Jenkins / JENKINS-43524

Improve diagnostics of disabled Dangerous Permissions


      Jenkins version: 2.32.2

      Affected Role Strategy plugin version: 2.4.0

      Summary: While the goal of the 2.4.0 version is "Dangerous permissions can be configured independently of Administer permission", there is a use case where you should consider allowable use of UploadPlugins to function without needing Administer to be checked. Within my team, we use Chef to provide full configuration management of Jenkins. As such, in order to install plugins, this is done as anonymous, and Chef has been able to do this without issue as long as anonymous has access to UploadPlugins. Anonymous, for obvious reasons, should not have Administer permissions. With 2.3.2 installed, the Chef converge happens without issue. However, if we use 2.4.0, the converge will fail:

       

      Mixlib::ShellOut::ShellCommandFailed
      ------------------------------------
      Expected process to exit with [0], but received '6'
      ---- Begin output of "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core ----
      STDOUT:
      STDERR: [WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
      ERROR: anonymous is missing the Overall/UploadPlugins permission
      ---- End output of "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core ----
      Ran "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core returned 6

       

      The error message is interesting:

      STDERR: [WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
      ERROR: anonymous is missing the Overall/UploadPlugins permission

       

      This message is not entirely accurate, as this has already been configured for anonymous. What's going on here is that Overall/Administer has to be active in addition to Overall/UploadPlugins in order for this action to occur with this version of the plugin installed.

      The ask for this JIRA ticket is either to:

      1. Allow UploadPlugins to function without the need for Administer to also be set in order to upload plugins
      2. Update the error messaging to clearly indicate that Administer AND UploadPlugins are both required in order for the user to upload plugins.

            oleg_nenashev Oleg Nenashev
            brenna_flood Brenna Flood
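The clearer diagnostic asked for in option 2, sketched as an added example (not code from Jenkins, the Role Strategy plugin, or the reporter). It parses the CLI stderr quoted in the ticket and compares it with the configured grants; `parse_cli_stderr`, `diagnose`, and the `DANGEROUS` set are hypothetical names, and the rule that UploadPlugins is inactive without Administer is taken from the ticket's description.

```python
import re

# Simplified model for illustration; not Jenkins or Role Strategy plugin code.
ADMINISTER = "Overall/Administer"
# Only UploadPlugins is named on the page; treated here as the "dangerous" set.
DANGEROUS = {"Overall/UploadPlugins"}

ERROR_RE = re.compile(r"^ERROR: (\S+) is missing the (\S+) permission$", re.M)
FALLBACK = "Proceeding as anonymous"

def parse_cli_stderr(stderr):
    """Extract (user, permission, fell_back_to_anonymous) from jenkins-cli stderr."""
    m = ERROR_RE.search(stderr)
    if not m:
        return None
    return m.group(1), m.group(2), FALLBACK in stderr

def diagnose(stderr, configured):
    """Explain a CLI permission failure against the configured grants.

    `configured` maps user -> set of permissions ticked in the role matrix.
    """
    parsed = parse_cli_stderr(stderr)
    if parsed is None:
        return "no permission error found"
    user, perm, fell_back = parsed
    granted = configured.get(user, set())
    notes = []
    if fell_back:
        notes.append("SSH key authentication failed, so the command ran as anonymous")
    if perm not in granted:
        notes.append(f"{perm} is not configured for {user}")
    elif perm in DANGEROUS and ADMINISTER not in granted:
        notes.append(f"{perm} is configured for {user} but is inactive because "
                     f"{ADMINISTER} is not also granted")
    else:
        notes.append(f"{perm} is configured for {user}; cause is elsewhere")
    return "; ".join(notes)

# Constructed input: the two stderr lines quoted in the ticket.
SAMPLE = ("[WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous\n"
          "ERROR: anonymous is missing the Overall/UploadPlugins permission\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE, {"anonymous": {"Overall/UploadPlugins"}}))
```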