Various build steps (or other code run during builds) ought to be checking permissions. For example, you should only be able to trigger a downstream build if "you" would otherwise have permission to schedule that job manually. Similarly for accessing artifacts, running on secure slave nodes, and so on.

      Unfortunately in Jenkins currently all builds run in SYSTEM, i.e. effectively having all permissions, and it is up to each build step to do its own checks. Worse, there is no clear authentication to associate with the build. If it was started manually by a particular user, you could use that authentication, but other causes do not lead to a clear user name.

      There should be some (probably extensible) system of associating an Authentication with a given Run, either based on its Cause or something else such as the last User to configure the Job.

          [JENKINS-16956] Require authentication for build triggers

          Jesse Glick added a comment -

          JENKINS-13222 asks for a different hack for identifying a parameterized upstream job on which we need READ, but the real problem is that the permission check is normally done in the @DataBoundConstructor, when it should always be done in perform on behalf of some principal.

          Jesse Glick added a comment -

          CommandDuringBuild should also automatically authenticate you based on the running build.

          Jesse Glick added a comment -

          The CommandDuringBuild issue does not necessarily need this; filed separately as JENKINS-22472.

          Jesse Glick added a comment -

          JENKINS-18285 introduced the necessary API, the Authorize Project plugin offers some implementations (if still a work in progress), and some plugins are starting to check authentication (namely Copy Artifact). So narrowing the scope of this issue to cover the major case of BuildTrigger and Item.BUILD.

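The model the discussion above settles on, as an added illustration that is not Jenkins core or plugin code: a QueueItemAuthenticator (the JENKINS-18285 API) decides which principal a queued build runs as, and a build step checks Item.BUILD in perform() on behalf of that principal instead of in the @DataBoundConstructor. The class names are hypothetical; the use of Tasks.getAuthenticationOf and QueueItemAuthenticatorDescriptor is an assumption about the core API of that era.

```java
// Added illustration, not Jenkins core or plugin code. Assumes the core APIs named
// or introduced here: jenkins.security.QueueItemAuthenticator (JENKINS-18285),
// hudson.model.queue.Tasks.getAuthenticationOf, and the Item.BUILD permission.
import hudson.Extension;
import hudson.Launcher;
import hudson.model.*;
import hudson.model.queue.Tasks;
import hudson.tasks.Builder;
import jenkins.model.Jenkins;
import jenkins.security.QueueItemAuthenticator;
import jenkins.security.QueueItemAuthenticatorDescriptor;
import org.acegisecurity.Authentication;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical QIA: run a queued build as the user who triggered it, else anonymous. */
public class TriggeringUserAuthenticator extends QueueItemAuthenticator {
    @DataBoundConstructor public TriggeringUserAuthenticator() {}

    @Override public Authentication authenticate(Queue.Item item) {
        for (Cause c : item.getCauses()) {
            if (c instanceof Cause.UserIdCause) {
                User u = User.get(((Cause.UserIdCause) c).getUserId(), false, null);
                if (u != null) return u.impersonate();
            }
        }
        return Jenkins.ANONYMOUS; // deliberately never ACL.SYSTEM
    }

    @Extension public static class DescriptorImpl extends QueueItemAuthenticatorDescriptor {
        @Override public String getDisplayName() { return "Run as triggering user"; }
    }
}

/** Hypothetical build step (descriptor omitted): the Item.BUILD check happens in perform(),
 *  on behalf of the build's own principal, not in the constructor against the configuring user. */
class TriggerDownstreamBuilder extends Builder {
    private final String downstream;
    @DataBoundConstructor public TriggerDownstreamBuilder(String downstream) { this.downstream = downstream; }
    @Override public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        Authentication auth = Tasks.getAuthenticationOf(build.getParent());
        AbstractProject<?, ?> job = Jenkins.getInstance().getItemByFullName(downstream, AbstractProject.class);
        if (job == null || !job.getACL().hasPermission(auth, Item.BUILD)) {
            listener.getLogger().println("Skipping " + downstream + ": " + auth.getName() + " lacks Build permission");
            return true; // warn and skip, as the fix in this issue does, rather than fail the build
        }
        job.scheduleBuild2(0, new Cause.UpstreamCause((Run<?, ?>) build));
        return true;
    }
}
```

With no QueueItemAuthenticator configured, Tasks.getAuthenticationOf yields SYSTEM, which is the legacy fallback the second commit below describes; the authenticator is what makes the perform() check meaningful.
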
          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/model/AbstractProject.java
          core/src/main/java/hudson/tasks/BuildTrigger.java
          test/src/test/java/hudson/tasks/BuildTriggerTest.java
          http://jenkins-ci.org/commit/jenkins/48e92efaed7d48d6bd515a7844f9c055a8e27f6b
          Log:
          JENKINS-16956 Make BuildTrigger.execute pay attention to build permissions, rather than checking the configuring user.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/tasks/BuildTrigger.java
          core/src/main/resources/hudson/tasks/Messages.properties
          test/src/test/java/hudson/tasks/BuildTriggerTest.java
          http://jenkins-ci.org/commit/jenkins/d31ff2fed352cc15d808cb8aa91eba6576ed13ae
          Log:
          JENKINS-16956 More compatible behavior: if no QIA’s are configured yet, fall back to running as SYSTEM.
          Also make a best effort to issue a warning in the log if downstream builds might be skipped due to lack of authentication;
          or if downstream build permissions might not be checked due to legacy behavior.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/hudson/model/queue/Tasks.java
          core/src/main/java/jenkins/security/QueueItemAuthenticator.java
          core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
          http://jenkins-ci.org/commit/jenkins/7f76a93dd947cb0180a36d2ce54b1e3c2ddaf3bc
          Log:
          [FIXED JENKINS-16956] Noting merge of #1172.

          Compare: https://github.com/jenkinsci/jenkins/compare/a1cd49b948ab...7f76a93dd947

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3296
          JENKINS-16956 Make BuildTrigger.execute pay attention to build permissions, rather than checking the configuring user. (Revision 48e92efaed7d48d6bd515a7844f9c055a8e27f6b)
          JENKINS-16956 More compatible behavior: if no QIA’s are configured yet, fall back to running as SYSTEM. (Revision d31ff2fed352cc15d808cb8aa91eba6576ed13ae)
          [FIXED JENKINS-16956] Noting merge of #1172. (Revision 7f76a93dd947cb0180a36d2ce54b1e3c2ddaf3bc)

          Result = SUCCESS
          Jesse Glick : 48e92efaed7d48d6bd515a7844f9c055a8e27f6b
          Files :

          • test/src/test/java/hudson/tasks/BuildTriggerTest.java
          • core/src/main/java/hudson/model/AbstractProject.java
          • core/src/main/java/hudson/tasks/BuildTrigger.java

          Jesse Glick : d31ff2fed352cc15d808cb8aa91eba6576ed13ae
          Files :

          • test/src/test/java/hudson/tasks/BuildTriggerTest.java
          • core/src/main/resources/hudson/tasks/Messages.properties
          • core/src/main/java/hudson/tasks/BuildTrigger.java

          Jesse Glick : 7f76a93dd947cb0180a36d2ce54b1e3c2ddaf3bc
          Files :

          • core/src/main/java/hudson/model/queue/Tasks.java
          • changelog.html
          • core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
          • core/src/main/java/jenkins/security/QueueItemAuthenticator.java

          eguess74 added a comment -

          seems like there might be an issue with the implementation:
          https://issues.jenkins-ci.org/browse/JENKINS-22821

          Daniel Beck added a comment -

          Comment in JENKINS-23191 provides steps to reliably reproduce the issue.
