-
Improvement
-
Resolution: Unresolved
-
Major
Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees.
Arguably the more natural approach would be for InputStep to define a new permission, "approve flow", which would be checked on the WorkflowRun (can use PermissionScope.RUN). Thus rather than specifying a submitter for a particular step you would just ensure there was an RBAC group defined on the flow job (or its folder, etc.) which granted that permission and included the people you want. Then no reference need be made to any particular AuthorizationStrategy at all; this behavior would just follow from the Jenkins authorization model.
If defined, submitter would still be consulted in case the approving user lacked the new permission. There is a potential compatibility issue in case submitter was not defined; today that means that any user (even anonymous) can approve the flow, whereas we would want the new permission to be enforced. Unfortunately Jenkins offers no way to mark a newly introduced Permission as "granted until explicitly denied", except via system property hacks; see comment in JENKINS-17200. Lacking that, the only option is to break compatibility and say that existing input steps without submitter will now reject random users from approving. The new permission could be implied by, for example, Item.CONFIGURE to minimize the impact—approval by the person who wrote the flow would still be guaranteed to work.
- is related to
-
JENKINS-17200 SCM.TAG permission not eagerly loaded
-
- Open
-
-
-
- Resolved
-
-
-
- Resolved
-
- links to
[JENKINS-27134] Permission for input approval, or choice of Jenkins-specific group as submitter
| Link | New: This issue is related to JENKINS-17200 [ JENKINS-17200 ] |
| Link |
New:
This issue is related to |
| Link |
New:
This issue is duplicated by |
| Link |
New:
This issue is related to |
| Link |
Original:
This issue is duplicated by |
Arguably the more natural approach
The counterargument has been made that you may have a single Pipeline job which needs to ask different groups of people for permission to proceed at different points (multiple input steps), so a per-job permission setting would not suffice. Instead we would need to have an API which an AuthorizationStrategy could use to instruct a given input step on who should be able to submit. TBD what such an API would look like; possibilities include
- an ExtensionPoint for the strategy to specify whether a given user (typically, the current Jenkins.getAuthentication) is a member of a named virtual group (such as a CJE RBAC local group) in a given context (say, the Job); thus you could include a virtual group in the submitters attribute
- an ExtensionPoint for the strategy to specify whether a given Authentication is eligible to approve a given InputStepExecution, allowing it to inspect id, submitters, etc. according to any policy it likes
The first is actually general enough that it might make sense as a core API in AuthorizationStrategy.
| Labels | Original: permissions | New: api permissions |
| Summary | Original: Permission for input approval | New: Permission for input approval, or choice of Jenkins-specific group as submitter |
Would probably subsume
JENKINS-29346.