Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-2186

"Project-based Matrix Authorization Strategy" - weird behavior

    • Icon: Patch Patch
    • Resolution: Fixed
    • Icon: Major Major
    • _unsorted
    • None
    • Platform: All, OS: All

      Global authorization (set up in in "Configure System") is ignored when a project
      has defined its own local authorization matrix. That seems to be wrong behavior,
      shouldn't the local authorization extend the global instead of overriding it?

          [JENKINS-2186] "Project-based Matrix Authorization Strategy" - weird behavior

          mast76 created issue -

          clemp6r added a comment -

          Changed subcomponent to "security".

          clemp6r added a comment - Changed subcomponent to "security".

          klattenhoff added a comment -

          Yes, this would be glad, but then the read-permission has to be added to the
          projects (like I suggested in ISSUE# 2324) - otherwise you have no chance to
          deactivate read-permissions for single projects.

          klattenhoff added a comment - Yes, this would be glad, but then the read-permission has to be added to the projects (like I suggested in ISSUE# 2324) - otherwise you have no chance to deactivate read-permissions for single projects.

          Dean Yu added a comment -

          And similarly, global admin privs are not exposed, so an admin is not able to
          view the Maven Process Information pages on a project with security enabled.

          Dean Yu added a comment - And similarly, global admin privs are not exposed, so an admin is not able to view the Maven Process Information pages on a project with security enabled.

          adphillips added a comment -

          I have been working on adding READ permission to jobs (see issue #2324). As I
          was working on this, I did encounter this "wierdness". I'm proceeding with the
          fix mentioned in this forum thread:
          http://www.nabble.com/Read-permission-on-Jobs-td20650539.html. The basic idea
          is permissions are additive, so if you have permission to operate on a job
          defined either globally or at the job level, you will be granted this
          permission. The cost you pay for this approach is there will be no way to
          mask-out a permission at the job level if it is granted globally. If anyone has
          objections, please raise them.

          adphillips added a comment - I have been working on adding READ permission to jobs (see issue #2324). As I was working on this, I did encounter this "wierdness". I'm proceeding with the fix mentioned in this forum thread: http://www.nabble.com/Read-permission-on-Jobs-td20650539.html . The basic idea is permissions are additive, so if you have permission to operate on a job defined either globally or at the job level, you will be granted this permission. The cost you pay for this approach is there will be no way to mask-out a permission at the job level if it is granted globally. If anyone has objections, please raise them.
          adphillips made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          adphillips added a comment -

          Reassigning to myself

          adphillips added a comment - Reassigning to myself
          adphillips made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]

          adphillips added a comment -

          fix complete will submit patch soon

          adphillips added a comment - fix complete will submit patch soon
          adphillips made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

            adphillips adphillips
            mast76 mast76
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: