Subversion Plugin HTTPS Kerberos authentication

Enabling Subversion Plugin to connect to a Kerberos authenticated SVN server using HTTPS

When would I need this?

You need this if your SVN servers only work with Kerberos authentication, for example VisualSVN installed on a Windows operating system and authenticating with Kerberos/Windows domain credentials/Active Directory.

Important note

The method described here requires the Subversion configuration option "store-passwords = yes". It causes SVN to save the user credentials in a plain text file, which may not be suitable for everyone. Please check your security policies before continuing.

These instructions are loosely based on this forum entry by K. R. Walker on nabble.com. Originally I followed those instructions just to find out a bit later that the ticket cache (ticketCache option in jaas.conf) is never used by Hudson/svnkit. Instead it defaults to credentials stored by Subversion command line client. Please update this page when the proper Kerberos ticket based authentication starts to work.

Requirements

  • Working Hudson instance (tested only on Debian Linux)
  • SVN-plugin and Hudson upgraded to latest versions (Hudson 1.387/Subversion Plugin 1.20 do not seem to work)
  • Kerberos authentication working on the Hudson computer
  • A Kerberos user account (e.g. "hudson") that has access to your SVN repository

Steps to configure

1. Verify with an SVN client that your user can access your SVN repository, and store the user credentials.

On Debian you could run:

svn info --username "hudson@YOURDOMAIN.COM" "https://svn------com/svn/-----/trunk"

The command will save your credentials in a file under the directory $HOME/.subversion/auth/svn.simple/. The file contains the user's password in plain text.

This verifies that the Kerberos authentication works. You should also check out something to verify that the user has read access.

2. Set some Java system properties

Add the following options to the startup command of your Hudson Java process:

-Djava.security.krb5.realm=YOURDOMAIN.COM

-Djava.security.krb5.kdc=kdc.yourdomain.com

-Dsun.security.krb5.debug=false

-Djavax.net.ssl.trustStore=cacerts

On Debian you can add the variable JAVA_ARGS to the Hudson settings in /etc/default/hudson:

JAVA_ARGS="-Djava.security.krb5.realm=YOURDOMAIN.COM -Djava.security.krb5.kdc=kdc.yourdomain.com \
 -Dsun.security.krb5.debug=false -Djavax.net.ssl.trustStore=cacerts"

3. Restart Hudson

Restart Hudson so that the Java properties and the new configuration take effect.

4. Configure your Hudson job

In your Hudson job configuration, add the SVN URL in the Repository URL box, which can be found under Source Code Management -> Subversion.

NOTE: When you move the text pointer out of the text field, you will immediately see a red error message if your configuration does not work. So if you see no error messages, as in the picture above, you have succeeded. Congratulations!
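Because step 1 leaves the password in plain text under $HOME/.subversion/auth/svn.simple/, it is worth checking what that cache holds and who can read it. The script below is an added example, not part of the original instructions; it assumes the usual svn.simple record layout ("K <len>", key, "V <len>", value), and the sample entry, the host svn.example.test and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit a Subversion credential cache for plaintext passwords and loose file modes.
# Assumes the standard svn.simple layout: "K <len>" / key / "V <len>" / value records.

svn_auth_field() {  # $1 = cache file, $2 = key; prints the value stored under that key
    awk -v want="$2" '
        /^K [0-9]+$/ { getline key; next }
        /^V [0-9]+$/ { getline val; if (key == want) { print val; exit } }
    ' "$1"
}

audit_svn_simple() {  # $1 = cache directory; one line per finding, never the password
    dir=${1:-$HOME/.subversion/auth/svn.simple}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # passtype "simple" means the password value is stored unencrypted.
        if [ "$(svn_auth_field "$f" passtype)" = simple ] &&
           svn_auth_field "$f" password | grep -q .; then
            echo "PLAINTEXT $f user=$(svn_auth_field "$f" username)" \
                 "realm=$(svn_auth_field "$f" svn:realmstring)"
            findings=$((findings + 1))
        fi
        # Anything beyond owner access (chars 5-10 of the ls mode) is too open.
        case $(ls -ld "$f") in
            ????------*) ;;
            *) echo "LOOSE_PERMS $f"; findings=$((findings + 1)) ;;
        esac
    done
    echo "findings=$findings"
}

# Constructed sample entry (not real credentials) so the audit can be run offline.
write_sample_entry() {  # $1 = path of the file to create
    printf '%s\n' 'K 8' passtype 'V 6' simple 'K 8' password 'V 14' \
        'not-a-real-pw!' 'K 15' svn:realmstring 'V 37' \
        '<https://svn.example.test:443> Sample' 'K 8' username 'V 21' \
        'hudson@YOURDOMAIN.COM' END > "$1"
}

demo=$(mktemp -d)
write_sample_entry "$demo/0123abcd"
chmod 644 "$demo/0123abcd"
audit_svn_simple "$demo"      # reports PLAINTEXT and LOOSE_PERMS
chmod 600 "$demo/0123abcd"
audit_svn_simple "$demo"      # reports PLAINTEXT only
rm -rf "$demo"
```

Run `audit_svn_simple` with no argument as the Hudson user to check the real cache; a PLAINTEXT finding is expected with this setup, so the useful signals are LOOSE_PERMS and entries for accounts you did not intend to store.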

Troubleshooting

  • Upgrade Hudson and SVN plugin to latest and greatest
  • You may try turning on debugging with the java property -Dsun.security.krb5.debug=true
  • You can download svnkit full package and try the tool jsvn to better support debugging

Open questions and fine print

  • This has NOT been tested on a Hudson server running on Windows
  • This has NOT been tested on a Hudson slave. So it is possible that it will be more complex than this.
  • The internet suggested that some job types may not work with this. (E.g. multi-configuration?)