Details
-
Type:
Improvement
-
Status: In Progress (View Workflow)
-
Priority:
Major
-
Resolution: Unresolved
-
Component/s: role-strategy-plugin
-
Similar Issues:
Description
Currently, the "role strategy" plugin allows you to restrict access to jobs, based on a job-name pattern, using "Project roles". The following permissions are available:
Delete Configure Read Discover Build Workspace Cancel
However, I can't give a user permissions to create only jobs that match a certain job-name pattern. "Job Create" privilege is a "Global Role", not a "Project Role".
Can this be fixed?
Attachments
Issue Links
- depends on
-
JENKINS-23127 broken ProjectNamingStrategy Extension
-
- Resolved
-
Activity
Harpreet Nain agreed
ItemListener has checkBeforeCopy but of course no checkBeforeCreate, I hate these narrow API additions that make things a mess.
I added it to the GSoC 2019 project idea as an UX improvement (better validation of what is being created). As Daniel Beck says, new APIs may be needed to make it possible. Also, "Allow creating a job to which the user has no permission in Role Strategy" is actually a valid use-case for some configurations of Ownership-based security when ownership is being automatically set upon creation. https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md
Hi Team,
We are also facing the same.
We have created testRole in Global Roles which have overall READ permission.
We have created testProjectRole in projectRoles which have below permissions.
JOB: BUILD,CANCEL,CREATE,CONFIGURE,READ with pattern "test.*"
Observations:
1) Initially we did not give JOB create option in GLOBAL roles so testUser not able to see the "NEW ITEM"
2) Later we have given JOB create option in GLOBAL roles so testUser able to see the "NEW ITEM" and he will create the job using the pattern "testDev" successfully.
3) So here is the issue the user can able to create job apart from pattern which is displaying 404 error, but in backend the job is creating when we logged with admin user. So i want the JOB will not create apart from Pattern in project Roles.
Could you please advice on this request.
Thanks
Yaswanth
yaswanth badam
added a comment - Hi Team,
We are also facing the same.
We have created testRole in Global Roles which have overall READ permission.
We have created testProjectRole in projectRoles which have below permissions.
JOB: BUILD,CANCEL,CREATE,CONFIGURE,READ with pattern "test.*"
Observations:
1) Initially we did not give JOB create option in GLOBAL roles so testUser not able to see the "NEW ITEM"
2) Later we have given JOB create option in GLOBAL roles so testUser able to see the "NEW ITEM" and he will create the job using the pattern "testDev" successfully.
3) So here is the issue the user can able to create job apart from pattern which is displaying 404 error, but in backend the job is creating when we logged with admin user. So i want the JOB will not create apart from Pattern in project Roles.
Could you please advice on this request.
Thanks
Yaswanth 
ok thanks! Got it. The help text on the project name verifier config was a bit misleading. Noticed that even though it disables the user to configure or run that job that does to follow the pattern, the job still gets created. Would have been neat if it would give an error and not generate unnecessary jobs.