[JENKINS-41632] workspaces are still visible to anyone with READ access

Type: Improvement
Resolution: Fixed
Priority: Minor
Component/s: github-oauth-plugin
Labels:
- git
- plugin
- scm
- security
Environment:
Github OAuth Plugin: 0.25
Jenkins: 2.7.1

Similar Issues:
Powered by SuggestiMate

Show

Workspaces are essentially public to all users that have READ access (global READ access turned on).

So, for example, when a job uses the git SCM plugin to clone the repository into the job workspace, ALL of the code is still visible to ANYONE that has READ access. Is it possible to only allow people of the org that the repo belongs to view that content? Or does global read access for authenticated users have to be turned off?

duplicates

JENKINS-27844 Improve Use Github repository permissions

Open

Sam Gleske added a comment - 2017-02-01 17:57 - edited

The GitHub Committer Authorization strategy needs a complete overhaul in my opinion. I don't use it at all because of challenges I faced around it. I use a Matrix-based authorization strategy. The authorization options are documented in the wiki.

Regarding your question, how I have configured Jenkins is to set up Jenkins much like GitHub. For instance, if you have an organization named jenkinsci in GitHub and a project named github-oauth, then in Jenkins the project is organized with jenkinsci/github-oauth. Use the project-based matrix authorization strategy and you can restrict the jenkinsci folder only to members of the jenkinsci organization.

From there, I essentially created the following GitHub teams:

jenkins-owners (highest privilege) - permission to delete the entire GitHub organization folder and delete any job in the folder. Inherits perms from jenkins-admins and jenkins-developers
jenkins-admins - Update builds with additional information and add/delete views. Fully manage credentials and delete builds from jobs.
jenkins-developers - Execute/Cancel builds. View job configuration (read only). View credentials (read only).

Here's how I set up the permissions for the GitHub organization folder (assuming your organization is jenkinsci with the above described teams):

jenkinsci permissions - Item.Read
jenkinsci*jenkins-owners permissions - Item.Read, Item.Cancel, Item.Delete, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update
jenkinsci*jenkins-admins permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update
jenkinsci*jenkins-developers permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, Run.Update
anonymous - Item.Discover, Item.ViewStatus

I don't give any user the ability to create jobs. That's offloaded to the Job DSL plugin. Folders and permissions are created per organization using Job DSL scripts as well in my install.

Sam Gleske added a comment - 2017-02-01 17:57 - edited The GitHub Committer Authorization strategy needs a complete overhaul in my opinion. I don't use it at all because of challenges I faced around it. I use a Matrix-based authorization strategy. The authorization options are documented in the wiki . Regarding your question, how I have configured Jenkins is to set up Jenkins much like GitHub. For instance, if you have an organization named jenkinsci in GitHub and a project named github-oauth , then in Jenkins the project is organized with jenkinsci/github-oauth . Use the project-based matrix authorization strategy and you can restrict the jenkinsci folder only to members of the jenkinsci organization. From there, I essentially created the following GitHub teams: jenkins-owners (highest privilege) - permission to delete the entire GitHub organization folder and delete any job in the folder. Inherits perms from jenkins-admins and jenkins-developers jenkins-admins - Update builds with additional information and add/delete views. Fully manage credentials and delete builds from jobs. jenkins-developers - Execute/Cancel builds. View job configuration (read only). View credentials (read only). Here's how I set up the permissions for the GitHub organization folder (assuming your organization is jenkinsci with the above described teams): jenkinsci permissions - Item.Read jenkinsci*jenkins-owners permissions - Item.Read, Item.Cancel, Item.Delete, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update jenkinsci*jenkins-admins permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update jenkinsci*jenkins-developers permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, Run.Update anonymous - Item.Discover, Item.ViewStatus I don't give any user the ability to create jobs. That's offloaded to the Job DSL plugin. Folders and permissions are created per organization using Job DSL scripts as well in my install.

Kevin R. added a comment - 2017-02-02 21:38

sag47 thanks for the detailed response, I really appreciate it!

Actually I resolved the issue by adding the REPO OAuth permission. I only wanted collaborators of private repos to view the job in its entirety (workspace is ok in this case).

The issue now is that the plugin seems to be caching requests. So when OAuth scopes change, we had to wait a while before jobs were showing up.
Is there any way to disable that cache so that we can see the changes immediately? We're using enterprise so rate limits aren't an issue.
I tried setting cache size to 0MB in the global Github config...but that didn't seem to work.

Kevin R. added a comment - 2017-02-02 21:38 sag47 thanks for the detailed response, I really appreciate it! Actually I resolved the issue by adding the REPO OAuth permission. I only wanted collaborators of private repos to view the job in its entirety (workspace is ok in this case). The issue now is that the plugin seems to be caching requests. So when OAuth scopes change, we had to wait a while before jobs were showing up. Is there any way to disable that cache so that we can see the changes immediately? We're using enterprise so rate limits aren't an issue. I tried setting cache size to 0MB in the global Github config...but that didn't seem to work.

Sam Gleske added a comment - 2017-12-07 05:52

chr0n1x I recommend closing this issue and opening a new issue for disabling caching as an enhancement. Caching in this plugin should probably be only disabled via JVM property and not an option in the web UI.

Sam Gleske added a comment - 2017-12-07 05:52 chr0n1x I recommend closing this issue and opening a new issue for disabling caching as an enhancement. Caching in this plugin should probably be only disabled via JVM property and not an option in the web UI.

Sam Gleske added a comment - 2017-12-07 05:58

Closing this issue in favor of JENKINS-27844 to completely overhaul the GitHub committer authorization strategy. Subscribe and vote there so we can track it all in one place.

Sam Gleske added a comment - 2017-12-07 05:58 Closing this issue in favor of JENKINS-27844 to completely overhaul the GitHub committer authorization strategy. Subscribe and vote there so we can track it all in one place.

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Sam Gleske added a comment - 2017-02-01 17:57, Edited by Sam Gleske - 2017-02-01 18:18

Expand comment: Sam Gleske added a comment - 2017-02-01 17:57, Edited by Sam Gleske - 2017-02-01 18:18

Collapse comment: Kevin R. added a comment - 2017-02-02 21:38

Expand comment: Kevin R. added a comment - 2017-02-02 21:38

Collapse comment: Sam Gleske added a comment - 2017-12-07 05:52

Expand comment: Sam Gleske added a comment - 2017-12-07 05:52

Collapse comment: Sam Gleske added a comment - 2017-12-07 05:58

Expand comment: Sam Gleske added a comment - 2017-12-07 05:58

People

Dates