  1. Jenkins
  2. JENKINS-14750

Unprivileged view permissions for monitoring

      Description

      I would like my users with universal read permissions to be able to get to /monitoring, perhaps with the GC link removed or inactivated.

      Alternately, it would be great if there were a "view monitoring" checkbox in the permissions grid.

      Or... a "configure monitoring" section in the global config to allow me to twiddle access perms.

            Activity

            stephan Stephan Austermühle added a comment -

            +1

            Just received the request from one of our dev team members to view monitoring data, which surprisingly isn't possible without admin permissions.

            oleg_nenashev Oleg Nenashev added a comment -

            -1 for the Unprivileged access as a Jenkins Security team member. It is not only about gc() invocation. Operations like HeapDump collection may actually expose sensitive information. Thread termination by users may also cause significant damage. Etc.

            The thing which could be done is a special permission (e.g. "Computer.VIEW_MONITORING" implied by "Jenkins.ADMINISTER") with appropriate disclaimer in the documentation.

            belfast77 Belfast 77 added a comment -

            +1

            evernat evernat added a comment -

            I have written a pull request for this issue: https://github.com/jenkinsci/monitoring-plugin/pull/9
            The Overall/SystemRead permission allows viewing the monitoring pages of the monitoring plugin, but the Overall/SystemRead permission does not allow running state-changing actions such as Run GC, Take heap dump or Kill http sessions (the Administer permission is still needed for these actions). To have the Overall/SystemRead permission, you need the extended read permission plugin: https://plugins.jenkins.io/extended-read-permission/
            Any thoughts before merge?

            evernat evernat added a comment -

            PR merged: https://github.com/jenkinsci/monitoring-plugin/pull/9
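
The permission split described in the comments above, modeled as an added Python example that is not part of the thread and is not the monitoring plugin's code. The action names and sample users are constructed; the example assumes that any request carrying an action is treated as state-changing, so unrecognized actions fail closed.

```python
from enum import Enum

class Permission(Enum):
    ADMINISTER = "Overall/Administer"
    SYSTEM_READ = "Overall/SystemRead"
    READ = "Overall/Read"

# Holding the key permission also grants the permissions in its set.
IMPLIES = {Permission.ADMINISTER: {Permission.SYSTEM_READ, Permission.READ}}

# Constructed action names, not the plugin's real request parameters.
STATE_CHANGING = ("run_gc", "heap_dump", "kill_sessions", "kill_thread")

def effective(granted):
    """Expand a set of granted permissions with everything they imply."""
    result, todo = set(), list(granted)
    while todo:
        perm = todo.pop()
        if perm not in result:
            result.add(perm)
            todo.extend(IMPLIES.get(perm, ()))
    return result

def required_permission(action):
    """A plain page view (action None) needs SystemRead. Any action, listed
    or not, needs Administer, so an unrecognized action fails closed."""
    return Permission.SYSTEM_READ if action is None else Permission.ADMINISTER

def authorize(granted, action=None):
    """Server-side check, run on every request whatever the UI displayed."""
    return required_permission(action) in effective(granted)

def visible_actions(granted):
    """Links worth rendering for this user; hiding a link is cosmetic only."""
    return [a for a in STATE_CHANGING if authorize(granted, a)]

if __name__ == "__main__":
    users = {  # constructed sample users
        "admin": {Permission.ADMINISTER},
        "auditor": {Permission.READ, Permission.SYSTEM_READ},
        "developer": {Permission.READ},
    }
    for name, perms in users.items():
        print(name, "view:", authorize(perms), "heap_dump:",
              authorize(perms, "heap_dump"), "links:", visible_actions(perms))
```

Rendering links from `visible_actions` covers the "GC link removed or inactivated" request, while `authorize` remains the control that actually blocks a hand-crafted request.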

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              ganncamp G. Ann Campbell
              Votes:
              10
              Watchers:
              16