-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
Jenkins v 2.32.3 via jenkins:alpine docker container
Github Authentication Plugin v 0.25
I have github oauth plugin connected to a team at github. I have GitHub Committer Authorization Strategy enabled. Admin users work correctly, but non-admin users receive a "Access Denied foo is missing the Overall/Read permission"
I do not want to enable Read to All Authenticated Users. I want members of the organization to be able to READ and BUILD, exactly like Github Committer Authorization Strategy describes.
- duplicates
-
JENKINS-27844 Improve Use Github repository permissions
-
- Open
-
[JENKINS-42509] authenticated team members should have read/build permissions when using Github Committer Authorization Strategy
Andrew Hammond
created issue -
Andrew Hammond
added a comment - Nope, switching a user between public and private has no effect. 
Sam Gleske
added a comment - Hi Andrew, the GitHub committer authorization strategy is not very good. I personally don't use it at all. I use matrix authentication based strategies instead (I updated the wiki to document them). Other than that, there's a definite need to overhaul the GitHub committer based authorization strategy.
You're welcome to contribute a fix. I'm currently looking to the matrix authorization plugin to possibly support authorization akin to it. I'd prefer a user to define what permissions a Jenkins user would have via a matrix based on their role in the repository and organization.
Sam Gleske
added a comment - Hi Andrew, the GitHub committer authorization strategy is not very good. I personally don't use it at all. I use matrix authentication based strategies instead (I updated the wiki to document them). Other than that, there's a definite need to overhaul the GitHub committer based authorization strategy.
You're welcome to contribute a fix. I'm currently looking to the matrix authorization plugin to possibly support authorization akin to it. I'd prefer a user to define what permissions a Jenkins user would have via a matrix based on their role in the repository and organization. Andrew Hammond
added a comment - Sounds like a reasonable solution. Maybe you want to remove the github committer authorization strategy from the code since it is "not very good" and point people at the matrix, which looks like it might be a better all around solution.
Andrew Hammond
added a comment - Sounds like a reasonable solution. Maybe you want to remove the github committer authorization strategy from the code since it is "not very good" and point people at the matrix, which looks like it might be a better all around solution. Andrew Hammond
added a comment - Ok, I added matrix-auth plugin and now have a working, maybe even elegant solution. Thanks for the pointer!!!
Andrew Hammond
added a comment - Ok, I added matrix-auth plugin and now have a working, maybe even elegant solution. Thanks for the pointer!!! 
Chris Williams
added a comment - I've submitted a PR which I hope addresses this issue - as we run into this ourselves. I'm not 100% certain it covers all the use cases though.
Specifically I think this fixes when a user is a collaborator on a private repository that they don't own and is owned by an org they're not a member of. If the repo doesn't fall into the "my repository listing" (repos owned by the user or the orgs they belong to) then it loads the repo itself and looks at the admin/push/pull access for that user on that repo.
https://github.com/jenkinsci/github-oauth-plugin/pull/91
I think that if the repo is a public repo (regardless of who owns it), then any authenticated user should be able to READ already. This may fix BUILD/CANCEL/other permissions for write/admin collaborators on public repos too.
Chris Williams
added a comment - I've submitted a PR which I hope addresses this issue - as we run into this ourselves. I'm not 100% certain it covers all the use cases though.
Specifically I think this fixes when a user is a collaborator on a private repository that they don't own and is owned by an org they're not a member of. If the repo doesn't fall into the "my repository listing" (repos owned by the user or the orgs they belong to) then it loads the repo itself and looks at the admin/push/pull access for that user on that repo.
https://github.com/jenkinsci/github-oauth-plugin/pull/91
I think that if the repo is a public repo (regardless of who owns it), then any authenticated user should be able to READ already. This may fix BUILD/CANCEL/other permissions for write/admin collaborators on public repos too. Sam Gleske
added a comment - Closing this issue in favor of JENKINS-27844 to completely overhaul this authorization strategy. Subscribe and vote there so we can track it all in one place.
Sam Gleske
added a comment - Closing this issue in favor of JENKINS-27844 to completely overhaul this authorization strategy. Subscribe and vote there so we can track it all in one place. Sam Gleske
made changes -
| Link | New: This issue duplicates JENKINS-27844 [ JENKINS-27844 ] |
Sam Gleske
made changes -
| Resolution | New: Duplicate [ 3 ] | |
| Status | Original: Open [ 1 ] | New: Closed [ 6 ] |
I found the following snippet of docs related to matrix based authentication:
"organization - give permissions to every user that belongs to a specific GitHub organization. You have to be a public member of the organization for the authorization to work correctly."
Does this mean that team members will have to be public members of the organization in order to have access?