Jenkins / JENKINS-1555

Remote triggering of builds requires anonymous user Read permission

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • Component: core
    • Platform: All, OS: All

      I stepwise tried to harden my local Hudson installation.
      Security realm is set to "Active Directory".

      From the Anonymous user I removed all Authorization rights. This broke
      triggering Hudson builds using a URL with a token.
      To make it work again I had to assign the "Overall -> read" right to the
      Anonymous user.

      Actually, I didn't want to have Anonymous users see project details. Could the
      current behavior be changed by checking the "Job -> Build" right prior to
      triggering builds?


          subbaer created issue -

          subbaer added a comment -

          Defect noticed in combination with active-directory plugin (currently 1.4).

          subbaer added a comment -

          Created an attachment (id=294)
          Sample configuration screen showing issue

          Alan Harder added a comment - edited

          This could be implemented by adding a condition like this in Hudson.getTarget():

          || (rest.matches("/job/.*/build")
              && Stapler.getCurrentRequest().getParameter("token") != null)

          in the list of allowed URLs w/o READ permission.
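          The carve-out Alan Harder proposes, as an added Python illustration (not Hudson/Jenkins code; `authorize`, `JOB_TOKENS` and the permission names are hypothetical stand-ins, and the job token is a constructed sample). With `token_carve_out=False` it reproduces the behaviour subbaer reports: a tokened build URL is refused as soon as Anonymous loses Overall/Read. With `token_carve_out=True` only `/job/<name>/build` requests carrying a `token` parameter skip that gate, and the request is then decided by the job's own configured token rather than being granted outright.

```python
import hmac
import re

# Constructed sample job configuration (hypothetical; not Hudson's data model):
# job name -> the token configured under "Trigger builds remotely".
JOB_TOKENS = {"nightly": "s3cret-build-token"}

# Only the remote-trigger endpoint is eligible for the carve-out.
BUILD_PATH = re.compile(r"^/job/([^/]+)/build$")


def authorize(path, params, anon_perms, token_carve_out):
    """Decide an anonymous request. Returns (allowed, reason).

    path           : request path, e.g. "/job/nightly/build"
    params         : query parameters as a dict
    anon_perms     : permission names granted to Anonymous, e.g. {"Overall/Read"}
    token_carve_out: True models the proposed extra condition in
                     Hudson.getTarget(); False models the behaviour reported
                     in the issue (everything sits behind Overall/Read).
    """
    m = BUILD_PATH.match(path)
    if token_carve_out and m and params.get("token") is not None:
        # The carve-out only skips the Overall/Read gate; it must not grant the
        # build by itself. The job's own token still has to match.
        expected = JOB_TOKENS.get(m.group(1))
        if expected is None:
            return False, "job has no remote-trigger token"
        # Constant-time comparison: the token is a shared secret.
        if hmac.compare_digest(params["token"], expected):
            return True, "build token accepted"
        return False, "build token rejected"
    if "Overall/Read" not in anon_perms:
        return False, "Overall/Read required"
    return True, "Overall/Read granted"


if __name__ == "__main__":
    req = ("/job/nightly/build", {"token": "s3cret-build-token"}, set())
    print("without carve-out:", authorize(*req, token_carve_out=False))
    print("with carve-out:   ", authorize(*req, token_carve_out=True))
```

          The point to check when reviewing such a carve-out is that the matched path is exact (the regex anchors on `/build`, so `/job/<name>/` and other job pages remain behind Overall/Read) and that "token present" never becomes "token accepted": the comparison against the job's configured token is what actually authorizes the trigger.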

          Alan Harder added a comment -

          improving defect summary

          Alan Harder added a comment -
              • Issue 2121 has been marked as a duplicate of this issue.

          Alan Harder made changes -
          Link New: This issue is duplicated by JENKINS-2121 [ JENKINS-2121 ]

          Alan Harder added a comment -
              • Issue 4748 has been marked as a duplicate of this issue.

          Alan Harder made changes -
          Link New: This issue is duplicated by JENKINS-4748 [ JENKINS-4748 ]

          Kohsuke Kawaguchi added a comment -

          I think a more general approach to the delegation of authority is necessary (and this is the line of reasoning that deprecated the build token support.)

          For example, Hudson can generate a digital signature from the path, the user, and the expiration date, and if this digital signature is present in the request and the path is the same, we could allow the request to be handled under the credential of the user.
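          The delegation scheme Kohsuke sketches, as an added Python example that is not Hudson/Jenkins code: the server keeps a per-instance secret (`SERVER_KEY`, a constructed value here) and issues a link whose HMAC covers the path, the delegated user and an expiry. On receipt the server recomputes the MAC over the path actually requested, so the signature cannot be moved to another job, refuses anything past its expiry, and only then treats the request as coming from that user. `sign_url` and `verify` are hypothetical names.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed per-server secret (hypothetical; a real deployment would keep
# this in the server's secret store and never expose it to users).
SERVER_KEY = b"constructed-server-secret-key"


def _mac(path, user, expires):
    """HMAC-SHA256 over path, user and expiry, newline-separated so the
    three fields cannot be shifted into one another."""
    msg = f"{path}\n{user}\n{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, user, ttl_seconds, now=None):
    """Issue a delegated link: the holder may call `path` as `user` until expiry."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"user": user, "expires": expires,
                       "sig": _mac(path, user, expires)})
    return f"{path}?{query}"


def verify(url, now=None):
    """Return the delegated user name if the link is valid, else None."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        user = q["user"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if now > expires:
        return None  # expired link
    # Recompute over the path actually requested, so a signature issued for
    # one job cannot be replayed against another, and compare in constant time.
    if not hmac.compare_digest(sig, _mac(parsed.path, user, expires)):
        return None
    return user


if __name__ == "__main__":
    link = sign_url("/job/nightly/build", "alice", ttl_seconds=600, now=1000)
    print(link)
    print("valid   ->", verify(link, now=1500))
    print("expired ->", verify(link, now=1601))
```

          Unlike a static build token, the link is bound to one path, one user and a deadline, and the server can log and audit the trigger under that user. It is still a bearer capability, so the time-to-live is the main control: keep it short, and treat the link like a credential in logs and build records.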

            Assignee: Unassigned
            Reporter: subbaer
            Votes: 11
            Watchers: 11