  1. Jenkins
  2. JENKINS-24403

Cannot create jobs for branches under ldap authentication

      Description

      When the authentication realm is set to LDAP plus 'authenticated users can do anything', the plugin is not able to create jobs for branches, giving the error below.

      SEVERE: anonymous is missing the Job/Create permission
      hudson.security.AccessDeniedException2: anonymous is missing the Job/Create permission
      

      I've tried to mimic the elevated_privilege block on job creation, but I never get a different message (in particular, no reference to the SYSTEM user).

      In fact, I guess that elevated_privilege does not work at all with that authentication configuration, because we have full read permissions, and commenting out the privilege elevation code does not change the plugin behaviour.

          elvanja Vanja Radovanović added a comment -

          Hi Javier,
          At my dev shop, we use LDAP as well, but we use it with Matrix permission scheme.

          I see that https://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin has changed the way it has been doing this (I copied their idea).
          Now they use ACL.impersonate. See hudson.plugins.git.GitStatus#onNotifyCommit method.

          Is this still an issue?
          If so, can you try with this in the GetJenkinsProjects class:

           
              def elevate_priviledges
                ACL.impersonate(ACL.SYSTEM)
              end
          
              def revert_priviledges(old_authentication_level)
                SecurityContextHolder.setContext(old_authentication_level) if old_authentication_level
              end
          

          I don't have an appropriate LDAP setup I could test on, so if you don't mind testing yourself?
          If it works, I'll accept a pull request easily.

          javiplx Javier Palacios added a comment -

          I have actually solved the issue, by adding the impersonate method from knuttinatoll. Now our anonymous user has only project read permission, and projects can be created with no problem.
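
The elevate/revert pair discussed in this thread, as an added example that is not code from the thread or from the plugin: a scoped wrapper that restores the previous identity in an `ensure` block, so a failed job creation cannot leave the thread running as SYSTEM. `SecurityContext`, `JobStore` and `with_system_privileges` are stand-ins assumed for illustration; they are not Jenkins classes.

```ruby
# Stand-ins for Jenkins' security objects (assumptions, not the real API).
ANONYMOUS = :anonymous
SYSTEM    = :SYSTEM

class AccessDenied < StandardError; end

# Per-thread authentication, modelled on how a security context holder works.
module SecurityContext
  def self.current
    Thread.current[:auth] || ANONYMOUS
  end

  # Switch identity and return the previous one so the caller can restore it.
  def self.impersonate(auth)
    old = current
    Thread.current[:auth] = auth
    old
  end

  def self.restore(old)
    Thread.current[:auth] = old
  end
end

# Hypothetical job store that enforces Job/Create like the error in the report.
class JobStore
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def create(name)
    unless SecurityContext.current == SYSTEM
      raise AccessDenied, "#{SecurityContext.current} is missing the Job/Create permission"
    end
    raise ArgumentError, "job already exists: #{name}" if @jobs.include?(name)
    @jobs << name
  end
end

# Scoped elevation: the previous identity is restored even if the block raises.
def with_system_privileges
  old = SecurityContext.impersonate(SYSTEM)
  yield
ensure
  SecurityContext.restore(old)
end
```

Keeping the elevated block as small as possible (only the job-creation call) limits what runs with SYSTEM rights.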


            People

            Assignee:
            elvanja Vanja Radovanović
            Reporter:
            javiplx Javier Palacios