed any settings that I know of, and I don't see anything in the change logs of the last few versions, but it could be that there was a bug that was accidentally fixed.