
Jenkins's security is not applied for IM user

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Environment: Jenkins 1.581, instant-messaging plugin 1.30

      In Global authorization matrix (https://ci.gfi.fr/jenkins/configureSecurity/), the "Authorization" option is "Project-based Matrix Authorization Strategy":
      "jenkins-im" user has all authorizations, and is the one I've mapped to the "Jenkins Username" parameter of "instant-messaging plugin".

      I have a user with no rights at all in Jenkins but allowed to connect to the conference used by "jenkins-im".

      This user can send any bot commands and this is really weird. The same is true for a registered jenkins user having only read/view rights. If he can only see builds using the Web/REST/CLI interfaces, this plugin acts like a "sudo".

      "Jenkins Username" parameter of "instant-messaging plugin" should be removed or merged with the rights of connected IM user. The Jenkins user corresponding to the author of the bot command must be used.
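The report above describes a confused-deputy problem: the bot authorizes every command as one configured "Jenkins Username" with full rights, so the IM sender's own rights are never consulted. The following is an added illustration, not the instant-messaging plugin's code; the permission names, the `IM_TO_JENKINS` mapping, the `COMMANDS` table and the `Project` class are all constructed for the example. It contrasts the flawed dispatch (`dispatch_fixed_account`) with a dispatch that resolves the sender to a Jenkins account and authorizes as that user (`dispatch_as_author`), with unmapped senders treated as anonymous. It also models the project-based matrix with the "Block inheritance of global authorization matrix" setting mentioned in the original description, so the same check works whether rights come from the global matrix or from the project's own.

```python
"""Hypothetical model of the authorization flaw in JENKINS-24902.

Constructed for illustration; this is not the instant-messaging plugin's code.
The bot receives commands from IM users.  The flawed design runs every
command under one fixed Jenkins account ("Jenkins Username"); the fix
authorizes each command as the Jenkins user behind the IM sender.
"""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    READ = "Job/Read"
    BUILD = "Job/Build"
    CANCEL = "Job/Cancel"


# Constructed global authorization matrix: Jenkins account -> permissions.
GLOBAL_MATRIX = {
    "jenkins-im": {Permission.READ, Permission.BUILD, Permission.CANCEL},
    "fdaugan": {Permission.READ},      # read/view only
    "anonymous": set(),                 # no rights at all
}

# Constructed mapping of IM nicknames to Jenkins accounts.  Anyone not
# listed is treated as anonymous rather than given the bot's rights.
IM_TO_JENKINS = {"fdaugan": "fdaugan"}

# Bot commands and the Jenkins permission each requires (hypothetical table).
COMMANDS = {
    "!h": Permission.READ,        # health of all projects
    "!build": Permission.BUILD,
    "!abort": Permission.CANCEL,
}


@dataclass
class Project:
    """A job with an optional project-based matrix, mirroring the
    'Enable project-based security' / 'Block inheritance' settings."""
    name: str
    project_matrix: dict = field(default_factory=dict)
    block_inheritance: bool = False

    def effective_permissions(self, user: str) -> set:
        # Project entries always apply; global entries only unless blocked.
        perms = set(self.project_matrix.get(user, set()))
        if not self.block_inheritance:
            perms |= GLOBAL_MATRIX.get(user, set())
        return perms


def resolve_author(sender: str) -> str:
    """Map an IM sender to a Jenkins account, defaulting to anonymous."""
    return IM_TO_JENKINS.get(sender, "anonymous")


def required_permission(command: str) -> Permission:
    if command not in COMMANDS:
        raise ValueError(f"unknown bot command: {command}")
    return COMMANDS[command]


def dispatch_fixed_account(project: Project, sender: str, command: str,
                           bot_account: str = "jenkins-im") -> bool:
    """Flawed behaviour: the command is authorized as the configured
    'Jenkins Username', so the sender's own rights are never consulted."""
    del sender  # deliberately ignored: this is the bug being reported
    return required_permission(command) in project.effective_permissions(bot_account)


def dispatch_as_author(project: Project, sender: str, command: str) -> bool:
    """Hardened behaviour: authorize as the Jenkins user behind the sender."""
    user = resolve_author(sender)
    return required_permission(command) in project.effective_permissions(user)


if __name__ == "__main__":
    forge = Project("Forge")
    for sender, cmd in [("stranger", "!build"), ("fdaugan", "!h"), ("fdaugan", "!build")]:
        print(f"{sender:>9} {cmd:<7} fixed-account={dispatch_fixed_account(forge, sender, cmd)}"
              f"  as-author={dispatch_as_author(forge, sender, cmd)}")
```

Running the block prints one line per case: with the fixed account an unmapped sender can trigger `!build`, while authorizing as the author denies it and leaves the read-only user with `!h` only. The design point is that the bot's own service account should never be the subject of the permission check; only the identity of whoever typed the command should be.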


          Fabrice Daugan created issue -
          Fabrice Daugan made changes -
          Description Original: In Global authorization matrix (https://ci.gfi.fr/jenkins/configureSecurity/), the "Authorization" option is "Project-based Matrix Authorization Strategy".

          I have a user with all rights in the security matrix.
          In the tested project, "Enable project-based security" is checked, no authorization is provided and "Block inheritance of global authorization matrix" is unchecked.

          This user can do everything from the UI in Jenkins, CLI, REST, ..., but nothing with "instant-messaging plugin":
          Adding this user to the project's security resolves this issue, but I have many users and groups in this situation.

          Before the workaround:
          (8:41:17 PM) fdaugan: !h
          (8:41:17 PM) Jenkins CI: fdaugan: no job found

          After explicitly adding the user in the project's security scope:
          (8:42:26 PM) fdaugan: !h
          (8:42:26 PM) Jenkins CI: health of all projects:
          Forge: Health [Build stability: 1 out of the last 5 builds failed.(80%), Test Result: 0 tests failing out of a total of 2 tests.(100%): https://xx/jenkins/job/xx/398/
          New: (the current description above)
          Priority Original: Major [ 3 ] New: Critical [ 2 ]
          Summary Original: Global authorization matrix should not be ignored New: Jenkins's security is not applied for IM user
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 158540 ] New: JNJira + In-Review [ 179749 ]
          Jim Klimov made changes -
          Link New: This issue relates to JENKINS-58925 [ JENKINS-58925 ]

            Assignee: kutzi
            Reporter: Fabrice Daugan (fabdouglas)
            Votes: 0
            Watchers: 2