Why I cannot log in directly on the Client controllers when using JOC

2 minute read

Issue

  • I cannot log in directly on the Client controllers when using JOC

Environment

  • CloudBees Jenkins Enterprise

  • CloudBees Jenkins Operations Center

Resolution

One of the key design features of Operations Center is to make it seem to users as "just one big Jenkins". Thus, for example, the individual client controllers get their breadcrumbs modified to show their context within the cluster, and the UX for users is that client controllers feel just like folders. With features that we have added, such as triggering jobs across controllers, there is even more scope for linking jobs across controllers. There are other features on our backlog: copy/move jobs across controllers, copy artifacts across controllers, cluster-wide "my jobs" view for Operations Center, etc.

The net effect of all this is that of forcing users to login to other client controllers as they navigate from one controller to the other. Now at first glance this might seem like just a minor inconvenience for users…​ they just have to type in their username and password and that establishes a login session on the other controller…​ but our usability testing has identified a major security risk from the feature you are asking for.

As users jump from one controller to the other, they leave authenticated sessions on each of the controllers that they visit. When they click the logout link on the last controller they visit, they forget about all the other controllers they have visited. Thus it becomes very easy for well intentioned users to leave an authenticated session for the previous controllers that they visited. The single sign on feature that we implemented for Operations Center perhaps should more correctly be called "Single Sign Out" because when you click the logout button on one of the client controllers, the session logout information is propagated to all of the client controllers within 30 seconds (typically in less than 10s).

The SSO feature does not force users to start navigating from Operations Center, they can start navigation from the client controller and the redirect to the login screen should send them back to the controller they attempted to login from…​ From the user perspective the only difference they should see is that their login screen says "Operations Center" on the top banner, but they should have the same [click login] » [enter username and password] » [see the screen they clicked login from] UX that you get with a standalone Jenkins.

Finally, pushing RBAC configuration to client controllers is predicated on all controllers having the same security realm, which the SSO functionality ensures.