JENKINS-42707

ReverseBuildTrigger can throw AccessDeniedException

    • Bug
    • Resolution: Fixed
    • Major
    • core
    • Jenkins 2.32.3

      Noticed in the console logs of an upstream job:

      Notifying upstream projects of job completion 
      FATAL: Please login to access job upstream 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404) 
      Notifying upstream projects of job completion 
      FATAL: Please login to access job <foldername> 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404)
      

      ReverseBuildTrigger.shouldTrigger should be impersonating SYSTEM.

      This seems to happen because the anonymous user has Overall/Read and Item/Discover permission. The workaround is to remove the Item/Discover permission for the anonymous user.
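The behaviour described in the report, as an added illustration that is not Jenkins code: a self-contained model in which a lookup returns the item when the caller has READ, throws when the caller has only DISCOVER, and returns null when the caller has neither. All class and method names are hypothetical; the guarded check shows one way to treat "discoverable but unreadable" as "not authorized" instead of failing the upstream build.

```java
import java.util.*;

// Simplified model, not Jenkins code: every name here is hypothetical.
public class DiscoverLookupModel {
    enum Perm { READ, DISCOVER }

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Item name -> permissions the calling identity holds on that item.
    private final Map<String, Set<Perm>> acl = new HashMap<>();

    void grant(String item, Perm... perms) {
        Set<Perm> held = EnumSet.noneOf(Perm.class);
        held.addAll(Arrays.asList(perms));
        acl.put(item, held);
    }

    // Three outcomes: READ -> item, DISCOVER only -> exception, neither -> null.
    String getItem(String name) {
        Set<Perm> held = acl.get(name);
        if (held == null) return null;                 // no such item
        if (held.contains(Perm.READ)) return name;
        if (held.contains(Perm.DISCOVER)) {
            throw new AccessDenied("Please login to access job " + name);
        }
        return null;                                   // item is hidden from the caller
    }

    // Trigger decision that does not let the lookup exception escape to the caller.
    boolean shouldTrigger(String upstream) {
        try {
            return getItem(upstream) != null;
        } catch (AccessDenied e) {
            return false;                              // discoverable but not readable
        }
    }

    public static void main(String[] args) {
        DiscoverLookupModel anonymous = new DiscoverLookupModel();
        anonymous.grant("upstream", Perm.DISCOVER);    // configuration from the report
        try {
            anonymous.getItem("upstream");
        } catch (AccessDenied e) {
            System.out.println("unguarded lookup: " + e.getMessage());
        }
        System.out.println("guarded check: " + anonymous.shouldTrigger("upstream"));
        anonymous.grant("upstream");                   // workaround: Discover removed
        System.out.println("after workaround: " + anonymous.getItem("upstream"));
    }
}
```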


          Daniel Beck added a comment -

          Does the fix for JENKINS-42556 take care of this?


          Jesse Glick added a comment -

          Doubtful. This is an Executor thread, which should not have been affected by that fix.


          Code changed in jenkins
          User: Allan Burdajewicz
          Path:
          core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
          test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
          http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571
          Log:
          JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

          • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
          • JENKINS-42707 Added tests to expose the issue
          • JENKINS-42707 Log message according to permission (DISCOVER/READ)
          • JENKINS-42707 Use MockAuthorizationStrategy
          • JENKINS-42707 Remove internationalization for logger

          Code changed in jenkins
          User: Allan Burdajewicz
          Path:
          core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
          test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
          http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e
          Log:
          JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

          • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
          • JENKINS-42707 Added tests to expose the issue
          • JENKINS-42707 Log message according to permission (DISCOVER/READ)
          • JENKINS-42707 Use MockAuthorizationStrategy
          • JENKINS-42707 Remove internationalization for logger

          (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)

            allan_burdajewicz Allan BURDAJEWICZ