Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-29638

Build promotion will allow running of a job a user doesn't have permission to start

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: promoted-builds-plugin
    • Labels:
    • Environment:
      Jenkins 1.609.1, promoted builds 2.21, Matrix Authorization Strategy 1.2, Parameterized Trigger 2.27, CloudBees Folders 4.9
    • Similar Issues:

      Description

      I have two jobs, Folder/job1 and Folder/job2. A promotion process is defined on Folder/job1 which requires manual approval by User; the promotion process specifies 'Trigger/call builds on other projects' to run Folder/job2 with the 'block until finished' option selected.

      User is a global administrator with all permissions granted, but Folder/job2 has project-based security which overrides the global matrix and specifies that User does not have the 'build' permission, i.e. the checkbox is clear. When visiting the job page for Folder/job2, User is not given an option to build. However, if User clicks the promote button on Folder/job1, Folder/job2 builds.

      I think that in this scenario the promotion process should fail.

        Attachments

          Activity

          Hide
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Mark Waite
          Path:
          src/main/java/hudson/plugins/git/GitTool.java
          http://jenkins-ci.org/commit/git-client-plugin/128428c78f9e57e340401c8af2a503f05adf4cc2
          Log:
          [Fix JENKINS-29638] Remove distracting warning about invalid gitTool

          Warning removal simplifies log file, code behavior unchanged

          Show
          scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Mark Waite Path: src/main/java/hudson/plugins/git/GitTool.java http://jenkins-ci.org/commit/git-client-plugin/128428c78f9e57e340401c8af2a503f05adf4cc2 Log: [Fix JENKINS-29638] Remove distracting warning about invalid gitTool Warning removal simplifies log file, code behavior unchanged
          Hide
          danielbeck Daniel Beck added a comment -

          Is this not actually an issue in Parameterized Trigger plugin? The same issue should occur when it's simply a build step in a normal freestyle project, without promoted builds.

          Show
          danielbeck Daniel Beck added a comment - Is this not actually an issue in Parameterized Trigger plugin? The same issue should occur when it's simply a build step in a normal freestyle project, without promoted builds.
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Probably promoted-builds plugin needs to be integrated with QueueItemAuthenticator extension in Jenkins core, which has been integrated into parameterized trigger (JENKINS-16956). I have not tested if such integration works now (depends on Authorize project implementation).

          BTW QueueItemAuthenticator does not change the default behavior.

          Show
          oleg_nenashev Oleg Nenashev added a comment - Probably promoted-builds plugin needs to be integrated with QueueItemAuthenticator extension in Jenkins core, which has been integrated into parameterized trigger ( JENKINS-16956 ). I have not tested if such integration works now (depends on Authorize project implementation). BTW QueueItemAuthenticator does not change the default behavior.
          Hide
          tsukenobi olivier olivier added a comment -

          I'v got the same behaviour, permission are by-pass when using biuld("job2" ) in pipeline ( without using promotion builb) an issue is open for my case, it's very annoying because we need a strong isolation between jobs. https://issues.jenkins-ci.org/browse/JENKINS-43026

          Show
          tsukenobi olivier olivier added a comment - I'v got the same behaviour, permission are by-pass when using biuld("job2" ) in pipeline ( without using promotion builb) an issue is open for my case, it's very annoying because we need a strong isolation between jobs. https://issues.jenkins-ci.org/browse/JENKINS-43026

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            wsaxon Will Saxon
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated: