Jenkins / JENKINS-21390

[Inheritance Plugin] - Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration

      Description

      I plan to manage and assign roles as in the attachments below (ManageRole.png, AssignRole.png).
      For the Global role, Admin is "siclee", and the project role has been assigned based on project owner (using the ownership plugin).

      The problem is that I can delete, configure, and cancel JOB "A" (using Inheritance Project) but am not able to run/build it as the swbuild user (it keeps prompting me with "Access Denied: swbuild is missing the Job/Build permission").
      Note: I only have this issue when I use the Inheritance method to create a job.

      Any ideas about this issue? Is it a configuration or plugin issue?
      Your advice is needed.

        Attachments

        1. AccessDeniedError.png (16 kB)
        2. AssignRoles.png (18 kB)
        3. JobA.png (46 kB)
        4. ManageRoles.png (31 kB)

            Activity

            siclee Siang Choon Lee created issue -
            siclee Siang Choon Lee added a comment -

            Owners do not have permission to run the build in Jenkins.

            oleg_nenashev Oleg Nenashev added a comment -

            Sorry for the late response. Seems I've missed the notification.

            I don't have much experience with the Inheritance plugin, so I'm not sure how it generates jobs, handles inheritance, etc. I'll try to reproduce the issue next week. Then I'll be able to provide some ETAs.

            P.S.: I also recommend using the @OwnerNoSid and @CoOwnerNoSid macros (see the example in https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security). That way you will be able to set ownership to groups (including "authenticated"), etc.

            oleg_nenashev Oleg Nenashev added a comment -

            I see the stack overflow error after clicking on "Build" inside "Build Specific Version".
            It seems to be an issue inside the "Inheritance Plugin". Accessing project properties from security plugins leads to such recursion, because the plugin calls permission checks.

            I'll re-assign the issue to the Inheritance plugin in order to get Martin's feedback.

            ...
            at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
            at hudson.security.SidACL._hasPermission(SidACL.java:69)
            at hudson.security.SidACL.hasPermission(SidACL.java:51)
            at hudson.security.ACL.hasPermission(ACL.java:64)
            at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
            at jenkins.model.Jenkins.getItem(Jenkins.java:2236)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectByName(InheritanceProject.java:521)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectFromRequest(InheritanceProject.java:1826)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersionFromRequest(InheritanceProject.java:1930)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2015)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2008)
            at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:182)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:2818)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2953)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2945)
            at com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerHelper.getOwnerProperty(JobOwnerHelper.java:57)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.getOwnership(AbstractOwnershipRoleMacro.java:68)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.hasPermission(AbstractOwnershipRoleMacro.java:94)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.OwnerRoleMacro.hasPermission(OwnerRoleMacro.java:56)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.hasPermission(RoleMap.java:77)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.access$000(RoleMap.java:51)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap$AclImpl.hasPermission(RoleMap.java:302)
            at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
            at hudson.security.SidACL._hasPermission(SidACL.java:69)
            at hudson.security.SidACL.hasPermission(SidACL.java:51)
            at hudson.security.ACL.hasPermission(ACL.java:64)
            at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
            at jenkins.model.Jenkins.getItem(Jenkins.java:2236)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectByName(InheritanceProject.java:521)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectFromRequest(InheritanceProject.java:1826)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersionFromRequest(InheritanceProject.java:1930)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2015)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getUserDesiredVersion(InheritanceProject.java:2008)
            at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:182)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:2818)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2953)
            at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:2945)
            at com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerHelper.getOwnerProperty(JobOwnerHelper.java:57)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.getOwnership(AbstractOwnershipRoleMacro.java:68)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.AbstractOwnershipRoleMacro.hasPermission(AbstractOwnershipRoleMacro.java:94)
            at com.synopsys.arc.jenkins.plugins.ownership.security.rolestrategy.OwnerRoleMacro.hasPermission(OwnerRoleMacro.java:56)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.hasPermission(RoleMap.java:77)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap.access$000(RoleMap.java:51)
            at com.michelin.cio.hudson.plugins.rolestrategy.RoleMap$AclImpl.hasPermission(RoleMap.java:302)
            at hudson.security.SidACL$1.hasPermission(SidACL.java:141)
            at hudson.security.SidACL._hasPermission(SidACL.java:69)
            at hudson.security.SidACL.hasPermission(SidACL.java:51)
            at hudson.security.ACL.hasPermission(ACL.java:64)
            at hudson.model.AbstractItem.hasPermission(AbstractItem.java:448)
            at jenkins.model.Jenkins.getItem(Jenkins.java:2236)

            oleg_nenashev Oleg Nenashev made changes -
            Assignee Oleg Nenashev [ oleg_nenashev ] Martin Schröder [ mhschroe ]
            Labels build jenkins job plugins security
            oleg_nenashev Oleg Nenashev made changes -
            Labels job plugins security stacktrace
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-21021 [ JENKINS-21021 ]
            oleg_nenashev Oleg Nenashev added a comment - - edited

            JENKINS-21021 is a similar issue. I suppose that there is nothing to do inside ownership and role-strategy plugins

            oleg_nenashev Oleg Nenashev made changes -
            Summary Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration [Inheritance Plugin] - Not able to build using build button when creating a job by using Inheritance Project together with ownership + project role configuration
            alex_ouzounis Alex Ouzounis added a comment -

            Hi all,

            Is anyone working on this? I would be interested in having a look as long as someone throws me some pointers.

            Many thanks,

            Alex

            mhschroe Martin Schröder added a comment -

            Hi Alex, hi everyone else.

            We've seen the issue on this tracker and added it to our internal bug tracking system as soon as it appeared.

            Unfortunately, a big product roll-out has been tying up all of our resources since the start of the year.
            That means that we can't fully focus on external bug reports as long as we can't replicate them in our setup. We had used the "Role-Based Permission Plugin" earlier, but switched to a different in-house permission plugin, making replication problematic.

            Even when we used the other plugin, we did not see an issue like this. As far as security permissions go, the Inheritance Plugin behaves exactly like any other Project, since it leaves permission handling to the "Project" superclass. The obvious caveat to this is, of course, that permissions do not "trickle down" to inherited projects. Job permissions must match a job (or its name) exactly; no inheritance is applied to them.

            The weirdest thing about the issue described in the bug report is that the screenshot shows the "Build" options in the side-panel. Those check exactly the same permissions that are needed for actually scheduling the build.

            We'll try to replicate this issue and see if we can indeed find a problem.

            Best regards,
            Martin.

            alex_ouzounis Alex Ouzounis added a comment - - edited

            Hi Martin,

            Thanks for your reply.

            To reproduce the reported issue, all you need is:

            1. Install the Role Strategy Plugin.
            2. Install the Inheritance Plugin.
            3. Create an Abstract inheritance project, let's call it projA, with parameter paramA, over-writable.
            4. Create an Inheritance project, let's call it project_final, that extends projA and overwrites the inheritance parameter reference paramA.
            5. Make sure user TEST_USER has no build privileges in Manage Roles, then create a Project Role with pattern project_.* and enable the job build permissions.
            6. Assign that role to TEST_USER via the assign roles page.
            7. Sign in as TEST_USER and you will see the build with parameters button in p which when you click you get user TEST_USER has no job/build permissions.

            Even when I set the pattern in step 5 to .* i.e. everything, I still get the same error, as initially I thought that someone building project_final would require build rights for projA (sounded more like a bug rather than anything else but still).

            I will try and have a look in the code to see what is happening.

            Alex

            alex_ouzounis Alex Ouzounis added a comment -

            I also forgot to mention that I am using afitz/jenkins-inheritance-plugin which contains bugfixes I really need related to scm polling etc.
            The issue reported is also present in the master i-m-c/jenkins-inheritance-plugin so no difference here, I just thought to mention it.

            mhschroe Martin Schröder added a comment -

            It's very curious, because the reproduction steps outlined by you closely mirror what we did, when we still used the "Role Strategy Plugin".

            But since the issue seems really easy to replicate (thanks for the detailed guide, by the way!), we should be able to track down this issue.

            As for using the afitz/jenkins-inheritance-plugin branch, that's okay. Our own code-base is using a related patch to the one in his branch, so it shouldn't be a problem. When we get a bit more breathing room after the roll-out is done, we'll publish all those changes that have occurred in our internal codebase.

            At the moment, we simply lack the time to properly test the openly published releases. After all, testing for an internal project is always easier than testing for the rest of the world.

            oleg_nenashev Oleg Nenashev added a comment -

            @Martin
            See the stacktrace above.
            The issue is caused by getProjectByName(), which invokes the permission check on the job.
            If any SecurityStrategy tries to access job properties, there will be an infinite cycle
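
The cycle described in the comment above, modelled as an added example that is not code from Jenkins, the plugins or this thread. The `Registry`, `Job` and `OwnershipStrategy` classes are hypothetical, and the re-entrancy guard is one possible way to surface the cycle as a clear error, not the fix the plugin adopted.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of the cycle in the stack trace; not Jenkins or plugin code. */
public class PermissionCycleDemo {

    /** Raised when a permission check re-enters itself on the same thread. */
    static class ReentrantCheckException extends RuntimeException {
        ReentrantCheckException(String message) { super(message); }
    }

    /** Holds jobs and hides those the caller may not read (hypothetical registry). */
    static class Registry {
        final Map<String, Job> jobs = new HashMap<>();
        OwnershipStrategy strategy;

        Job getItem(String name, String user) {
            Job job = jobs.get(name);
            // The lookup itself asks the authorization strategy for a decision.
            return (job != null && strategy.hasPermission(job, user)) ? job : null;
        }
    }

    static class Job {
        final String name;
        final String owner;
        final Registry registry;

        Job(String name, String owner, Registry registry) {
            this.name = name;
            this.owner = owner;
            this.registry = registry;
        }

        /** Property read that resolves the job by name through the checked lookup. */
        String ownerViaCheckedLookup(String user) {
            Job resolved = registry.getItem(name, user);
            return resolved == null ? null : resolved.owner;
        }

        /** Property read that touches only this object's own field. */
        String ownerDirect() { return owner; }
    }

    /** Grants access to a job's owner, so it must read a job property to decide. */
    static class OwnershipStrategy {
        final boolean checkedLookup;
        final boolean guard;
        private final ThreadLocal<Boolean> inCheck = ThreadLocal.withInitial(() -> false);

        OwnershipStrategy(boolean checkedLookup, boolean guard) {
            this.checkedLookup = checkedLookup;
            this.guard = guard;
        }

        boolean hasPermission(Job job, String user) {
            if (guard && inCheck.get()) {
                throw new ReentrantCheckException("permission check for '" + job.name
                        + "' re-entered while reading job properties");
            }
            inCheck.set(true);
            try {
                String owner = checkedLookup
                        ? job.ownerViaCheckedLookup(user)
                        : job.ownerDirect();
                return user.equals(owner);
            } finally {
                inCheck.set(false);
            }
        }
    }

    /** Runs one check for constructed job "A" owned by swbuild and reports how it ended. */
    static String outcome(boolean checkedLookup, boolean guard) {
        Registry registry = new Registry();
        registry.strategy = new OwnershipStrategy(checkedLookup, guard);
        Job job = new Job("A", "swbuild", registry);
        registry.jobs.put(job.name, job);
        try {
            return "allowed=" + registry.strategy.hasPermission(job, "swbuild");
        } catch (StackOverflowError e) {
            return "StackOverflowError (unbounded recursion)";
        } catch (ReentrantCheckException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("checked lookup, no guard : " + outcome(true, false));
        System.out.println("checked lookup, guarded  : " + outcome(true, true));
        System.out.println("direct property read     : " + outcome(false, true));
    }
}
```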

            alex_ouzounis Alex Ouzounis added a comment -

            Hi Martin,

            I am seeing the exact same issue when using the Jenkins core "Project-based Matrix Authorization Strategy".

            So we can clearly rule out this being an issue of the Role-Based Strategy Plugin.

            Alex

            alex_ouzounis Alex Ouzounis added a comment -

            Hi Oleg,

            So what do you propose doing? All the code does is call the Jenkins.getItem method, which in turn checks for read permissions.
            That looks sensible to me. What do you think?

            Alex

            mhschroe Martin Schröder added a comment - - edited

            @Oleg

            We already had a bug previously that caused a deadlock on getProperties(), which was also caused by a zealous property check on a seemingly innocuous function call. That was solved by adding a suitable locking mechanism.
            As such, it is possible that the code might not just risk a deadlock or infinite loop, but also might run into the simple permission check issue from this ticket. After all, to determine if a Job can be built, it must look if the settings it inherits from its parent make sense; thus it needs to retrieve the properties of its parents.

            We'll try to trace this bug in a debugging session based on your stacktrace and Alex's replication guide. We'll keep you posted once we've fixed it. Of course, since the code is open source, you can also try to dig into it. We are certainly no strangers to "external" patch submissions.

            alex_ouzounis Alex Ouzounis added a comment - - edited

            Hi Martin,

            Some good news.
            I noticed your recent changes and I pulled them to my fork ( https://github.com/alexouzounis/jenkins-inheritance-plugin ) which in turn is a fork of https://github.com/afitz/jenkins-inheritance-plugin because I need the changes for the SCM trigger etc.
            As a quick Sunday project I pulled your changes from https://github.com/i-m-c/jenkins-inheritance-plugin and apart from a few conflicts in the InheritanceGovernor the merge went fine.
            Rebooted Jenkins and it seems that now the Role Strategy plugin works as expected. Creating a role for some inheritance projects to have build rights works now as expected.

            As far as I am concerned the issue is now resolved from your latest changes and the ticket can be closed.

            It would be nice though for you to merge the changes from https://github.com/afitz/jenkins-inheritance-plugin ( I think there is a pull request from him already ) so that we can stop maintaining our own forks.

            Thanks,

            Alex

            ======

            UPDATE: see comment below, it still does not work

            alex_ouzounis Alex Ouzounis added a comment - - edited

            Please ignore the above comment.

            Unfortunately I spoke too soon. I just had a misconfiguration in the role strategies. Well, it was worth the try anyway.
            All I get is:

            INFO: While serving http://JENKINS_HOME/job/JOB_TO_BUILD/build: hudson.security.AccessDeniedException2: USER is missing the Job/Build permission

            No exception or anything, which is rather confusing.

            alex_ouzounis Alex Ouzounis added a comment - - edited

            Found the bug and fixed it in my fork. The problem was in the doBuild method of the InheritanceProject, where you call the ACL to see if the user has permissions to build. The problem was that you were not using the super method checkPermission from the AbstractItem but implementing it yourself.

            Here is my commit: https://github.com/alexouzounis/jenkins-inheritance-plugin/commit/05263af27577387f8c4b014a60a11ec94a0a81ef

            As you can see, what was currently happening is:

            ACL acl = Jenkins.getInstance().getACL();
            acl.checkPermission(BUILD);

            whereas the super.checkPermission does:

            Jenkins.getInstance().getAuthorizationStrategy().getACL(this).checkPermission(BUILD);

            The difference is that before the ROOT ACL was used (i.e. the global config) whereas now it also takes into account permissions available specifically for that project.

            Feel free to merge back.

            Alex
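
The difference between the two lookups described in the comment above, as an added example that is not the plugin's or Jenkins' own code: a small self-contained model in which the root ACL sees only global roles and the item ACL also sees roles granted on one job. `ItemAclDemo`, `Acl`, `RoleStrategy`, `tryBuild` and the sample users and grants are hypothetical stand-ins constructed for this illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration: a minimal model of root-ACL vs. item-ACL permission checks.
// Every class and method name here is a hypothetical stand-in, not a Jenkins class.
public class ItemAclDemo {

    /** Answers "may this user do this?" for one scope (global, or one job). */
    interface Acl {
        boolean hasPermission(String user, String permission);

        default void checkPermission(String user, String permission) {
            if (!hasPermission(user, permission)) {
                throw new SecurityException(user + " is missing the " + permission + " permission");
            }
        }
    }

    /** Stand-in for a role-based strategy holding global grants and per-job grants. */
    static final class RoleStrategy {
        private final Map<String, Set<String>> globalGrants;               // user -> permissions
        private final Map<String, Map<String, Set<String>>> projectGrants; // job -> user -> permissions

        RoleStrategy(Map<String, Set<String>> globalGrants,
                     Map<String, Map<String, Set<String>>> projectGrants) {
            this.globalGrants = globalGrants;
            this.projectGrants = projectGrants;
        }

        /** Root ACL: only global roles are visible from here. */
        Acl getRootAcl() {
            return (user, perm) -> globalGrants.getOrDefault(user, Set.of()).contains(perm);
        }

        /** Item ACL: global roles plus the roles granted on this particular job. */
        Acl getAcl(String job) {
            Acl root = getRootAcl();
            return (user, perm) -> root.hasPermission(user, perm)
                    || projectGrants.getOrDefault(job, Map.of())
                                    .getOrDefault(user, Set.of()).contains(perm);
        }
    }

    /** Runs the build permission check against the given ACL and reports the outcome. */
    static String tryBuild(Acl acl, String user) {
        try {
            acl.checkPermission(user, "Job/Build");
            return "build scheduled";
        } catch (SecurityException e) {
            return "Access Denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: "swbuild" holds Job/Build only through a project role on job "A".
        RoleStrategy strategy = new RoleStrategy(
                Map.of("siclee", Set.of("Job/Build", "Job/Configure")),
                Map.of("A", Map.of("swbuild", Set.of("Job/Build", "Job/Configure"))));

        // Check against the root ACL: the project role is invisible, so the build is refused.
        System.out.println("root ACL, job A: " + tryBuild(strategy.getRootAcl(), "swbuild"));
        // Check against the item ACL of job "A": the project role is taken into account.
        System.out.println("item ACL, job A: " + tryBuild(strategy.getAcl("A"), "swbuild"));
        // The item ACL stays scoped: no grant on job "B" means no build there.
        System.out.println("item ACL, job B: " + tryBuild(strategy.getAcl("B"), "swbuild"));
    }
}
```

The third call shows why the item-scoped check is also the least-privilege one: the user gains Build on the job where the role applies and nowhere else, unlike the global-permission workaround mentioned later in this thread.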

            hschaa Helmut Schaa added a comment -

            I've just run into the same issue where the inheritance plugin in conjunction with the project based matrix authorization plugin causes a stack overflow due to an infinite recursion.

            The fix mentioned by Alex in the previous commit does however not fix the problem.

            Here's part of the stack trace. I've cut it since it's repeating anyway.

            java.lang.StackOverflowError
                    at hudson.model.ParameterDefinition.<init>(ParameterDefinition.java:111)
                    at hudson.model.SimpleParameterDefinition.<init>(SimpleParameterDefinition.java:19)
                    at hudson.model.ChoiceParameterDefinition.<init>(ChoiceParameterDefinition.java:44)
                    at hudson.model.ChoiceParameterDefinition.copyWithDefaultValue(ChoiceParameterDefinition.java:53)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.copyAndSortParametersByName(InheritanceParametersDefinitionProperty.java:212)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.<init>(InheritanceParametersDefinitionProperty.java:181)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.createMerged(InheritanceParametersDefinitionProperty.java:245)
                    at hudson.plugins.project_inheritance.projects.inheritance.ParameterSelector.merge(ParameterSelector.java:71)
                    at hudson.plugins.project_inheritance.projects.inheritance.ParameterSelector.merge(ParameterSelector.java:29)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceSelector.applyAgainstList(InheritanceSelector.java:264)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.reduceByMergeWithDuplicates(InheritanceGovernor.java:324)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.reduceByMerge(InheritanceGovernor.java:343)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject$9.reduceFromFullInheritance(InheritanceProject.java:3062)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject$9.reduceFromFullInheritance(InheritanceProject.java:3038)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:204)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:3068)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:3202)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:3194)
                    at hudson.security.ProjectMatrixAuthorizationStrategy.getACL(ProjectMatrixAuthorizationStrategy.java:54)
                    at hudson.model.Job.getACL(Job.java:1482)
                    at hudson.model.AbstractItem.hasPermission(AbstractItem.java:505)
                    at jenkins.model.Jenkins.getItem(Jenkins.java:2344)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getProjectByName(InheritanceProject.java:521)
                    at hudson.plugins.project_inheritance.projects.references.AbstractProjectReference.reloadProjectObject(AbstractProjectReference.java:90)
                    at hudson.plugins.project_inheritance.projects.references.AbstractProjectReference.<init>(AbstractProjectReference.java:71)
                    at hudson.plugins.project_inheritance.projects.references.SimpleProjectReference.<init>(SimpleProjectReference.java:43)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllParentReferences(InheritanceProject.java:2599)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.getAllScopedParameterDefinitions(InheritanceParametersDefinitionProperty.java:551)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritableStringParameterReferenceDefinition.getParent(InheritableStringParameterReferenceDefinition.java:80)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritableStringParameterReferenceDefinition.getDescription(InheritableStringParameterReferenceDefinition.java:168)
                    at hudson.model.StringParameterDefinition.getDefaultParameterValue(StringParameterDefinition.java:68)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritableStringParameterDefinition.getDefaultParameterValue(InheritableStringParameterDefinition.java:641)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritableStringParameterDefinition.getDefaultParameterValue(InheritableStringParameterDefinition.java:56)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.copyAndSortParametersByName(InheritanceParametersDefinitionProperty.java:212)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.<init>(InheritanceParametersDefinitionProperty.java:181)
                    at hudson.plugins.project_inheritance.projects.parameters.InheritanceParametersDefinitionProperty.createMerged(InheritanceParametersDefinitionProperty.java:245)
                    at hudson.plugins.project_inheritance.projects.inheritance.ParameterSelector.merge(ParameterSelector.java:71)
                    at hudson.plugins.project_inheritance.projects.inheritance.ParameterSelector.merge(ParameterSelector.java:29)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceSelector.applyAgainstList(InheritanceSelector.java:264)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.reduceByMergeWithDuplicates(InheritanceGovernor.java:324)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.reduceByMerge(InheritanceGovernor.java:343)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject$9.reduceFromFullInheritance(InheritanceProject.java:3062)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject$9.reduceFromFullInheritance(InheritanceProject.java:3038)
                    at hudson.plugins.project_inheritance.projects.inheritance.InheritanceGovernor.retrieveFullyDerivedField(InheritanceGovernor.java:204)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getAllProperties(InheritanceProject.java:3068)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:3202)
                    at hudson.plugins.project_inheritance.projects.InheritanceProject.getProperty(InheritanceProject.java:3194)
                    at hudson.security.ProjectMatrixAuthorizationStrategy.getACL(ProjectMatrixAuthorizationStrategy.java:54)
                    at hudson.model.Job.getACL(Job.java:1482)
                    at hudson.model.AbstractItem.hasPermission(AbstractItem.java:505)
                    at jenkins.model.Jenkins.getItem(Jenkins.java:2344)
            
            akjoshi Abhishek Joshi made changes -
            Attachment AccessDeniedError.png [ 32719 ]
            akjoshi Abhishek Joshi added a comment -

            I am also facing the same issue, with Inheritance and Role strategy plug-in; I have project roles for some specific jobs and everything works fine except Build, when you try to build the job (Build with parameters link is displayed correctly) it shows Access Denied error -

            Has anyone tried the fix provided by Alex Ouzounis?

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 153254 ] JNJira + In-Review [ 178468 ]
            oleg_nenashev Oleg Nenashev made changes -
            Component/s ownership-plugin [ 17721 ]
            Component/s role-strategy-plugin [ 15758 ]
            suvir_pavin Suvir Pavin added a comment -

            We are also having a similar issue. Can this be fixed ASAP? We have to give users Global Permission as a workaround, which is not good. Please fix this ASAP.

            oleg_nenashev Oleg Nenashev added a comment -

            Suvir Pavin feel free to contribute.

            suvir_pavin Suvir Pavin added a comment -

            Oleg Nenashev I tested change done by Alex Ouzounis https://github.com/alexouzounis/jenkins-inheritance-plugin/commit/05263af27577387f8c4b014a60a11ec94a0a81ef 

            This seems to be working, can we include this as part of the next release?

            oleg_nenashev Oleg Nenashev added a comment -

            Suvir Pavin I am not a maintainer of the Inheritance Project plugin, so I cannot help much. Currently the plugin is being hosted outside the jenkinsci organization on GitHub, and I am not sure that Martin Schröder is reachable. I would recommend reaching out to the maintainer somehow.

            suvir_pavin Suvir Pavin added a comment -

            Thanks Oleg Nenashev for the info.

            Martin Schröder can you please include the fix as part of next release?

              People

              Assignee:
              mhschroe Martin Schröder
              Reporter:
              siclee Siang Choon Lee
              Votes:
              8
              Watchers:
              11
