PlaceholderTask.runForDisplay vulnerable to AccessDeniedException

      Resuming build at ... after Jenkins restart
      [Pipeline] End of Pipeline
      java.io.IOException: Failed to load build state
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:610)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:608)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$4$1.run(CpsFlowExecution.java:651)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:35)
      	at ...
      Caused by: org.acegisecurity.AccessDeniedException: Please login to access job ...
      	at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
      	at jenkins.model.Jenkins.getItem(Jenkins.java:324)
      	at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
      	at hudson.model.Run.fromExternalizableId(Run.java:2314)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:385)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getDisplayName(ExecutorStepExecution.java:398)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getFullDisplayName(ExecutorStepExecution.java:407)
      	at org.jenkinsci.plugins.workflow.support.pickles.ExecutorPickle$1.printWaitingMessage(ExecutorPickle.java:116)
      	at org.jenkinsci.plugins.workflow.support.pickles.TryRepeatedly$1.run(TryRepeatedly.java:95)
      	at ...
      

      Presumably there is no anonymous read access, and the Timer thread used by TryRepeatedly neglected to impersonate SYSTEM.

          [JENKINS-42556] PlaceholderTask.runForDisplay vulnerable to AccessDeniedException

          Jesse Glick created issue -
          Jesse Glick made changes -
          Epic Link New: JENKINS-35399 [ 171192 ]

          Jesse Glick added a comment - - edited

          Or rather anonymous DISCOVER access but not READ, an unusual configuration. Reproducible, though see JENKINS-42577 for why reproducing can be tricky.

          Perhaps core should impersonate SYSTEM in Timer threads automatically, since this is hardly the first time such a bug has occurred.

          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-42577 [ JENKINS-42577 ]
          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-42586 [ JENKINS-42586 ]
          Jesse Glick made changes -
          Assignee New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Jesse Glick added a comment -

          After some back and forth I have decided that while TryRepeatedly shares some blame, a fix there does not necessarily suffice, because Queue.Task.getFullDisplayName can be called from other threads.

          Jesse Glick made changes -
          Component/s New: workflow-durable-task-step-plugin [ 21715 ]
          Component/s Original: workflow-support-plugin [ 21719 ]
          Summary Original: TryRepeatedly fails to run as ACL.SYSTEM New: PlaceholderTask.runForDisplay vulnerable to AccessDeniedException
          Jesse Glick made changes -
          Remote Link New: This issue links to "jenkins-test-harness PR 52 (Web Link)" [ 15649 ]
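
The failure in the stack trace and the point made in the last comment, as an added example that is not Jenkins or plugin code: a self-contained Java model in which a timer thread runs as anonymous with DISCOVER but not READ. Every class and method name here is a hypothetical stand-in, and `getItem` only imitates the permission check visible in the trace.

```java
import java.util.concurrent.*;

public class DisplayNameAclDemo {
    enum Auth { SYSTEM, ANONYMOUS }

    // Stand-in for the per-thread security context: a fresh pool thread starts as ANONYMOUS.
    static final ThreadLocal<Auth> CURRENT = ThreadLocal.withInitial(() -> Auth.ANONYMOUS);

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Imitates the lookup in the trace: with READ the job is returned,
    // with DISCOVER but no READ (anonymous here) the lookup throws.
    static String getItem(String name) {
        if (CURRENT.get() == Auth.SYSTEM) return name; // SYSTEM holds every permission
        throw new AccessDenied("Please login to access job " + name);
    }

    // Before: the lookup inherits whatever identity the calling thread happens to have.
    static String displayNameUnsafe(String job) {
        return "part of " + getItem(job);
    }

    // After: impersonate SYSTEM inside the method, so the result does not depend
    // on which thread calls it, then restore the caller's identity.
    static String displayNameSafe(String job) {
        Auth old = CURRENT.get();
        CURRENT.set(Auth.SYSTEM);
        try {
            return "part of " + getItem(job);
        } finally {
            CURRENT.set(old);
        }
    }

    // Runs the call on a separate thread, the way a retry timer would.
    static String onTimer(Callable<String> call) throws Exception {
        ExecutorService timer = Executors.newSingleThreadExecutor();
        try {
            return timer.submit(call).get();
        } catch (ExecutionException x) {
            return "FAILED: " + x.getCause().getMessage();
        } finally {
            timer.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(onTimer(() -> displayNameUnsafe("demo-job")));
        System.out.println(onTimer(() -> displayNameSafe("demo-job")));
    }
}
```

Wrapping only the timer's task in SYSTEM would fix the first call path but leave `displayNameUnsafe` failing for any other anonymous caller, which is why the model scopes the impersonation to the method itself.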
