[FIXED JENKINS-13526] use '@' prefix to force PAM to interpret the us…

…er/group as a group
jenkinsci · Apr 26, 2012 · db1b7ee · db1b7ee
1 parent 2258313
commit db1b7ee
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/changelog.html b/changelog.html
@@ -63,6 +63,9 @@
   <li class=bug>
     End up more gracefully if there's some problem when searching for user partipication in the build
     (<a href="https://issues.jenkins-ci.org/browse/JENKINS-13564">issue 13564</a>)
+  <li class=rfe>
+    PAM authentication supports '@group' to force interpretation as a group instead of user.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-13526">issue 13526</a>)
   <li class=rfe>
     Added a DISCOVER permission to allow anonymous users to be presented the login screen
     when accessing job URLs.

diff --git a/core/src/main/java/hudson/security/PAMSecurityRealm.java b/core/src/main/java/hudson/security/PAMSecurityRealm.java
@@ -104,12 +104,18 @@ private static GrantedAuthority[] toAuthorities(UnixUser u) {
 
     @Override
     public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
-        if(CLibrary.libc.getgrnam(groupname)==null)
-            throw new UsernameNotFoundException(groupname);
+        final String group;
+        if(groupname.startsWith("@")) {
+            group = groupname.substring(1);
+        } else {
+            group = groupname;
+        }
+        if(CLibrary.libc.getgrnam(group)==null)
+            throw new UsernameNotFoundException(group);
         return new GroupDetails() {
             @Override
             public String getName() {
-                return groupname;
+                return group;
             }
         };
     }

diff --git a/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html b/core/src/main/resources/hudson/security/PAMSecurityRealm/help.html
@@ -5,7 +5,13 @@
 
   <p>
   This mode will also allow you to use Unix groups for authorization. For example,
-  you can say "everyone in the 'developers' group will have the administrator access". 
+  you can say "everyone in the 'developers' group will have the administrator access".
+
+  <p>
+  Unix allows an user and a group to have the same name. If you need to disambiguate,
+  you can use the '@' prefix to force the name to be interpreted as a group. For example,
+  '@dev' would mean the 'dev' group and not the 'dev' user, while 'dev' would be interpreted
+  as an user if you indeed have the user of that name.
 
   <p>
   This is done through a library called <a href="http://en.wikipedia.org/wiki/Pluggable_Authentication_Modules">PAM</a>,