Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-19934

Add "Job Create" permission to project roles

    XMLWordPrintable

Details

    • 548.vb_60076577ec7

    Description

      Currently, the "role strategy" plugin allows you to restrict access to jobs, based on a job-name pattern, using "Project roles". The following permissions are available:

      Delete Configure Read Discover Build Workspace Cancel

      However, I can't give a user permissions to create only jobs that match a certain job-name pattern. "Job Create" privilege is a "Global Role", not a "Project Role".
      Can this be fixed?

      Attachments

        Issue Links

          Activity

            oleg_nenashev Oleg Nenashev added a comment -

            hnain agreed

            oleg_nenashev Oleg Nenashev added a comment - hnain agreed
            danielbeck Daniel Beck added a comment -

            ItemListener has checkBeforeCopy but of course no checkBeforeCreate, I hate these narrow API additions that make things a mess.

            danielbeck Daniel Beck added a comment - ItemListener has checkBeforeCopy but of course no checkBeforeCreate , I hate these narrow API additions that make things a mess.
            oleg_nenashev Oleg Nenashev added a comment -

            I added it to the GSoC 2019 project idea as an UX improvement (better validation of what is being created). As danielbeck says, new APIs may be needed to make it possible. Also, "Allow creating a job to which the user has no permission in Role Strategy" is actually a valid use-case for some configurations of Ownership-based security when ownership is being automatically set upon creation. https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

            oleg_nenashev Oleg Nenashev added a comment - I added it to the GSoC 2019 project idea as an UX improvement (better validation of what is being created). As danielbeck says, new APIs may be needed to make it possible. Also, "Allow creating a job to which the user has no permission in Role Strategy" is actually a valid use-case for some configurations of Ownership-based security when ownership is being automatically set upon creation. https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

            Hi Team,

            We are also facing the same. 

            We have created testRole in Global Roles which have overall READ permission.

            We have created testProjectRole in projectRoles which have below permissions.

            JOB: BUILD,CANCEL,CREATE,CONFIGURE,READ with pattern "test.*"

             

            Observations:

             1) Initially we did not give JOB create option in GLOBAL roles so testUser not able to see the "NEW ITEM"

            2) Later we have given JOB create option in GLOBAL roles so testUser able to see the "NEW ITEM" and he will create the job using the pattern "testDev" successfully.

            3) So here is the issue the user can able to create job apart from pattern which is displaying 404 error, but in backend the job is creating when we logged with admin user. So i want the JOB will not create apart from Pattern in project Roles.

             

            Could you please advice on this request.

             

            Thanks

            Yaswanth

            yaswanth07 yaswanth badam added a comment - Hi Team, We are also facing the same.  We have created testRole in Global Roles which have overall READ permission. We have created testProjectRole in projectRoles which have below permissions. JOB: BUILD,CANCEL,CREATE,CONFIGURE,READ with pattern "test.*"   Observations:  1) Initially we did not give JOB create option in GLOBAL roles so testUser not able to see the "NEW ITEM" 2) Later we have given JOB create option in GLOBAL roles so testUser able to see the "NEW ITEM" and he will create the job using the pattern "testDev" successfully. 3) So here is the issue the user can able to create job apart from pattern which is displaying 404 error, but in backend the job is creating when we logged with admin user. So i want the JOB will not create apart from Pattern in project Roles.   Could you please advice on this request.   Thanks Yaswanth
            mawinter69 Markus Winter added a comment -

            With this release and using the role based naming strategy, job create permissions are properly respected.

            mawinter69 Markus Winter added a comment - With this release and using the role based naming strategy, job create permissions are properly respected.

            People

              oleg_nenashev Oleg Nenashev
              mwebber Matthew Webber
              Votes:
              15 Vote for this issue
              Watchers:
              22 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: