  1. Jenkins
  2. JENKINS-42707

ReverseBuildTrigger can throw AccessDeniedException


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • core
    • Jenkins 2.32.3

    Description

      Noticed in the console logs of an upstream job:

      Notifying upstream projects of job completion 
      FATAL: Please login to access job upstream 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404) 
      Notifying upstream projects of job completion 
      FATAL: Please login to access job <foldername> 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404)
      

      ReverseBuildTrigger.shouldTrigger should be impersonating SYSTEM.

      This seems to happen because the anonymous user has Overall/Read and Item/Discover permission. The workaround is to remove the Item/Discover permission for the anonymous user.
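The lookup behaviour behind the trace and the workaround, as an added stand-alone Java model (not Jenkins code and not the change that was committed for this issue). It assumes the three-way result of `getItem` from the exception message and the permissions named in the description; every class and method name other than `getItem` is hypothetical.

```java
import java.util.EnumSet;
import java.util.Set;

// Stand-alone model constructed for illustration; none of this is Jenkins code.
public class ReverseTriggerLookupModel {
    enum Perm { READ, DISCOVER }
    static final Set<Perm> SYSTEM = EnumSet.allOf(Perm.class);

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Lookup under the caller's identity: READ returns the item, DISCOVER
    // without READ raises (the FATAL in the log), neither returns null.
    static String getItem(String name, Set<Perm> caller) {
        if (caller.contains(Perm.READ)) return name;
        if (caller.contains(Perm.DISCOVER))
            throw new AccessDenied("Please login to access job " + name);
        return null;
    }

    // Failing shape: the lookup runs as the build's identity and the
    // caller only expects null for "not visible".
    static boolean shouldTriggerAsCaller(String job, Set<Perm> buildAuth) {
        return getItem(job, buildAuth) != null;
    }

    // Suggested shape: resolve the item as SYSTEM so the lookup cannot raise,
    // then check the build identity's READ explicitly so authorization holds.
    static boolean shouldTriggerAsSystem(String job, Set<Perm> buildAuth) {
        String item = getItem(job, SYSTEM);
        return item != null && buildAuth.contains(Perm.READ);
    }

    public static void main(String[] args) {
        Set<Perm> reported = EnumSet.of(Perm.DISCOVER);    // anonymous: Item/Discover only
        Set<Perm> workaround = EnumSet.noneOf(Perm.class); // Item/Discover removed
        try {
            shouldTriggerAsCaller("upstream", reported);   // constructed job name
        } catch (AccessDenied e) {
            System.out.println("FATAL: " + e.getMessage());
        }
        System.out.println(shouldTriggerAsCaller("upstream", workaround));
        System.out.println(shouldTriggerAsSystem("upstream", reported));
        System.out.println(shouldTriggerAsSystem("upstream", SYSTEM));
    }
}
```

The explicit READ check after the SYSTEM lookup is what keeps the elevated lookup from turning into a way to trigger jobs the build's identity cannot see.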

          Activity

            danielbeck Daniel Beck added a comment -

            Does the fix for JENKINS-42556 take care of this?

            jglick Jesse Glick added a comment -

            Doubtful. This is an Executor thread, which should not have been affected by that fix.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Added tests to expose the issue
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)
            • JENKINS-42707 Use MockAuthorizationStrategy
            • JENKINS-42707 Remove internationalization for logger

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Added tests to expose the issue
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)
            • JENKINS-42707 Use MockAuthorizationStrategy
            • JENKINS-42707 Remove internationalization for logger

            (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)

            People

              allan_burdajewicz Allan BURDAJEWICZ