[JENKINS-24403] Cannot create jobs for branches under ldap authentication - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Component/s: gitlab-hook-plugin
Labels:
None

Similar Issues:

Show

Description

When the authentication realm is set to ldap plus 'authenticated users can do anything', the plugin is not able to create jobs for branches, giving the error below.

SEVERE: anonymous is missing the Job/Create permission
hudson.security.AccessDeniedException2: anonymous is missing the Job/Create permission

I've tried to mimic the elevated_privilege block on job creation, but I've never get a different message (in particular, no reference to SYSTEM user).

In fact, I guess that elevated_privilege does not work at all with that authentication configuration, because we have full read permisisons, and commenting out the privilege elevation code does not change the plugin behaviour.

Attachments

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Vanja Radovanović added a comment - 2014-10-25 01:25

Hi Javier,
At my dev shop, we use LDAP as well, but we use it with Matrix permission scheme.

I see that https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin has changed the way it has been doing this (I copied their idea).
Now they use ACL.impersonate. See hudson.plugins.git.GitStatus#onNotifyCommit method.

Is this still an issue?
If so, can you try with in GetJenkinsProjects class:

 
    def elevate_priviledges
      ACL.impersonate(ACL.SYSTEM)
    end

    def revert_priviledges(old_authentication_level)
      SecurityContextHolder.setContext(old_authentication_level) if old_authentication_level
    end

I don't have an appropriate LDAP setup I could test on, so if you don't mind testing yourself?
If it works, I'll accept a pull request easily.

Show

Vanja Radovanović added a comment - 2014-10-25 01:25 Hi Javier, At my dev shop, we use LDAP as well, but we use it with Matrix permission scheme. I see that https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin has changed the way it has been doing this (I copied their idea). Now they use ACL.impersonate. See hudson.plugins.git.GitStatus#onNotifyCommit method. Is this still an issue? If so, can you try with in GetJenkinsProjects class: def elevate_priviledges ACL.impersonate(ACL.SYSTEM) end def revert_priviledges(old_authentication_level) SecurityContextHolder.setContext(old_authentication_level) if old_authentication_level end I don't have an appropriate LDAP setup I could test on, so if you don't mind testing yourself? If it works, I'll accept a pull request easily.

Hide

Permalink

Javier Palacios added a comment - 2015-01-19 20:04

I have actually solved the issue, by adding the impersonate method from knuttinatoll. Now our anonymous user has only project read permission, and projects can be created with no problem.

Show

Javier Palacios added a comment - 2015-01-19 20:04 I have actually solved the issue, by adding the impersonate method from knuttinatoll . Now our anonymous user has only project read permission, and projects can be created with no problem.

People

Assignee:: Vanja Radovanović

Reporter:: Javier Palacios

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2014-08-25 09:34

Updated:: 2015-02-21 11:19

Resolved:: 2015-01-19 20:04