JENKINS-22949

QueueItemAuthenticator fallback behavior cleanup


Details

    Description

      Currently Queue.Item.authenticate and Tasks.getAuthenticationOf check any configured QueueItemAuthenticator instances for a specific answer, then fall back to Queue.Task.getDefaultAuthentication, which for compatibility is normally SYSTEM. This behavior makes sense if there are no configured authenticators (the default case), or if there is an authenticator which returns a non-null authentication for every task.

      The problematic case is when there is a configured authenticator yet it returns null for the given task or item. This could happen if for example ProjectQueueItemAuthenticator were configured yet a user created a new job and did not add an AuthorizeProjectProperty. Now the job runs as SYSTEM, with full privileges, whereas we would really want it to run as ANONYMOUS, with no special privileges.

      BuildTrigger and ReverseBuildTrigger already specially handle this case by substituting ANONYMOUS for SYSTEM while they run (and in the former case printing a warning to the build console). But this does not extend to other plugin or core access control checks.

      In particular, Computer.BUILD is checked in two places (on Item) when deciding whether to build a job on a particular slave. You would expect to be able to control access to sensitive slaves by selectively granting BUILD only to certain people, and then requiring them to associate themselves with jobs they wish to build on those slaves. But this scheme cannot work if they can simply omit any authentication on the job and still have the build be authorized. (Jenkins Enterprise by CloudBees has a feature using a different scheme for the same use case.)

      It would be better if the callers of QueueItemAuthenticator.authenticate fell back to getDefaultAuthentication but replaced SYSTEM with ANONYMOUS in case there were at least one authenticator consulted. Then the replacement of SYSTEM with ANONYMOUS could be removed from both BuildTrigger and ReverseBuildTrigger. BuildTrigger.warning_you_have_no_plugins_providing_ac and BuildTrigger.warning_access_control_for_builds_in_glo could be left as is, or made more generic and moved into Run.execute; BuildTrigger.warning_this_build_has_no_associated_aut should be made more generic and moved into Run.execute (and Run.running_as_ printed with anonymous).
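
      The fallback described in this issue, as an added stand-alone model (not Jenkins code and not part of the original report): it contrasts the current resolution with the proposed one and shows the effect on a BUILD check for a sensitive agent. The class, method names, job names, user and ACL are hypothetical; identities are plain strings rather than Jenkins authentication objects.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Function;

// Simplified model only: an authenticator is a function from job name to an
// identity, returning null when it has no answer for that job.
public class QueueAuthFallbackModel {
    static final String SYSTEM = "SYSTEM";
    static final String ANONYMOUS = "anonymous";

    // Current behaviour: first non-null answer wins, otherwise the task default.
    static String resolveCurrent(List<Function<String, String>> authenticators,
                                 String job, String defaultAuth) {
        for (Function<String, String> a : authenticators) {
            String answer = a.apply(job);
            if (answer != null) return answer;
        }
        return defaultAuth;
    }

    // Proposed behaviour: same lookup, but when at least one authenticator was
    // consulted and none answered, a SYSTEM default is replaced with ANONYMOUS.
    static String resolveProposed(List<Function<String, String>> authenticators,
                                  String job, String defaultAuth) {
        for (Function<String, String> a : authenticators) {
            String answer = a.apply(job);
            if (answer != null) return answer;
        }
        boolean consulted = !authenticators.isEmpty();
        return consulted && SYSTEM.equals(defaultAuth) ? ANONYMOUS : defaultAuth;
    }

    // Constructed ACL: BUILD on the sensitive agent is granted to alice only;
    // SYSTEM passes every permission check.
    static boolean mayBuildOnSensitiveAgent(String identity) {
        return SYSTEM.equals(identity) || "alice".equals(identity);
    }

    public static void main(String[] args) {
        // Constructed data: only "deploy" has a run-as identity configured.
        Map<String, String> runAs = Map.of("deploy", "alice");
        Function<String, String> perProject = runAs::get;
        for (String job : List.of("deploy", "new-job")) {
            String cur = resolveCurrent(List.of(perProject), job, SYSTEM);
            String prop = resolveProposed(List.of(perProject), job, SYSTEM);
            System.out.printf("%-8s current=%s (build=%b) proposed=%s (build=%b)%n", job,
                    cur, mayBuildOnSensitiveAgent(cur), prop, mayBuildOnSensitiveAgent(prop));
        }
    }
}
```

      In this model the unconfigured "new-job" resolves to SYSTEM and passes the agent check under the current logic, while the proposed logic resolves it to anonymous and the check fails; with an empty authenticator list both variants keep the SYSTEM default.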

          Activity

            danielbeck Daniel Beck added a comment -

            jglick

            You wrote:

            • Freestyle projects may now list Pipeline jobs as downstream and trigger them, without needing to use the Parameterized Trigger plugin or reverse triggers.

            I used:

            Freestyle projects may now list Pipeline jobs as downstream and trigger them, without needing to use the Parameterized Trigger plugin or reverse triggers ("Build after other projects are built"). (issue 28113)

            No mention of this cleanup AFAICT.

            jglick Jesse Glick added a comment -

            I think you are mixing this up with an unrelated issue.

            danielbeck Daniel Beck added a comment -

            jglick The merge commit is for PR 2873. The referenced PR, 2881, is still open. The state of this issue is unclear to me.

            jglick Jesse Glick added a comment -

            Sorry, this is still open.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Executor.java
            core/src/main/java/hudson/tasks/BuildTrigger.java
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            core/src/main/resources/hudson/tasks/Messages.properties
            core/src/main/resources/hudson/tasks/Messages_bg.properties
            core/src/main/resources/hudson/tasks/Messages_de.properties
            core/src/main/resources/hudson/tasks/Messages_pt_BR.properties
            core/src/main/resources/hudson/tasks/Messages_sr.properties
            test/src/test/java/hudson/tasks/BuildTriggerTest.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/915543dca5399d3ba052219ddfe9c3c061e70726
            Log:
            JENKINS-22949 BuildTrigger & ReverseBuildTrigger should respect QueueItemAuthenticatorConfiguration (#2881)

            • JENKINS-22949 Simplifying behavior of BuildTrigger & ReverseBuildTrigger to honor QueueItemAuthenticator’s as defined, rather than falling back to anonymous.
            • There is no need to impersonate what is already the current thread’s authentication.

            People

              jglick Jesse Glick