• 548.vb_60076577ec7

      Currently, the "role strategy" plugin allows you to restrict access to jobs, based on a job-name pattern, using "Project roles". The following permissions are available:

      Delete, Configure, Read, Discover, Build, Workspace, Cancel

      However, I can't give a user permissions to create only jobs that match a certain job-name pattern. "Job Create" privilege is a "Global Role", not a "Project Role".
      Can this be fixed?

          [JENKINS-19934] Add "Job Create" permission to project roles

          Oleg Nenashev added a comment -

          It's in my backlog, but I have to confirm that I have not found time to seriously revisit this task yet - too many other activities. No ETA right now. BTW I can perform all required reviews if somebody decides to work on this feature/issue


          Harpreet Nain added a comment -

          I do see the Create permission in the project roles. Even though the project role has the create permission checked, the user assigned the project role is still not able to create jobs. The only way a user can create jobs is if it is included in the global role. Hence we are unable to restrict the project names due to this limitation. Please advise.

          Oleg Nenashev added a comment -

          The permission does not work the way you may expect. You still have to enable the global permission and then enable the Role Strategy project name verifier in order to get the functionality working. Without the Global permission the plugin thinks that the user cannot create any job (which is a valid behavior).

          Harpreet Nain added a comment -

          OK, thanks! Got it. The help text on the project name verifier config was a bit misleading. Noticed that even though it prevents the user from configuring or running a job that does not follow the pattern, the job still gets created. Would have been neat if it would give an error and not generate unnecessary jobs.

          Oleg Nenashev added a comment -

          hnain agreed


          Daniel Beck added a comment -

          ItemListener has checkBeforeCopy but of course no checkBeforeCreate, I hate these narrow API additions that make things a mess.


          Oleg Nenashev added a comment -

          I added it to the GSoC 2019 project idea as a UX improvement (better validation of what is being created). As danielbeck says, new APIs may be needed to make it possible. Also, "Allow creating a job to which the user has no permission in Role Strategy" is actually a valid use-case for some configurations of Ownership-based security when ownership is being automatically set upon creation. https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

          yaswanth badam added a comment -

          Hi Team,

          We are also facing the same.

          We have created testRole in Global Roles, which has the overall READ permission.

          We have created testProjectRole in projectRoles, which has the permissions below.

          JOB: BUILD, CANCEL, CREATE, CONFIGURE, READ with pattern "test.*"

          Observations:

          1) Initially we did not give the JOB create option in GLOBAL roles, so testUser was not able to see "NEW ITEM".

          2) Later we gave the JOB create option in GLOBAL roles, so testUser is able to see "NEW ITEM" and can create the job "testDev", which uses the pattern, successfully.

          3) Here is the issue: the user is able to create a job outside the pattern, which displays a 404 error, but in the backend the job is created, as we see when logged in as the admin user. So I want the job not to be created outside the pattern in project roles.

          Could you please advise on this request?

          Thanks

          Yaswanth

          Markus Winter added a comment -

          With this release and using the role based naming strategy, job create permissions are properly respected.


          jarett added a comment -

          If anyone is still experiencing this issue, it is resolved by following these steps:

          In manage and assign roles: Give the corresponding item role: Job/create, Job/read, and Job/configure permissions.
          In configure system: enable the checkbox for "restrict project naming" with the dropdown checkbox "Role-Based Strategy".

          Users who are a member of the item role now have the "new item" box available on the side panel and permissions to only create jobs following the specified pattern 

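An audit of the rule this thread converges on, added here as an example and not taken from the thread or from the plugin's code: a job name is acceptable only if an item role that its creator belongs to grants Job/Create and the role's pattern matches the name. It assumes patterns are case-sensitive and must match the whole job name; the role and user names come from the report above, and the job list is constructed sample data.

```python
import re
from dataclasses import dataclass

CREATE = "Job/Create"

@dataclass(frozen=True)
class ItemRole:
    name: str
    pattern: str            # regex; assumed to match the whole job name
    permissions: frozenset
    members: frozenset

def roles_allowing_create(user, job_name, roles):
    """Names of the item roles that let `user` create a job called `job_name`."""
    return [r.name for r in roles
            if user in r.members
            and CREATE in r.permissions
            and re.fullmatch(r.pattern, job_name)]

def audit_jobs(jobs, roles):
    """Return (job, creator) pairs that no item role of the creator permits.

    These are the stray jobs described in the thread: created in the
    backend although the name falls outside the creator's pattern.
    """
    return [(job, creator) for job, creator in jobs
            if not roles_allowing_create(creator, job, roles)]

# Role as described in the report above.
ROLES = [ItemRole(
    name="testProjectRole",
    pattern="test.*",
    permissions=frozenset({"Job/Build", "Job/Cancel", "Job/Create",
                           "Job/Configure", "Job/Read"}),
    members=frozenset({"testUser"}),
)]

# Constructed sample inventory: (job name, user who created it).
JOBS = [
    ("testDev", "testUser"),        # matches test.*
    ("devtest", "testUser"),        # "test" is not at the start of the name
    ("Test-api", "testUser"),       # differs in case
    ("test-nightly", "otherUser"),  # creator is not a member of the role
]

if __name__ == "__main__":
    for job, creator in audit_jobs(JOBS, ROLES):
        print(f"review: job {job!r} created by {creator!r} matches no create-granting role")
```

Run against an exported job list, the findings are the jobs an administrator should review or remove after enabling the role-based naming restriction.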

            oleg_nenashev Oleg Nenashev
            mwebber Matthew Webber