Jenkins / JENKINS-21390

[Inheritance Plugin] - Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • Platforms: Linux-64
      Security Realm: LDAP
      Authorization: Role-Based Strategy,
      Plugin: Project-Inheritance, Ownership, Role Strategy
      Browser: firefox

      I plan to manage and assign roles as shown in the attachments below (ManageRole.png, AssignRole.png).
      For the Global role, Admin is "siclee", and the project role has been assigned based on the project owner (using the ownership plugin).

      The problem is that I can delete, configure, cancel JOB "A" (using Inheritance Project) but am not able to run/build it under the swbuild user (it keeps prompting me with "Access Denied: swbuild is missing the Job/Build permission").
      Note: I only have this issue when I use the Inheritance method to create a job.

      Any ideas about this issue? Is it a configuration or plugin issue?
      Your advice is needed.

        1. ManageRoles.png (31 kB)
        2. AssignRoles.png (18 kB)
        3. JobA.png (46 kB)
        4. AccessDeniedError.png (16 kB)


          Siang Choon Lee created issue -

          Siang Choon Lee added a comment -

          Owners do not have permission to run the build in Jenkins.
          Siang Choon Lee made changes -
          Description: "I can delete, configure JOB" changed to "I can delete, configure, cancel JOB"; the rest of the description is unchanged.

          Oleg Nenashev added a comment -

          Sorry for the late response. Seems I've missed the notification.

          I don't have much experience with the Inheritance plugin, so I'm not sure how it generates jobs, handles inheritance, etc. I'll try to reproduce the issue next week. Then I'll be able to provide some ETAs.

          P.S.: I also recommend using the @OwnerNoSid and @CoOwnerNoSid macros (see the example in https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security). That way you will be able to set ownership to groups (including "authenticated"), etc.

          Oleg Nenashev added a comment -

          I see a stack overflow error after clicking on "Build" inside "Build Specific Version".
          It seems to be an issue inside the "Inheritance Plugin". Accessing project properties from security plugins leads to such recursion, because the plugin calls permission checks.

          I'll re-assign the issue to the Inheritance plugin in order to get Martin's feedback.

          ...
          at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
          at hudson.security.SidACL._hasPermission(SidACL.java:69)
          at hudson.security.SidACL.hasPermission(SidACL.java:51)
          at hudson.security.ACL.hasPermission(ACL.java:64)
          at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
          at jenkins.model.Jenkins.getItem(Jenkins.java:2236)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectByName(InheritanceProject.java:521)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectFromRequest(InheritanceProject.java:1826)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersionFromRequest(InheritanceProject.java:1930)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2015)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2008)
          at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:182)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:2818)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2953)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2945)
          at com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerHelper.getOwnerProperty(JobOwnerHelper.java:57)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.getOwnership(AbstractOwnershipRoleMacro.java:68)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.hasPermission(AbstractOwnershipRoleMacro.java:94)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.OwnerRoleMacro.hasPermission(OwnerRoleMacro.java:56)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.hasPermission(RoleMap.java:77)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.access$000(RoleMap.java:51)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap$AclImpl.hasPermission(RoleMap.java:302)
          at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
          at hudson.security.SidACL._hasPermission(SidACL.java:69)
          at hudson.security.SidACL.hasPermission(SidACL.java:51)
          at hudson.security.ACL.hasPermission(ACL.java:64)
          at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
          at jenkins.model.Jenkins.getItem(Jenkins.java:2236)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectByName(InheritanceProject.java:521)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectFromRequest(InheritanceProject.java:1826)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersionFromRequest(InheritanceProject.java:1930)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2015)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2008)
          at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:182)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:2818)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2953)
          at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2945)
          at com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerHelper.getOwnerProperty(JobOwnerHelper.java:57)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.getOwnership(AbstractOwnershipRoleMacro.java:68)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.hasPermission(AbstractOwnershipRoleMacro.java:94)
          at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.OwnerRoleMacro.hasPermission(OwnerRoleMacro.java:56)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.hasPermission(RoleMap.java:77)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.access$000(RoleMap.java:51)
          at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap$AclImpl.hasPermission(RoleMap.java:302)
          at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
          at hudson.security.SidACL._hasPermission(SidACL.java:69)
          at hudson.security.SidACL.hasPermission(SidACL.java:51)
          at hudson.security.ACL.hasPermission(ACL.java:64)
          at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
          at jenkins.model.Jenkins.getItem(Jenkins.java:2236)

          Oleg Nenashev made changes -
          Assignee Original: Oleg Nenashev [ oleg_nenashev ] New: Martin Schröder [ mhschroe ]
          Labels Original: build jenkins job plugins security
          Oleg Nenashev made changes -
          Labels New: job plugins security stacktrace
          Oleg Nenashev made changes -
          Link New: This issue is related to JENKINS-21021 [ JENKINS-21021 ]

          Oleg Nenashev added a comment - - edited

          JENKINS-21021 is a similar issue. I suppose that there is nothing to do inside the ownership and role-strategy plugins.
          Oleg Nenashev made changes -
          Summary Original: Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration New: [Inheritance Plugin] - Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration

            Assignee: Martin Schröder (mhschroe)
            Reporter: Siang Choon Lee (siclee)
            Votes: 8
            Watchers: 10