JENKINS-24767

Role-based Authorization Strategy not working with sub-folders

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • Component/s: role-strategy-plugin
    • Environment: Jenkins ver. 1.565.2
      CloudBees Folders Plugin 4.6.1
      Role-based Authorization Strategy 2.2.0
      Windows 7

      Using the folder structure below, trying to give a user access to ONLY the contents of FolderA. I'd expect

      .*FolderA.*

      to do that.

      To Reproduce:
      Create this folder structure:
      Folder1/
      Folder1/FolderA/
      Folder1/FolderA/JobA
      Folder1/FolderB/
      Folder1/FolderB/JobB
      Folder1/Job1

      Try these search expressions:

       -> ".*Folder1.*" Works
       -> ".*FolderA.*" Does NOT work
       -> ".*JobA.*" Does NOT work
       -> ".*FolderB.*" Does NOT work
       -> ".*JobB.*" Does NOT work
       -> ".*Job1.*" Does NOT work
      


          Eric Anker created issue -

          Daniel Beck added a comment -

          Similar to a file system, you need to provide access to every item in the hierarchy. So Item/Read on Folder1 and any relevant permissions on Folder1/FolderA should do it.

          Daniel Beck made changes -
          Component/s Original: cloudbees-folder [ 18137 ]
          Assignee Original: Jesse Glick [ jglick ] New: Oleg Nenashev [ oleg_nenashev ]

          Eric Anker added a comment -

          Thank you for the speedy response.

          I got what I needed by making 2 roles.
          Folder1View with RegEx: "Folder1" and Job/Read ticked
          Folder1FolderA with RegEx: "Folder1/FolderA.*" and Job/Read + Job/Build ticked
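
The hierarchy rule from Daniel Beck's comment and the two-role setup above, as an added example that is not part of the original issue and not the plugin's code. It is a model that assumes each role pattern must match an item's whole full name and that an item is reachable only when it and every ancestor folder grant Job/Read; it does not model any inheritance of permissions from parent folders.

```python
import re

# Constructed item tree: the full names from the issue's reproduction steps.
ITEMS = [
    "Folder1",
    "Folder1/FolderA",
    "Folder1/FolderA/JobA",
    "Folder1/FolderB",
    "Folder1/FolderB/JobB",
    "Folder1/Job1",
]

def permissions_on(item, roles):
    """Union of permissions from every role whose pattern matches the whole full name."""
    granted = set()
    for pattern, perms in roles:
        if re.fullmatch(pattern, item):  # assumption: whole-name match, not substring search
            granted |= set(perms)
    return granted

def reachable(item, roles):
    """An item is reachable only if it and every ancestor folder grant Job/Read."""
    parts = item.split("/")
    chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return all("Job/Read" in permissions_on(name, roles) for name in chain)

def effective_access(roles, items=ITEMS):
    """Map each reachable item to the permissions the user holds on it."""
    return {i: permissions_on(i, roles) for i in items if reachable(i, roles)}

# The six single-pattern roles tried in the issue, each granting Job/Read only.
REPORTED = [".*Folder1.*", ".*FolderA.*", ".*JobA.*", ".*FolderB.*", ".*JobB.*", ".*Job1.*"]

def patterns_that_work():
    """Reported patterns under which at least one item is reachable."""
    return [p for p in REPORTED if effective_access([(p, {"Job/Read"})])]

# The two roles from the comment above.
TWO_ROLES = [
    ("Folder1", {"Job/Read"}),
    ("Folder1/FolderA.*", {"Job/Read", "Job/Build"}),
]

if __name__ == "__main__":
    print("working single patterns:", patterns_that_work())
    for name, perms in effective_access(TWO_ROLES).items():
        print(f"{name}: {sorted(perms)}")
```

Running `effective_access` over a planned role set before applying it lists every item the roles would expose under this model, which makes an over-broad pattern such as `.*Folder1.*` visible at a glance.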


          Eric Anker added a comment -

          Some additional help text somewhere would be welcome. Thanks for your help!

          Eric Anker made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

          Olivier Renault added a comment -

          Hi,
          I've got the same need: restrict access to the nested folders.

          But, if I apply the same, 2 roles: 1 role for the root folder (Folder1), 1 role for the nested folder (FolderA), I have the following:

          • I can access Folder1/FolderA/JobA: I can build it
          • but I can also access Folder1/FolderB/JobB: I can't build it

          => Due to the first role "Folder1View with RegEx: "Folder1" and Job/Read ticked", all nested folders in Folder1 inherit the READ right.

          => So it is possible to read the content of all nested folders (aka FolderB) and all its content (JobB).

          => If we apply a 3rd role like "Folder1FolderB with RegEx: "Folder1/FolderB.*" and nothing ticked", then this does not delete the READ rights on this FolderB.

          So it appears impossible to restrict access to nested folders, as we have to put at least a READ right on the root folder, and then this READ right is inherited by all nested folders and jobs, even the ones we don't want to give a READ right.
          So, do I have to create an issue on this point? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders?
          Regards
          Olivier

          Oleg Nenashev made changes -
          Resolution Original: Not A Defect [ 7 ]
          Status Original: Closed [ 6 ] New: Reopened [ 4 ]

          Oleg Nenashev added a comment -

          Reopened the issue in order to troubleshoot the report from orenault


            Assignee: Oleg Nenashev (oleg_nenashev)
            Reporter: Eric Anker (bobtheshrew)