
authenticated team members should have read/build permissions when using Github Committer Authorization Strategy

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • Component: github-oauth-plugin
    • Labels: None
    • Environment: Jenkins v 2.32.3 via jenkins:alpine docker container
      Github Authentication Plugin v 0.25

      I have the github oauth plugin connected to a team at github. I have GitHub Committer Authorization Strategy enabled. Admin users work correctly, but non-admin users receive an "Access Denied foo is missing the Overall/Read permission".

      I do not want to enable Read to All Authenticated Users. I want members of the organization to be able to READ and BUILD, exactly like Github Committer Authorization Strategy describes.


          Andrew Hammond added a comment -

          Sounds like a reasonable solution. Maybe you want to remove the github committer authorization strategy from the code since it is "not very good" and point people at the matrix, which looks like it might be a better all around solution.

          Andrew Hammond added a comment -

          Ok, I added the matrix-auth plugin and now have a working, maybe even elegant solution. Thanks for the pointer!!!

          Chris Williams added a comment -

          I've submitted a PR which I hope addresses this issue, as we run into this ourselves. I'm not 100% certain it covers all the use cases though.

          Specifically I think this fixes when a user is a collaborator on a private repository that they don't own and is owned by an org they're not a member of. If the repo doesn't fall into the "my repository listing" (repos owned by the user or the orgs they belong to) then it loads the repo itself and looks at the admin/push/pull access for that user on that repo.

          https://github.com/jenkinsci/github-oauth-plugin/pull/91

          I think that if the repo is a public repo (regardless of who owns it), then any authenticated user should be able to READ already. This may fix BUILD/CANCEL/other permissions for write/admin collaborators on public repos too.

          Sam Gleske added a comment -

          Closing this issue in favor of JENKINS-27844 to completely overhaul this authorization strategy. Subscribe and vote there so we can track it all in one place.

          Sam Gleske added a comment -

          re-opening since active work is being done in the pull request.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Christopher Williams
          Path:
          src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
          src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
          src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
          src/test/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACLTest.java
          src/test/java/org/jenkinsci/plugins/GithubSecurityRealmTest.java
          http://jenkins-ci.org/commit/github-oauth-plugin/7a4539f8c6f245b83c78b61acb3c94bfe43652b5
          Log:
          JENKINS-42509 authenticated team members should have read/build (#91)

          • JENKINS-42509 authenticated team members should have read/build permissions when using Github Committer Authorization Strategy
            On private repositories of which the user is not an owner, not a member of the owning organization - check for admin/push/pull permissions on the repository to determine permissions on the Jenkins item.
          • Use a cache for loading repositories.
          • Guard against even trying to load repositories unless we have either the "repo" or "public_repo" oauth scopes.
          • Add "repo" to the default set of oauth scopes requested.
          • Add a wrapper POJO for storing GHRepository rights per-user in our cache. Make the repo cache an instance cache since it's specific to a user. Remove a couple unnecessary final designations on method parameters.

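The permission resolution Chris Williams describes in his comment and the cache and scope guard from the commit log above, modelled as an added Python example. This is not the plugin's code: the GitHub API is replaced by a constructed in-memory dictionary, the `Item/Read`, `Item/Build` and `Item/Cancel` permission ids are a constructed subset, and the mapping of `push`/`admin` rights to Build and Cancel is an assumption about how such a strategy would behave, not something the issue states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Jenkins permission ids used in this model (a constructed subset).
READ, BUILD, CANCEL = "Item/Read", "Item/Build", "Item/Cancel"


@dataclass
class Repo:
    """Stand-in for a GitHub repository record (constructed, not GHRepository)."""
    full_name: str                      # "owner/name"
    private: bool
    # Collaborator rights per login, as GitHub reports them: admin | push | pull
    collaborators: Dict[str, str] = field(default_factory=dict)

    @property
    def owner(self) -> str:
        return self.full_name.split("/", 1)[0]


@dataclass
class User:
    login: str
    orgs: Set[str] = field(default_factory=set)     # organisations the user belongs to
    scopes: Set[str] = field(default_factory=set)   # OAuth scopes granted to the token


class RepoRights:
    """Per-user rights resolver with an instance-level cache (one instance per user)."""

    def __init__(self, user: User, github: Dict[str, Repo]):
        self.user = user
        self.github = github                 # constructed stand-in for the GitHub API
        self.api_loads = 0                   # direct repository loads, to show the cache working
        self._cache: Dict[str, Optional[str]] = {}
        # "my repository listing": repos owned by the user or by an org they belong to,
        # fetched once together with the rights GitHub reports for this user.
        self._listing: Dict[str, Optional[str]] = {
            name: repo.collaborators.get(user.login)
            for name, repo in github.items()
            if repo.owner == user.login or repo.owner in user.orgs
        }

    def access_level(self, full_name: str) -> Optional[str]:
        """Return admin/push/pull for the user on the repo, or None if unknown."""
        if full_name not in self._cache:
            self._cache[full_name] = self._resolve(full_name)
        return self._cache[full_name]

    def _resolve(self, full_name: str) -> Optional[str]:
        # Guard from the commit log: without "repo" or "public_repo" scope the token
        # cannot read repository rights, so do not even try to load the repo.
        if not self.user.scopes & {"repo", "public_repo"}:
            return None
        if full_name in self._listing:
            return self._listing[full_name]
        # Not in the listing (e.g. a collaborator on a private repo owned by an org
        # the user is not a member of): load the repo itself and inspect the rights.
        self.api_loads += 1
        repo = self.github.get(full_name)
        return repo.collaborators.get(self.user.login) if repo else None


def jenkins_permissions(rights: RepoRights, full_name: str) -> Set[str]:
    """Map GitHub rights on a repo to Jenkins item permissions (mapping is an assumption)."""
    repo = rights.github.get(full_name)
    if repo is None:
        return set()
    granted: Set[str] = set()
    if not repo.private:
        granted.add(READ)       # public repo: any authenticated user may READ
    level = rights.access_level(full_name)
    if level == "pull":
        granted.add(READ)
    elif level in ("push", "admin"):
        granted |= {READ, BUILD, CANCEL}   # write/admin collaborators may build and cancel
    return granted


# Constructed sample data: three repos, three users with different memberships and scopes.
GITHUB: Dict[str, Repo] = {
    "acme/private-api": Repo("acme/private-api", True, {"alice": "push", "bob": "pull"}),
    "acme/website": Repo("acme/website", False, {"alice": "admin"}),
    "other-org/secret": Repo("other-org/secret", True, {"bob": "push"}),
}
ALICE = User("alice", orgs={"acme"}, scopes={"repo", "user:email"})   # org member
BOB = User("bob", scopes={"repo"})                    # outside collaborator only
CAROL = User("carol", scopes={"user:email"})          # token lacks repo scopes


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        rights = RepoRights(user, GITHUB)
        for name in GITHUB:
            print(f"{user.login:6} {name:18} {sorted(jenkins_permissions(rights, name))}")
        print(f"  direct repo loads for {user.login}: {rights.api_loads}")
```

Running the module prints one row per user and repo. Bob, who is only an outside collaborator, gets Read on the private `acme/private-api` repo and Build/Cancel on `other-org/secret` without belonging to either org, which is the case the PR targets; his second lookup of the same repo is served from the per-user cache rather than a fresh load. Carol's token carries no `repo`/`public_repo` scope, so the resolver never attempts a load and she only keeps the Read that every authenticated user gets on a public repo.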

          Sam Gleske added a comment -

          This has been merged and will be available in the next release.


          Olivier Jacques added a comment -

          Thanks sag47. Do we have an ETA on the next release?

          julien staub added a comment -

          Will this issue be fixed in the future?

          From the description, the GitHub Committer Authorization Strategy is the easiest to use and could cover the needs of many users if it worked correctly.

          Sam Gleske added a comment -

          Closing again since this is a duplicate. Please contribute in JENKINS-27844, which should track any rewriting of this feature. The GitHub authorization strategy needs to be redesigned completely.

            Assignee: Chris Williams (seadub)
            Reporter: Andrew Hammond (ahammond)
            Votes: 3
            Watchers: 8