
[JENKINS-24767] Role-based Authorization Strategy not working with sub-folders

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • Component: role-strategy-plugin
    • Environment: Jenkins ver. 1.565.2
      CloudBees Folders Plugin 4.6.1
      Role-based Authorization Strategy 2.2.0
      Windows 7

      Using the folder structure below, trying to give a user access to ONLY the contents of FolderA. I'd expect

      .*FolderA.*

      to do that.

      To Reproduce:
      Create this folder structure:
      Folder1/
      Folder1/FolderA/
      Folder1/FolderA/JobA
      Folder1/FolderB/
      Folder1/FolderB/JobB
      Folder1/Job1

      Try these search expressions:

       -> ".*Folder1.*" Works
       -> ".*FolderA.*" Does NOT work
       -> ".*JobA.*" Does NOT work
       -> ".*FolderB.*" Does NOT work
       -> ".*JobB.*" Does NOT work
       -> ".*Job1.*" Does NOT work
      


          Daniel Beck added a comment -

          Similar to a file system, you need to provide access to every item in the hierarchy. So Item/Read on Folder1 and any relevant permissions on Folder1/FolderA should do it.

          Eric Anker added a comment -

          Thank you for the speedy response.

          I got what I needed by making 2 roles.
          Folder1View with RegEx: "Folder1" and Job/Read ticked
          Folder1FolderA with RegEx: "Folder1/FolderA.*" and Job/Read + Job/Build ticked

          Eric Anker added a comment -

          Some additional help text somewhere would be welcome. Thanks for your help!

          Olivier Renault added a comment -

          Hi,
          I've got the same need: restrict access to the nested folders.

          But if I apply the same, 2 roles: 1 role for the root folder (Folder1), 1 role for the nested folder (FolderA), I have the following:

          • I can access Folder1/FolderA/JobA: I can build it
          • but I can also access Folder1/FolderB/JobB: I can't build it

          => Due to the first role "Folder1View with RegEx: "Folder1" and Job/Read ticked", all nested folders in Folder1 inherit the READ right.

          => so it is possible to read the content of all nested folders (aka FolderB) and all their content (JobB).

          => if we apply a 3rd role like "Folder1FolderB with RegEx: "Folder1/FolderB.*" and nothing ticked", then this does not delete the READ rights on this FolderB.

          So it appears impossible to restrict the access to nested folders, as we have to put at least a READ right on the root folder, then this READ right is inherited by all nested folders and jobs, even the ones we don't want to give a READ right to.
          So, do I have to create an issue on this point? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders?
          Regards
          Olivier

          Oleg Nenashev added a comment -

          Reopened the issue in order to troubleshoot the report from orenault

          Oleg Nenashev added a comment -

          > So it appears impossible to restrict the access to nested folders, as we have to put at least a READ right on the root folder, then this READ right is inherited by all nested folders and jobs, even the ones we don't want to give a READ right to.

          It is possible, but the permission regexp should be properly defined to prevent exposure of the permissions to lower levels.

          > So, do I have to create an issue on this point? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders?

          It is. Just write a regular expression which checks there is only one slash in the path after the folder. Not an ideal solution, of course.

          Oleg Nenashev added a comment -

          I am closing it as "Not a defect" though the plugin documentation would benefit from more examples

          Alexander Krysko added a comment -

          I'm using Jenkins 2.134 with Role-based Authorization Strategy ver. 2.8.1 + Folders Plugin ver. 6.5.1.
          Structure of Jenkins projects with sub-folder structure:
          Platform1/Project1/Job-1 .. Job-n
          Platform2/Project2/Job-1 .. Job-n
          Platform3/Project3/Job-1 .. Job-n

          I'm struggling with granting Build/Configure access to an Active Directory group only for Platform1/Project1/Job-1 .. Job-n
          without exposing read access to
          Platform2/Project2/Job-1 .. Job-n and others.

          So that when a user from the AD group logs into Jenkins he sees only the project he was given access to.

          When I remove Overall read access in the Global Role for group 'users', which is assigned to AD, users do not see what's matched by the regexp under Project Roles.

          I'm using the following regular expressions to grant read/edit permissions:
          Platform1/Project1/.*
          Platform2/Project2/.*
          Platform3/Project3/.*

          Platform and Project are case sensitive.

          Daniel Beck added a comment -

          The second comment on this issue explains what you need to do.

          Alexander Krysko added a comment -

          danielbeck, after several tries I got what I needed, thank you.

          Raúl Salinas-Monteagudo added a comment -

          It also cost me a while to find out how to make job folders work. Documentation should be improved.

          It works nicely with: FOLDERNAME(/.*)?

          Which means: the folder name alone, and anything starting with the folder name followed by a slash.

          Ankur added a comment -

          Is there a way I can give access to child folder directly without specifically giving access to Parent folder ?

          I have following structure:

          FolderA -> FolderB -> FolderC -> jobs

          It works fine if I give specific read permissions to Folder A first, then another role for giving read access to Folder B and then another role giving read access to Folder C, which means four roles to get access to jobs.

          Role 1 -> ^FolderA

          Role 2 -> ^FolderA/FolderB

          Role 3 -> ^FolderA/FolderB/FolderC

          Role 4 -> ^FolderA/FolderB/FolderC/.*

          Can the number of roles be reduced somehow by defining a pattern which can give direct access to Folder C , which internally would mean access granted to Folder A and B ?

          tony kerz added a comment -

          piecing together the work of several who have grappled with this before me, i arrived at this for allowing access to something like scratch-parent/scratch-child/*


          scratch-parent(/scratch-child(/.*)?)?

          Denis Shvedchenko added a comment - edited

          ankurja

          I'm using such a pattern in your case

          ^FolderA|^FolderA/FolderB|^FolderA/FolderB|FolderC|^FolderA/FolderB/FolderC/.*

          But Tony's approach is much better

          ^FolderA(/FolderB(/FolderC(/.*)?)?)?
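To check a candidate role pattern against the folder tree from the original report before assigning it, here is an added Python model; it is not code from the thread or from the Role Strategy plugin. It assumes the plugin applies each role pattern to the whole item name (full-string match) and applies the rule from Daniel Beck's comment that every ancestor folder must be readable; `build_pattern` generalizes the nested-optional form Tony and Denis arrived at to any folder chain.

```python
import re

# Constructed item tree taken from the original report (full item names as Jenkins shows them).
ITEMS = [
    "Folder1",
    "Folder1/FolderA",
    "Folder1/FolderA/JobA",
    "Folder1/FolderB",
    "Folder1/FolderB/JobB",
    "Folder1/Job1",
]

def build_pattern(chain):
    """Turn a folder chain into the nested-optional pattern from the thread:
    'Folder1/FolderA' -> 'Folder1(/FolderA(/.*)?)?'. Every ancestor matches,
    items outside the chain do not. Segments are escaped for regex metacharacters."""
    segments = [re.escape(s) for s in chain.split("/")]
    tail = "(/.*)?"
    for seg in reversed(segments[1:]):
        tail = "(/" + seg + tail + ")?"
    return segments[0] + tail

def granted(patterns, items=ITEMS):
    """Items whose full name is matched by at least one role pattern.
    Assumption: the plugin applies a role pattern to the whole item name (full match)."""
    compiled = [re.compile(p) for p in patterns]
    return {i for i in items if any(c.fullmatch(i) for c in compiled)}

def reachable(patterns, items=ITEMS):
    """Items the user can actually open: the item itself and every ancestor
    folder must be granted (the rule given in the thread)."""
    g = granted(patterns, items)
    return {n for n in g
            if all("/".join(n.split("/")[:k]) in g for k in range(1, n.count("/") + 2))}

def exposure(patterns, chain, items=ITEMS):
    """Least-privilege check: granted items that are neither an ancestor of
    the intended chain nor inside it. Anything here is an unintended grant."""
    parts = chain.split("/")
    ancestors = {"/".join(parts[:k]) for k in range(1, len(parts) + 1)}
    return {i for i in granted(patterns, items)
            if i not in ancestors and not i.startswith(chain + "/")}

if __name__ == "__main__":
    for pats in ([".*FolderA.*"], [".*Folder1.*"], [build_pattern("Folder1/FolderA")]):
        print(pats, "reachable:", sorted(reachable(pats)),
              "exposed:", sorted(exposure(pats, "Folder1/FolderA")))
```

Note that a trailing `.*` without the slash, as in `Folder1/FolderA.*`, would also match a sibling named `Folder1/FolderAB`; the nested form keeps the slash mandatory before anything below the folder.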

            Assignee: Oleg Nenashev (oleg_nenashev)
            Reporter: Eric Anker (bobtheshrew)
            Votes: 0
            Watchers: 9