
Role-based Authorization Strategy not working with sub-folders

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • role-strategy-plugin
    • Jenkins ver. 1.565.2
      CloudBees Folders Plugin 4.6.1
      Role-based Authorization Strategy 2.2.0
      Windows 7

      Using the folder structure below, trying to give a user access to ONLY the contents of FolderA. I'd expect

      .*FolderA.*

      to do that.

      To Reproduce:
      Create this folder structure:
      Folder1/
      Folder1/FolderA/
      Folder1/FolderA/JobA
      Folder1/FolderB/
      Folder1/FolderB/JobB
      Folder1/Job1

      Try these search expressions:

       -> ".*Folder1.*" Works
       -> ".*FolderA.*" Does NOT work
       -> ".*JobA.*" Does NOT work
       -> ".*FolderB.*" Does NOT work
       -> ".*JobB.*" Does NOT work
       -> ".*Job1.*" Does NOT work
      

          [JENKINS-24767] Role-based Authorization Strategy not working with sub-folders

          Oleg Nenashev added a comment -

          Reopened the issue in order to troubleshoot the report from orenault


          Oleg Nenashev added a comment -

          > So it appears impossible to restrain the access to nested folders as we have to put at least a READ right to the root folder, then this READ right inherits to all nested folders and jobs, even the ones we don't want to give a READ right.

          It is possible, but the permission regexp should be properly defined to prevent exposure of the permissions to lower levels.

          > So, do I have to create an issue on this point? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders?

          It is. Just write a regular expression which checks there is only one slash in the path after the folder. Not an ideal solution, of course.


          Oleg Nenashev added a comment -

          I am closing it as "Not a defect" though the plugin documentation would benefit from more examples


          Alexander Krysko added a comment -

          I'm using Jenkins 2.134 with Role-based Authorization Strategy ver. 2.8.1 + Folders Plugin of ver. 6.5.1.
          Structure of Jenkins projects with sub-folder structure:
          Platform1/Project1/Job-1 .. Job-n
          Platform2/Project2/Job-1 .. Job-n
          Platform3/Project3/Job-1 .. Job-n

          I'm struggling with granting Build/Configure access to an Active Directory group only for Platform1/Project1/Job-1 .. Job-n
          without exposing read access to
          Platform2/Project2/Job-1 .. Job-n and others?

          So that when a user from the AD group logs into Jenkins he sees only the project he was given access to.

          When I remove Overall read access in Global Role for group 'users' which is assigned to AD - users do not see what's matched by regexp under Project Roles.

          I'm using the following regular expressions to grant read/edit permissions:
          Platform1/Project1/.*
          Platform2/Project2/.***
          Platform3/Project3/.***

          Platform and Project are case sensitive.

          Daniel Beck added a comment -

          The second comment on this issue explains what you need to do.


          Alexander Krysko added a comment -

          danielbeck, after several tries I got what I needed, thank you.

          Raúl Salinas-Monteagudo added a comment -

          It also cost me a while to find out how to make job folders work. Documentation should be improved.

          It works nicely with: FOLDERNAME(/.*)?

          Which means: the folder name alone, and anything starting with the folder name followed by a slash.

          Ankur added a comment -

          Is there a way I can give access to child folder directly without specifically giving access to Parent folder ?

          I have following structure:

          FolderA -> FolderB -> FolderC -> jobs

          It works fine if I give specific read permissions to Folder A first, then another role for giving read access to Folder B and then another role giving read access to Folder C, which means four roles to get access to jobs.

          Role 1 -> ^FolderA

          Role 2 -> ^FolderA/FolderB

          Role 3 -> ^FolderA/FolderB/FolderC

          Role 4 -> ^FolderA/FolderB/FolderC/.*

          Can the number of roles be reduced somehow by defining a pattern which can give direct access to Folder C , which internally would mean access granted to Folder A and B ?


          tony kerz added a comment -

          piecing together the work of several who have grappled with this before me, i arrived at this for allowing access to something like scratch-parent/scratch-child/*

           

          scratch-parent(/scratch-child(/.*)?)?


          Denis Shvedchenko added a comment - - edited

          ankurja

          I'm using such a pattern in your case:

           ^FolderA|^FolderA/FolderB|^FolderA/FolderB/FolderC|^FolderA/FolderB/FolderC/.*

          But Tony's approach is much better:

           ^FolderA(/FolderB(/FolderC(/.*)?)?)?
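
The patterns from this thread checked against the folder tree in the issue description, as an added example that is not part of the original issue or the plugin's code. It assumes a role pattern must match an item's whole full name (modelled here with `re.fullmatch`) and that an item is only navigable when every ancestor folder is matched too, as the comments above describe; `Folder1/FolderAB` is a constructed sibling, and `granted`, `nested_pattern` and `unreachable` are hypothetical helper names.

```python
import re

# Constructed item full names: the tree from the issue description plus a
# hypothetical sibling "Folder1/FolderAB" to show prefix collisions.
ITEMS = [
    "Folder1",
    "Folder1/FolderA",
    "Folder1/FolderA/JobA",
    "Folder1/FolderAB",
    "Folder1/FolderB",
    "Folder1/FolderB/JobB",
    "Folder1/Job1",
]

def granted(pattern, items=ITEMS):
    """Items a role pattern covers, assuming whole-name matching (not search)."""
    rx = re.compile(pattern)
    return [name for name in items if rx.fullmatch(name)]

def nested_pattern(path):
    """Build the nested-optional form from the thread for a folder path:
    each ancestor alone, the target folder, and everything below it."""
    parts = [re.escape(p) for p in path.split("/")]
    pattern = "(/.*)?"
    for part in reversed(parts[1:]):
        pattern = "(/" + part + pattern + ")?"
    return parts[0] + pattern

def unreachable(pattern, items=ITEMS):
    """Matched items with an unmatched ancestor folder, which a user holding
    only this role could not navigate to (assumption stated in the lead-in)."""
    hit = set(granted(pattern, items))
    out = []
    for name in hit:
        parts = name.split("/")
        ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]
        if any(a not in hit for a in ancestors):
            out.append(name)
    return sorted(out)

if __name__ == "__main__":
    for p in [".*Folder1.*", ".*FolderA.*", "Folder1/FolderA.*",
              nested_pattern("Folder1/FolderA")]:
        print(f"{p!r}\n  grants: {granted(p)}\n  unreachable: {unreachable(p)}")
```

Only the nested form grants the ancestor folder itself without its other children, and it does not leak into the look-alike sibling `Folder1/FolderAB` the way `Folder1/FolderA.*` does.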

            oleg_nenashev Oleg Nenashev
            bobtheshrew Eric Anker