Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-2324

Feature - Set read permission by project for project-based security

    • Icon: Patch Patch
    • Resolution: Fixed
    • Icon: Critical Critical
    • _unsorted
    • None
    • Platform: All, OS: All

      We'd like to use hudson for different projects with different team members,
      which only should see the projects in which they work, not all projects.

      We use the user directory from hudson itself and the "Project-based Matrix
      Authorization Strategy"...

          [JENKINS-2324] Feature - Set read permission by project for project-based security

          adphillips added a comment -

          I am implementing READ permission at the job level.
          When this is done, a user that lacks the READ permission for a particular job
          will not:

          • see that job in any view
          • be able to access the job page directly
          • see any reference to the job (for instance in upstream or downstream dependencies)

          There is a related forum post where I am looking for feedback on what ACLs to
          use: http://www.nabble.com/Read-permission-on-Jobs-td20650539.html

          adphillips added a comment - I am implementing READ permission at the job level. When this is done, a user that lacks the READ permission for a particular job will not: see that job in any view be able to access the job page directly see any reference to the job (for instance in upstream or downstream dependencies) There is a related forum post where I am looking for feedback on what ACLs to use: http://www.nabble.com/Read-permission-on-Jobs-td20650539.html

          adphillips added a comment -

          Reassigned issue to myself

          adphillips added a comment - Reassigned issue to myself

          adphillips added a comment -

          fix in progress, waiting on feedback on what to do about SYSTEM authentication.
          See this thread: http://www.nabble.com/SYSTEM-authentication-td20988049.html

          adphillips added a comment - fix in progress, waiting on feedback on what to do about SYSTEM authentication. See this thread: http://www.nabble.com/SYSTEM-authentication-td20988049.html

          adphillips added a comment -

          Created an attachment (id=477)
          READ permissions patch

          adphillips added a comment - Created an attachment (id=477) READ permissions patch

          adphillips added a comment -

          See attached patch file...

          This patch provides the ability to hide jobs from the view of certain users
          (including anonymous). The Co
          nfigure System page in Manage Hudson now will display a READ permission under
          the Job heading. If not che
          cked, the user will be denied access to the job in the following ways:

          • the job will not be visible in any views
          • upstream and downstream dependencies referencing this job will be hidden
          • the job will not be accessable by a direct URL reference (404 will occur)
          • if the job is scheduled to be built, it will show up as "Unknown Task" in the
            build queue
          • the job will also show as "Unkown Task" in the Build Executor when the job is
            building

          Files Changed:

          Set authentication to SYSTEM in the following processes:

          • WebAppMain "hudson initialization thread"
          • Hudson constructor
          • Trigger.Cron threads

          AbstractProject.java:

          • Updated deprecated permissions checks

          Hudson.java:

          • retrieval of Items is now access controlled. Only readable items are returned.

          Item.java:

          • added READ permission oject

          GlobalMatrixAuthorizationStrategy.java:

          • removed unused private method readResolve. It appears this is a left-over
            from an old ACL implementatio
            n

          adphillips added a comment - See attached patch file... This patch provides the ability to hide jobs from the view of certain users (including anonymous). The Co nfigure System page in Manage Hudson now will display a READ permission under the Job heading. If not che cked, the user will be denied access to the job in the following ways: the job will not be visible in any views upstream and downstream dependencies referencing this job will be hidden the job will not be accessable by a direct URL reference (404 will occur) if the job is scheduled to be built, it will show up as "Unknown Task" in the build queue the job will also show as "Unkown Task" in the Build Executor when the job is building Files Changed: Set authentication to SYSTEM in the following processes: WebAppMain "hudson initialization thread" Hudson constructor Trigger.Cron threads AbstractProject.java: Updated deprecated permissions checks Hudson.java: retrieval of Items is now access controlled. Only readable items are returned. Item.java: added READ permission oject GlobalMatrixAuthorizationStrategy.java: removed unused private method readResolve. It appears this is a left-over from an old ACL implementatio n

          adphillips added a comment -

          changing issue type to PATCH

          adphillips added a comment - changing issue type to PATCH

          Peter Hayes added a comment -

          Any progress lately? I'd really like to see this enhancement,

          Peter Hayes added a comment - Any progress lately? I'd really like to see this enhancement,

          Alan Harder added a comment -
              • Issue 2993 has been marked as a duplicate of this issue. ***

          Alan Harder added a comment - Issue 2993 has been marked as a duplicate of this issue. ***

          kunzstefan added a comment -

          Are there any plans to integrate this patch in the hudson deployment?

          kunzstefan added a comment - Are there any plans to integrate this patch in the hudson deployment?

          huybrechts added a comment -
              • Issue 3108 has been marked as a duplicate of this issue. ***

          huybrechts added a comment - Issue 3108 has been marked as a duplicate of this issue. ***

          Alan Harder added a comment -
              • Issue 3243 has been marked as a duplicate of this issue. ***

          Alan Harder added a comment - Issue 3243 has been marked as a duplicate of this issue. ***

          adphillips added a comment -

          It's great to see so much interest in this. I will generate a new patch and see
          if we can get this introduced into hudson core.

          adphillips added a comment - It's great to see so much interest in this. I will generate a new patch and see if we can get this introduced into hudson core.

          hdenk added a comment -

          my favourite issue nice to see it STARTED

          this is another usecase for it:

          we have a release-process with the roles
          'developer' and 'buildmanager' and we do builds for
          integration and release in different jobs. developers should
          not see the release-build-jobs and the buildmanager wants
          not see integration-build-jobs.

