JENKINS-27055: Slave To Master Access Control needs updating for JENKINS_HOME layout change

      If you look on the wiki describing the Slave To Master Access Control, there is a section on File access rules, where it says:

      <BUILDDIR> can be used as a prefix to match your build record directory, such as /var/lib/jenkins/job/foo/builds/2014-10-17_12-34-56

      However, Jenkins versions after 1.597 have a different home directory structure (see JENKINS-24380). The wiki page for Slave To Master Access Control reflects the old layout.

      Can someone confirm (or otherwise) that the <BUILDDIR> token works in Jenkins both before and after 1.597, and update the wiki accordingly?


          Matthew Webber added a comment -

          The reason I think that there is an issue here, is that ${JENKINS_HOME}/secrets/filepath-filters.d/30-default.conf contains the following:

          # Various plugins read/write files under build directories, so allow them all.
          # - git 1.x writes changelog.xml from the slave (2.x writes from the master so need not be listed)
          # - analysis-core and plugins based on it write reports to workspace-files/
          # - cobertura writes coverage.xml
          # - violations writes violations.xml and other content under violations/
          # - dependency-check writes archive/artifacts.txt
          # But not allowing deletion to prevent data loss and symlink to prevent jailbreaking.
          allow create,mkdirs,read,stat,write <BUILDDIR>/.+

          But, it's not working for me in Jenkins 1.597+ (see JENKINS-27053) - I get
          slave may not mkdirs /exports/jenkins_home/jobs/Controls_TopUp_unittests/builds/439/violations

          Is <BUILDDIR>/.+ correct in newer Jenkins?

          I got the violations plugin to work by adding file secrets/filepath-filters.d/50-gui.conf containing this:

          allow create,mkdirs,read,stat,write <JENKINS_HOME>/jobs/.*

          Matthew Webber added a comment -

          Asking Jesse to comment, since it's related to his original change.

          Daniel Beck added a comment -

          jglick This needs fixing, the pattern for build ID is definitely wrong since the layout change:

          https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java#L43


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java
          test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
          http://jenkins-ci.org/commit/jenkins/20c458d9933b5d25fc472f84ba8dbbf4eae5edee
          Log:
          [FiXED JENKINS-27055] <BUILDID> should now also match numeric build IDs.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java
          test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
          http://jenkins-ci.org/commit/jenkins/e54b19d872317e135c46a415df80651d0de8dbfa
          Log:
          JENKINS-27055 Noting merge of #1621.

          Compare: https://github.com/jenkinsci/jenkins/compare/cfa4b100be1b...e54b19d87231

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4030
          [FiXED JENKINS-27055] <BUILDID> should now also match numeric build IDs. (Revision 20c458d9933b5d25fc472f84ba8dbbf4eae5edee)

          Result = SUCCESS
          jesse glick : 20c458d9933b5d25fc472f84ba8dbbf4eae5edee
          Files :

          • test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
          • core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java

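An added example, not Jenkins code and not part of the original issue: a simplified Python model of how an `allow` rule using `<BUILDDIR>` is matched, showing why a timestamp-only build ID pattern rejects `builds/439` and how the `<JENKINS_HOME>/jobs/.*` workaround compares with the default rule. The token expansions, whole-path matching and default-deny behaviour are assumptions of the model, and the `jobs/foo` paths are constructed.

```python
import re

JENKINS_HOME = "/exports/jenkins_home"  # root taken from the error message in the report

# Assumed build-ID shapes: the wiki's timestamp directory and a plain build number.
TIMESTAMP_ID = r"[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}-[0-9]{2}-[0-9]{2}"
NUMERIC_ID = r"[0-9]+"

DEFAULT_RULE = "allow create,mkdirs,read,stat,write <BUILDDIR>/.+"
WORKAROUND_RULE = "allow create,mkdirs,read,stat,write <JENKINS_HOME>/jobs/.*"

# The first path is from the report; the other two are constructed for the example.
NUMERIC_BUILD = JENKINS_HOME + "/jobs/Controls_TopUp_unittests/builds/439/violations"
TIMESTAMP_BUILD = JENKINS_HOME + "/jobs/foo/builds/2014-10-17_12-34-56/violations"
JOB_CONFIG = JENKINS_HOME + "/jobs/foo/config.xml"


def compile_rule(rule, build_id):
    """Parse 'allow <ops> <pattern>' and expand its tokens into a regex (model only)."""
    verdict, ops, pattern = rule.split(None, 2)
    if verdict != "allow":
        raise ValueError("this model only handles allow rules")
    pattern = pattern.replace("<BUILDDIR>", "<JENKINS_HOME>/jobs/.+/builds/(?:%s)" % build_id)
    pattern = pattern.replace("<JENKINS_HOME>", re.escape(JENKINS_HOME))
    return set(ops.split(",")), re.compile(pattern)


def allowed(rules, op, path):
    """Default deny: an operation passes only if a rule lists it and matches the whole path."""
    return any(op in ops and rx.fullmatch(path) is not None for ops, rx in rules)


def evaluate():
    old = [compile_rule(DEFAULT_RULE, TIMESTAMP_ID)]
    fixed = [compile_rule(DEFAULT_RULE, TIMESTAMP_ID + "|" + NUMERIC_ID)]
    workaround = old + [compile_rule(WORKAROUND_RULE, TIMESTAMP_ID)]
    return {
        "old, timestamp build": allowed(old, "mkdirs", TIMESTAMP_BUILD),
        "old, numeric build": allowed(old, "mkdirs", NUMERIC_BUILD),
        "fixed, numeric build": allowed(fixed, "mkdirs", NUMERIC_BUILD),
        "fixed, delete in build": allowed(fixed, "delete", NUMERIC_BUILD),
        "fixed, job config": allowed(fixed, "write", JOB_CONFIG),
        "workaround, numeric build": allowed(workaround, "mkdirs", NUMERIC_BUILD),
        "workaround, job config": allowed(workaround, "write", JOB_CONFIG),
    }


if __name__ == "__main__":
    for case, verdict in evaluate().items():
        print("%-26s %s" % (case, "allowed" if verdict else "denied"))
```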

            jglick Jesse Glick
            mwebber Matthew Webber