[FIXED JENKINS-22346]
The original motivation for the fix (to prevent users from logging in
once he's removed from the backend identity database) is legitimate,
but it affected too many users.

So as an escape hatch / non-promoted feature switch, I'm adding this
option to bring back the old behaviour.
kohsuke committed Mar 12, 2015
1 parent e9bf4b7 commit 80e9f3f
Showing 2 changed files with 15 additions and 1 deletion.
3 changes: 3 additions & 0 deletions changelog.html
Expand Up @@ -79,6 +79,9 @@ <h3><a name=v1.602>What's new in 1.602</a> (2015/03/08)</h3>
<li class="rfe">
Show displayName in build remote API.
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-26723">issue 26723</a>)
<li class=rfe>
Added a switch (<tt>-Dhudson.model.User.allowNonExistentUserToLogin=true</tt>) to let users login even when the record is not found in the backend security realm.
(<a href="https://issues.jenkins-ci.org/browse/JENKINS-22346">issue 22346</a>)
</ul>
<h3><a name=v1.601>What's new in 1.601</a> (2015/03/03)</h3>
<ul class=image>
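Review bot: the new changelog entry for `-Dhudson.model.User.allowNonExistentUserToLogin=true` describes only the permissive effect and leaves out the trade-off. Per the commit message, the check being bypassed exists to stop users from logging in after removal from the backend identity database, so the entry should say that the switch is off unless set and that turning it on lets an account missing from the security realm keep logging in. Minor: the added `<li class=rfe>` is unquoted while the entry just above uses `<li class="rfe">`.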
13 changes: 12 additions & 1 deletion core/src/main/java/hudson/model/User.java
Expand Up @@ -304,7 +304,8 @@ public <T extends UserProperty> T getProperty(Class<T> clazz) {
// backend can't load information about other users. so use the stored information if available
} catch (UsernameNotFoundException e) {
// if the user no longer exists in the backend, we need to refuse impersonating this user
throw e;
if (!ALLOW_NON_EXISTENT_USER_TO_LOGIN)
throw e;
} catch (DataAccessException e) {
// seems like it's in the same boat as UserMayOrMayNotExistException
}
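Review bot: in the `catch (UsernameNotFoundException e)` branch, when `ALLOW_NON_EXISTENT_USER_TO_LOGIN` is true the exception is swallowed with no trace, and the unchanged comment above it ("we need to refuse impersonating this user") no longer describes what the code does. Suggest logging the suppressed exception so that use of the escape hatch is auditable, updating the comment to mention the switch, and putting braces around the single-statement `if` so a later edit cannot detach the `throw e;` from its condition.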
Expand Down Expand Up @@ -976,5 +977,15 @@ public int getPriority() {
}
}

/**
* Jenkins now refuses to let the user login if he/she doesn't exist in {@link SecurityRealm},
* which was necessary to make sure users removed from the backend will get removed from the frontend.
* <p>
* Unfortunately this infringed some legitimate use cases of creating Jenkins-local users for
* automation purposes. This escape hatch switch can be enabled to resurrect that behaviour.
*
* JENKINS-22346.
*/
public static boolean ALLOW_NON_EXISTENT_USER_TO_LOGIN = Boolean.getBoolean(User.class.getName()+".allowNonExistentUserToLogin");
}
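Review bot: `public static boolean ALLOW_NON_EXISTENT_USER_TO_LOGIN` is a public, non-final field guarding an authentication check, so any code running in the same JVM can flip it after startup, not only the system property. If runtime toggling is intended, say so in the Javadoc; otherwise declare the field `final`. The Javadoc should also state the default (`Boolean.getBoolean` returns false when the property is unset) and that enabling the switch means users removed from the backend are no longer refused.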
