[FIXED JENKINS-22346]

The original motivation for the fix (to prevent users from logging in once he's removed from the backend identity database) is legitimate, but it affected too many users. So as an escape hatch / non-promoted feature switch, I'm adding this option to bring back the old behaviour.

[FIXED JENKINS-22346]
The original motivation for the fix (to prevent users from logging in once he's removed from the backend identity database) is legitimate, but it affected too many users. So as an escape hatch / non-promoted feature switch, I'm adding this option to bring back the old behaviour.
80e9f3f5 · Kohsuke Kawaguchi · e9bf4b71 · 80e9f3f5 · 80e9f3f5
隐藏空白更改
内联并排

Showing with 15 addition and 1 deletion

changelog.html changelog.html +3 -0

core/src/main/java/hudson/model/User.java core/src/main/java/hudson/model/User.java +12 -1

未找到文件。
--- a/changelog.html
+++ b/changelog.html
@@ -79,6 +79,9 @@ Upcoming changes</a>
  <li class="rfe">
    Show displayName in build remote API.
    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-26723">issue 26723</a>)
+  <li class=rfe>
+    Added a switch (<tt>-Dhudson.model.User.allowNonExistentUserToLogin=true</tt>) to let users login even when the record is not found in the backend security realm.
+    (<a href="https://issues.jenkins-ci.org/browse/JENKINS-22346">issue 22346</a>)
 </ul>
 <h3><a name=v1.601>What's new in 1.601</a> (2015/03/03)</h3>
 <ul class=image>

--- a/core/src/main/java/hudson/model/User.java
+++ b/core/src/main/java/hudson/model/User.java
@@ -304,7 +304,8 @@ public class User extends AbstractModelObject implements AccessControlled, Descr
            // backend can't load information about other users. so use the stored information if available
        } catch (UsernameNotFoundException e) {
            // if the user no longer exists in the backend, we need to refuse impersonating this user
-            throw e;
+            if (!ALLOW_NON_EXISTENT_USER_TO_LOGIN)
+                throw e;
        } catch (DataAccessException e) {
            // seems like it's in the same boat as UserMayOrMayNotExistException
        }
@@ -976,5 +977,15 @@ public class User extends AbstractModelObject implements AccessControlled, Descr
        }
    }

+    /**
+     * Jenkins now refuses to let the user login if he/she doesn't exist in {@link SecurityRealm},
+     * which was necessary to make sure users removed from the backend will get removed from the frontend.
+     * <p>
+     * Unfortunately this infringed some legitimate use cases of creating Jenkins-local users for
+     * automation purposes. This escape hatch switch can be enabled to resurrect that behaviour.
+     *
+     * JENKINS-22346.
+     */
+    public static boolean ALLOW_NON_EXISTENT_USER_TO_LOGIN = Boolean.getBoolean(User.class.getName()+".allowNonExistentUserToLogin");
 }