
Anonymous users can configure and delete PrioritySorter JobGroups

      I am running:
      Jenkins 1.545
      CAS plugin 1.1.1 for authentication
      Role Strategy Plugin 2.1.0 for authorization
      Priority Sorter plugin 2.5
      (these are the latest available at the time of writing)

      The only security granted to anonymous users is "overall - read" and "job - read". However, if an anonymous user views Jenkins, the link to the management function "Job Priorities" remains visible in the top left hand corner of the Jenkins main page, and can be clicked. You can then create / edit / delete job priority groups.

      The function should only be available to administrators. I suspect that the Priority Sorter plugin simply does not check for authorisation.


          Matthew Webber added a comment -

          I only just noticed an option on the main Jenkins configuration page "Only Admins can edit Job Priorities", which has associated help text "Check if only Administrators should be allowed to view and edit the Job Priorities".

          Checking this option fixes the problem. However, the option description does not make it clear that leaving this unchecked (the default value!) means that anonymous users can change priority groups, as well as the priority on individual jobs.

          It seems to me the default value is wrong for Jenkins installations where security is otherwise enabled.

          Magnus Sandberg added a comment -

          This feature was added for JENKINS-21173; before that the function was completely open.

          Do you think it would be enough to remove access from anonymous in the case of a secured Jenkins, or should there be even more specific options?

          Matthew Webber added a comment -

          Hi Magnus,

          There are two different accesses to think about - the PrioritySorter global settings (JobGroups), and then the setting for an individual job.

          If Jenkins is secured (there are quite a lot of different ways this can be done), then clearly anonymous should not be allowed to change any PrioritySorter settings.

          Is your idea that any logged in (authenticated) user can change any PrioritySorter settings?

          I would prefer that only an admin user can change the global PrioritySorter settings. Any user who has job-level configure rights can set the priority in an individual job (I think that comes automatically and you don't need to code anything).

          Job-level configure rights apply with https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security or any of the schemes that inherit from it.

          I hope that makes sense.
          Thanks
          Matthew

          Magnus Sandberg added a comment -

          Yes it does - I'm also considering defining custom permissions for this; do you think that would make sense?

          Daniel Beck added a comment -

          Is there a reason global configuration doesn't require Administer permission?


          Matthew Webber added a comment -

          @Magnus:

          I'm also considering defining custom permissions for this; do you think that would make sense?

          Yes it does. If a user can edit a job configuration, it might be good to have a separate permission for whether or not they can edit the priority.

          @Daniel:

          Is there a reason global configuration doesn't require Administer permission?

          I think the reason is historic. Magnus is going to fix this, I think.

          Magnus Sandberg added a comment -

          JENKINS-21352 for adding specific permissions; for now enable "Only Admins can edit Job Priorities" on the main configuration page.
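          The thread above turns on two separate points: the "Job Priorities" link being visible to anonymous users, and the configuration handler behind it not checking for authorisation (Daniel's question about Administer permission). The following is an added illustration, not code from the Priority Sorter plugin, of how a Jenkins RootAction enforces both with the core Jenkins API: the sidebar link is hidden for callers without the permission, and the submit handler re-checks the permission itself, because a hidden link does nothing to stop a direct request to the URL. The job-level handler shows Matthew's point that per-job priority follows the job's own Configure permission. The class name, URL name, form field names and the onlyAdminsCanEdit() stand-in for the global option are assumptions made for this example.

```java
package example;

import hudson.Extension;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.servlet.ServletException;
import java.io.IOException;

/**
 * Added example (hypothetical class, not the plugin's own code): a global
 * "Job Priorities" page that is only visible to, and only editable by,
 * users holding Jenkins.ADMINISTER.
 */
@Extension
public class JobPrioritiesExampleAction implements RootAction {

    // Stand-in for the global "Only Admins can edit Job Priorities" option
    // discussed in the thread. A safe default for a secured instance is true.
    private static boolean onlyAdminsCanEdit() {
        return true;
    }

    // Returning null from getIconFileName() is the Action contract for
    // "do not show this link", so anonymous users no longer see "Job Priorities".
    @Override
    public String getIconFileName() {
        return canViewGlobalSettings() ? "setting.png" : null;
    }

    @Override
    public String getDisplayName() {
        return "Job Priorities";
    }

    @Override
    public String getUrlName() {
        return "job-priorities-example"; // assumed URL name
    }

    // The handler must enforce the check itself: the URL is reachable whether
    // or not the link was rendered. checkPermission() throws AccessDeniedException
    // (mapped to HTTP 403) when the current user lacks the permission.
    @RequirePOST
    public void doConfigSubmit(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        // ... parse req.getSubmittedForm() and persist the JobGroups here ...
        rsp.sendRedirect(".");
    }

    // Per-job priority follows the job's own Configure permission, so a user
    // who may edit the job configuration may also set its priority, and nobody
    // else may. "job" and "priority" are assumed form parameter names.
    @RequirePOST
    public void doSetJobPriority(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        String fullName = req.getParameter("job");
        Job<?, ?> job = Jenkins.getInstance().getItemByFullName(fullName, Job.class);
        if (job == null) {
            rsp.sendError(404);
            return;
        }
        job.checkPermission(Item.CONFIGURE);
        int priority = Integer.parseInt(req.getParameter("priority"));
        // ... store the priority on the job here ...
        rsp.sendRedirect(job.getAbsoluteUrl());
    }

    private boolean canViewGlobalSettings() {
        Jenkins jenkins = Jenkins.getInstance();
        return onlyAdminsCanEdit()
                ? jenkins.hasPermission(Jenkins.ADMINISTER)
                : jenkins.hasPermission(Jenkins.READ);
    }
}
```

          The useful check when reviewing a plugin for this class of bug is to look at each do*() handler and each getIconFileName() independently: the first decides whether a request is honoured, the second only whether a link is drawn, and either one alone leaves the other path open. Note that with the option left at its original default (onlyAdminsCanEdit() returning false), the view check degrades to Jenkins.READ, which is exactly the "overall - read" grant the reporter gave to anonymous users.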

            emsa23 Magnus Sandberg
            mwebber Matthew Webber