• 1.0-m11, 1.0-m12, 1.0-pre-beta-1

      We need a way for the frontend to conditionally show UI depending on what permissions the user has.

      For example, the run buttons on https://ci.blueocean.io/blue/organizations/jenkins/blueocean/branches are shown if you are logged out.

      We need a way in the API for the UI to know what actions are available for their permissions.

          [JENKINS-36229] API for UI to honour permissions

          James Dumay added a comment -

          Updated to blocking.


          James Dumay added a comment - - edited

          Can the user:

          • Start runs
          • Stop runs
          • Can create items
          • Is an administrator

          Don't know if handled elsewhere but can we tell if auth is on or off? Logged In vs Logged Out vs Anonymous (no auth)


          Vivek Pandey added a comment -

          jamesdumay

          > Start runs
          > Stop runs

          These two can appear on the pipeline object, as such permissions could be specific to a job/pipeline based on the authorization strategy.

          > Can create items

          Can we be more specific? Did you mean "can create a job/pipeline"?

          > Is an administrator

          > Don't know if handled elsewhere but can we tell if auth is on or off?

          If GET /jwt-auth/token returns 401, auth is turned on.

          > Logged In vs Logged Out vs Anonymous (no auth)

          GET /jwt-auth/token

          Logged In: 200 OK with token in the header
          Logged Out: 401 Unauthorized
          Anonymous: JWT claim 'sub' == 'anonymous' is true
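
          Added example, not part of the comment above or of Blue Ocean's code: one way a client could turn the three outcomes listed for GET /jwt-auth/token into a single state. The names `decodeJwtPayload`, `classifyAuthState` and `makeSampleToken` are hypothetical, and the caller is assumed to have already read the status code and the token string (the thread does not name the header).

```javascript
// Decode the payload segment of a compact JWT (base64url-encoded JSON).
// No signature check happens here: the result only decides what the UI
// displays, and the server still has to authorize every action.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Map the response to 'logged-in', 'logged-out' or 'anonymous'.
// Anything that cannot be parsed fails closed to 'logged-out'.
function classifyAuthState(status, token) {
  if (status === 401) return 'logged-out';
  if (status !== 200) throw new Error('unexpected status ' + status);
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (e) {
    return 'logged-out'; // missing or malformed token
  }
  if (!claims || typeof claims.sub !== 'string' || claims.sub === '') {
    return 'logged-out';
  }
  return claims.sub === 'anonymous' ? 'anonymous' : 'logged-in';
}

// Constructed sample token for the demonstration; the third segment is a
// placeholder, not a real signature.
function makeSampleToken(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed'].join('.');
}

console.log(classifyAuthState(200, makeSampleToken({ sub: 'anonymous' })));
console.log(classifyAuthState(200, makeSampleToken({ sub: 'alice' })));
console.log(classifyAuthState(401, undefined));
```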


          James Dumay added a comment -

          > Can we be more specific? Did you mean "can create a job/pipeline"?

          Yes, has the ability to create jobs.

          > If GET /jwt-auth/token returns 401, auth is turned on.

          If auth is off, does a JWT get issued? I asked because I do not think the UI should need to hit the server to ask that (it will on every page load).


          Vivek Pandey added a comment -

          jamesdumay yes, a JWT gets issued for the anonymous user. I see your point, I think the UI needs to display a Login button if security is turned on. Putting such information in the JWT token is a bit odd though; it's Jenkins config information and there could be more going forward. Perhaps the right place could be in the /organizations/:id API, where it provides organization-level config information. Why does the UI need to load on every page, could it not cache it?


          James Dumay added a comment -

          vivek what about an app config JSON object that gets embedded on window.blueoceanConfig when the index.jelly gets rendered? No round trip required.


          Vivek Pandey added a comment -

          jamesdumay Good idea, we can do that using BluePageDecorator; it will inject the config object on the window element. I think we are doing things like this from some of the plugins anyways.


          James Dumay added a comment -

          Brilliant idea Vivek - now we have a good home for the config of other things too!


          James Dumay added a comment -

          That is, making it extensible.


          Vivek Pandey added a comment -

          jamesdumay I am going to make a first cut of the Jenkins config object in this ticket.


            vivek Vivek Pandey
            jamesdumay James Dumay