
Feature - Set read permission by project for project-based security

    • Type: Patch
    • Resolution: Fixed
    • Priority: Critical
    • _unsorted
    • None
    • Platform: All, OS: All

      We'd like to use hudson for different projects with different team members,
      which only should see the projects in which they work, not all projects.

      We use the user directory from hudson itself and the "Project-based Matrix
      Authorization Strategy"...

          [JENKINS-2324] Feature - Set read permission by project for project-based security

          klattenhoff created issue -

          adphillips added a comment -

          I am implementing READ permission at the job level.
          When this is done, a user that lacks the READ permission for a particular job
          will not:

          • see that job in any view
          • be able to access the job page directly
          • see any reference to the job (for instance in upstream or downstream dependencies)

          There is a related forum post where I am looking for feedback on what ACLs to
          use: http://www.nabble.com/Read-permission-on-Jobs-td20650539.html

          adphillips made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          adphillips added a comment -

          Reassigned issue to myself

          adphillips made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]

          adphillips added a comment -

          fix in progress, waiting on feedback on what to do about SYSTEM authentication.
          See this thread: http://www.nabble.com/SYSTEM-authentication-td20988049.html

          adphillips made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          adphillips added a comment -

          Created an attachment (id=477)
          READ permissions patch


          adphillips added a comment -

          See attached patch file...

          This patch provides the ability to hide jobs from the view of certain users
          (including anonymous). The Configure System page in Manage Hudson now will
          display a READ permission under the Job heading. If not checked, the user
          will be denied access to the job in the following ways:

          • the job will not be visible in any views
          • upstream and downstream dependencies referencing this job will be hidden
          • the job will not be accessible by a direct URL reference (404 will occur)
          • if the job is scheduled to be built, it will show up as "Unknown Task" in the
            build queue
          • the job will also show as "Unknown Task" in the Build Executor when the job is
            building

          Files Changed:

          Set authentication to SYSTEM in the following processes:

          • WebAppMain "hudson initialization thread"
          • Hudson constructor
          • Trigger.Cron threads

          AbstractProject.java:

          • Updated deprecated permissions checks

          Hudson.java:

          • retrieval of Items is now access controlled. Only readable items are returned.

          Item.java:

          • added READ permission object

          GlobalMatrixAuthorizationStrategy.java:

          • removed unused private method readResolve. It appears this is a left-over
            from an old ACL implementation

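A minimal model of the behaviour described in the patch comment above, as an added example that is not the attached patch or Hudson's own code. Every class, method and job name is hypothetical and the permission table is constructed; it shows the filtered listing, the 404 on direct access, the masked queue label, and why threads that run without a user need the SYSTEM identity once listing is filtered.

```java
import java.util.*;
import java.util.function.Supplier;
import java.util.stream.Collectors;

// Toy model, not Hudson's classes: every name here is hypothetical.
public class JobReadAcl {
    static final String SYSTEM = "SYSTEM"; // identity used by internal threads
    static final ThreadLocal<String> CURRENT = ThreadLocal.withInitial(() -> "anonymous");
    // job name -> users granted READ on that job (constructed sample data)
    static final Map<String, Set<String>> READERS = new LinkedHashMap<>();
    static {
        READERS.put("payroll-build", Set.of("alice"));
        READERS.put("website-build", Set.of("alice", "bob", "anonymous"));
    }

    static boolean canRead(String job) {
        String user = CURRENT.get();
        return SYSTEM.equals(user) || READERS.getOrDefault(job, Set.of()).contains(user);
    }

    // Listing: unreadable jobs are filtered out, so no view can show them.
    static List<String> getItems() {
        return READERS.keySet().stream().filter(JobReadAcl::canRead).collect(Collectors.toList());
    }

    // Direct URL: a hidden job and a missing job both yield 404, so the
    // response does not confirm that the job exists.
    static int statusFor(String job) {
        return READERS.containsKey(job) && canRead(job) ? 200 : 404;
    }

    // Queue and executor entries keep their slot but lose the job name.
    static String queueLabel(String job) {
        return canRead(job) ? job : "Unknown Task";
    }

    // Background work (for example a cron trigger) runs as SYSTEM, then
    // restores the previous identity even if the body throws.
    static <T> T asSystem(Supplier<T> body) {
        String previous = CURRENT.get();
        CURRENT.set(SYSTEM);
        try { return body.get(); } finally { CURRENT.set(previous); }
    }

    public static void main(String[] args) {
        CURRENT.set("bob");
        System.out.println(getItems());
        System.out.println(statusFor("payroll-build") + " " + queueLabel("payroll-build"));
        System.out.println(asSystem(JobReadAcl::getItems));
    }
}
```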

          adphillips added a comment -

          changing issue type to PATCH


            Assignee: adphillips
            Reporter: klattenhoff