          hdenk added a comment - my favourite issue nice to see it STARTED this is another usecase for it: we have a release-process with the roles 'developer' and 'buildmanager' and we do builds for integration and release in different jobs. developers should not see the release-build-jobs and the buildmanager wants not see integration-build-jobs.

          mdonohue added a comment -

          simplify the summary

          mdonohue added a comment - simplify the summary

          adphillips added a comment -

          Created an attachment (id=669)
          updated patch to work with hudson 1.300-SNAPSOT

          adphillips added a comment - Created an attachment (id=669) updated patch to work with hudson 1.300-SNAPSOT

          adphillips added a comment -

          I've addressed the concerns raised in
          http://www.nabble.com/Job-READ-permissions-patch-submitted-to21058873.html#a21058873
          as well as updated the patch to work in a trunk (1.300) codebase.

          adphillips added a comment - I've addressed the concerns raised in http://www.nabble.com/Job-READ-permissions-patch-submitted-to21058873.html#a21058873 as well as updated the patch to work in a trunk (1.300) codebase.

          adphillips added a comment -

          I should add that getItems(type) change made in the new patch provides the
          additional security feature:

          • names of jobs for which the user has no read permissions will be shown as
            non-existent in places such as setting up dependent builds.

          adphillips added a comment - I should add that getItems(type) change made in the new patch provides the additional security feature: names of jobs for which the user has no read permissions will be shown as non-existent in places such as setting up dependent builds.

          Code changed in hudson
          User: : kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/model/Item.java
          trunk/hudson/main/core/src/main/java/hudson/triggers/SafeTimerTask.java
          trunk/hudson/main/core/src/main/resources/lib/hudson/executors.jelly
          trunk/hudson/main/core/src/main/resources/lib/hudson/project/upstream-downstream.jelly
          trunk/hudson/main/core/src/main/resources/lib/hudson/queue.jelly
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17297
          Log:
          [FIXED JENKINS-2324] applied a patch.
          I tweaked the patch slightly so that all the background activity gets SYSTEM credential automatically. I think this is less error prone for plugin developers.
          This change will be in 1.301.

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java trunk/hudson/main/core/src/main/java/hudson/model/Item.java trunk/hudson/main/core/src/main/java/hudson/triggers/SafeTimerTask.java trunk/hudson/main/core/src/main/resources/lib/hudson/executors.jelly trunk/hudson/main/core/src/main/resources/lib/hudson/project/upstream-downstream.jelly trunk/hudson/main/core/src/main/resources/lib/hudson/queue.jelly trunk/www/changelog.html http://fisheye4.cenqua.com/changelog/hudson/?cs=17297 Log: [FIXED JENKINS-2324] applied a patch. I tweaked the patch slightly so that all the background activity gets SYSTEM credential automatically. I think this is less error prone for plugin developers. This change will be in 1.301.

          Code changed in hudson
          User: : kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java
          trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
          trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17390
          Log:
          JENKINS-2324 Added an automatic migration of the data

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: trunk/hudson/main/core/src/main/java/hudson/model/Hudson.java trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java http://fisheye4.cenqua.com/changelog/hudson/?cs=17390 Log: JENKINS-2324 Added an automatic migration of the data

          Code changed in hudson
          User: : kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java
          trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17395
          Log:
          JENKINS-2324 Added an automatic migration of the data

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: trunk/hudson/main/core/src/main/java/hudson/security/AuthorizationMatrixProperty.java trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java http://fisheye4.cenqua.com/changelog/hudson/?cs=17395 Log: JENKINS-2324 Added an automatic migration of the data

          Code changed in hudson
          User: : kohsuke
          Path:
          branches/rc/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          branches/rc/core/src/main/java/hudson/util/VersionNumber.java
          branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17436
          Log:
          bug fix for the auto upgrade handling for JENKINS-2324.

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: branches/rc/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java branches/rc/core/src/main/java/hudson/util/VersionNumber.java branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java http://fisheye4.cenqua.com/changelog/hudson/?cs=17436 Log: bug fix for the auto upgrade handling for JENKINS-2324 .

          Code changed in hudson
          User: : kohsuke
          Path:
          branches/rc/core/src/main/java/hudson/model/Hudson.java
          branches/rc/core/src/main/java/hudson/util/VersionNumber.java
          branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17437
          Log:
          bug fix for the auto upgrade handling for JENKINS-2324.

          SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: branches/rc/core/src/main/java/hudson/model/Hudson.java branches/rc/core/src/main/java/hudson/util/VersionNumber.java branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java http://fisheye4.cenqua.com/changelog/hudson/?cs=17437 Log: bug fix for the auto upgrade handling for JENKINS-2324 .

          mdonohue added a comment -

          See issue 3630 for a different opinion on sending 404 when the user does not
          have read permission

          mdonohue added a comment - See issue 3630 for a different opinion on sending 404 when the user does not have read permission

          nathan nobbe added a comment -

          Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs.

          In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to same LDAP group that worked on global level). Removing the global entry and leaving just the job level configuration users cannot login anymore and get the error '... is missing the read permission'.

          Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.

          nathan nobbe added a comment - Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs. In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to same LDAP group that worked on global level). Removing the global entry and leaving just the job level configuration users cannot login anymore and get the error '... is missing the read permission'. Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.

          Daniel Beck added a comment -

          Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.

          Daniel Beck added a comment - Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.

          Paul P added a comment -

          Just a trivial question ,where would i be putting this patch. Am not sure where to put this patch.please help

          Paul P added a comment - Just a trivial question ,where would i be putting this patch. Am not sure where to put this patch.please help

            adphillips adphillips
            klattenhoff klattenhoff
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: