
Feature - Set read permission by project for project-based security

    • Patch
    • Resolution: Fixed
    • Critical
    • _unsorted
    • None
    • Platform: All, OS: All

      We'd like to use hudson for different projects with different team members,
      which only should see the projects in which they work, not all projects.

      We use the user directory from hudson itself and the "Project-based Matrix
      Authorization Strategy"...

          [JENKINS-2324] Feature - Set read permission by project for project-based security

          adphillips added a comment -

          I should add that getItems(type) change made in the new patch provides the
          additional security feature:

          • names of jobs for which the user has no read permissions will be shown as
            non-existent in places such as setting up dependent builds.


          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/model/Item.java
          trunk/hudson/main/core/src/main/java/hudson/triggers/SafeTimerTask.java
          trunk/hudson/main/core/src/main/resources/lib/hudson/executors.jelly
          trunk/hudson/main/core/src/main/resources/lib/hudson/project/upstream-downstream.jelly
          trunk/hudson/main/core/src/main/resources/lib/hudson/queue.jelly
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17297
          Log:
          [FIXED JENKINS-2324] applied a patch.
          I tweaked the patch slightly so that all the background activity gets SYSTEM credential automatically. I think this is less error prone for plugin developers.
          This change will be in 1.301.


          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
          trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17390
          Log:
          JENKINS-2324 Added an automatic migration of the data


          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
          trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17395
          Log:
          JENKINS-2324 Added an automatic migration of the data


          Code changed in hudson
          User: kohsuke
          Path:
          branches/rc/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          branches/rc/core/src/main/java/hudson/util/VersionNumber.java
          branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17436
          Log:
          bug fix for the auto upgrade handling for JENKINS-2324.


          Code changed in hudson
          User: kohsuke
          Path:
          branches/rc/core/src/main/java/hudson/model/Hudson.java
          branches/rc/core/src/main/java/hudson/util/VersionNumber.java
          branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17437
          Log:
          bug fix for the auto upgrade handling for JENKINS-2324.


          mdonohue added a comment -

          See issue 3630 for a different opinion on sending 404 when the user does not
          have read permission


          nathan nobbe added a comment -

          Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs.

          In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to same LDAP group that worked on global level). Removing the global entry and leaving just the job level configuration users cannot login anymore and get the error '... is missing the read permission'.

          Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.


          Daniel Beck added a comment -

          Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.

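The behaviour described in the comment above, as an added sketch that is not part of the original thread and is not Jenkins source code: a simplified Python model of additive matrix authorization, evaluated against three constructed configurations. The users, group names (ROLE_TEAM_A, ROLE_TEAM_B) and job names are assumptions made up for the example.

```python
# Simplified model of additive matrix authorization (not Jenkins source code).
OVERALL_READ, JOB_READ = "Overall/Read", "Job/Read"

def has_permission(sids, perm, global_acl, job_acl=None):
    """Grants are additive: a global grant OR a project grant is sufficient.
    There are no deny entries, so a project cannot revoke a global grant."""
    return any(sids & acl.get(perm, set()) for acl in (global_acl, job_acl or {}))

def visible_jobs(sids, global_acl, jobs):
    """Names of the jobs this user can read; all others appear non-existent."""
    if not has_permission(sids, OVERALL_READ, global_acl):
        raise PermissionError("user is missing the Overall/Read permission")
    return sorted(name for name, job_acl in jobs.items()
                  if has_permission(sids, JOB_READ, global_acl, job_acl))

# Constructed sample data: two teams, one job each, project-based security on.
ALICE = {"alice", "authenticated", "ROLE_TEAM_A"}
BOB = {"bob", "authenticated", "ROLE_TEAM_B"}
JOBS = {
    "app-a": {JOB_READ: {"ROLE_TEAM_A"}},
    "app-b": {JOB_READ: {"ROLE_TEAM_B"}},
}

# 1. Job/Read granted globally: project entries cannot narrow it.
GLOBAL_JOB_READ = {OVERALL_READ: {"authenticated"}, JOB_READ: {"authenticated"}}
# 2. No global entry at all: nobody passes the Overall/Read gate.
NO_GLOBAL_ENTRY = {}
# 3. Overall/Read global, Job/Read only per project.
RECOMMENDED = {OVERALL_READ: {"authenticated"}}

def outcome(sids, global_acl):
    """Visible job names for this user, or the denial message."""
    try:
        return visible_jobs(sids, global_acl, JOBS)
    except PermissionError as exc:
        return f"denied: {exc}"

if __name__ == "__main__":
    for label, acl in [("global Job/Read", GLOBAL_JOB_READ),
                       ("no global entry", NO_GLOBAL_ENTRY),
                       ("recommended", RECOMMENDED)]:
        print(f"{label:16} alice={outcome(ALICE, acl)} bob={outcome(BOB, acl)}")
```
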

          Paul P added a comment -

          Just a trivial question, where would I be putting this patch. Am not sure where to put this patch. Please help.


            adphillips
            klattenhoff