
Improve diagnostics of disabled Dangerous Permissions

      Jenkins version: 2.32.2

      Affected Role Strategy plugin version: 2.4.0

      Summary: While the goal of the 2.4.0 version is "Dangerous permissions can be configured independently of Administer permission" there is a use case where you should consider allowable use of UploadPlugins to function without needing Administer to be checked. Within my team, we use Chef to provide full configuration management of Jenkins. As such, in order to install plugins, this is done as anonymous - and Chef has been able to do this without issue as long as anonymous has access to UploadPlugins. Anonymous for obvious reasons should not have Administer permissions. With 2.3.2 installed, the Chef converge happens without issue. However, if we use 2.4.0 converge will fail:


      Mixlib::ShellOut::ShellCommandFailed
      ------------------------------------
      Expected process to exit with [0], but received '6'
      ---- Begin output of "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core ----
      STDOUT:
      STDERR: [WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
      ERROR: anonymous is missing the Overall/UploadPlugins permission
      ---- End output of "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core ----
      Ran "/usr/lib/jvm/jre/bin/java" -jar "/var/chef/cache/jenkins-cli.jar" -s http://localhost:8080 install-plugin /var/chef/cache/analysis-core-1.86.plugin -name analysis-core returned 6


      The error message is interesting:

      STDERR: [WARN] Failed to authenticate with your SSH keys. Proceeding as anonymous
      ERROR: anonymous is missing the Overall/UploadPlugins permission


      This message is not entirely accurate, as this has already been configured for anonymous. What's going on here is that Overall/Administer has to be active in addition to Overall/UploadPlugins in order for this action to occur with this version of the plugin installed.

      The ask for this JIRA ticket is either to:

      1. Allow UploadPlugins to function without the need for Administer to also be set in order to upload plugins
      2. Update the error messaging to clearly indicate that Administer AND UploadPlugins are both required in order for the user to upload plugins.


          Brenna Flood created issue -

          Oleg Nenashev added a comment -

          You can enable the dangerous permissions using the "org.jenkinsci.plugins.rolestrategy.permissions.DangerousPermissionHandlingMode.enableDangerousPermissions" flag. Once you do it, the Administer permission will not be required.


          Jesse Glick added a comment -

          > as long as anonymous has access to UploadPlugins

          In such a case you may as well disable security on your instance, since anyone with physical access to the network can take over Jenkins with a couple minutes’ work.

          Fix your Chef scripts to authenticate as an actual user with administrative privileges.

          Jesse Glick made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          Oleg Nenashev added a comment -

          Yes, fixing scripts is a good approach. I suppose it is just a Jenkins 2 leftover. Though I wanted to confirm the issue is in just that before closing it.


          Brenna Flood added a comment - edited

          This is fair enough. Since the permissions will not be fixed, can you please consider updating error messages to clearly indicate to the user what permissions and settings are required? Right now, the output is inaccurate.

          Observed:

          ERROR: $USER is missing the Overall/UploadPlugins permission

          Expected:

          ERROR: $USER is missing the Overall/UploadPlugins and Overall/Administer permission


          Oleg Nenashev added a comment -

          brenna_flood

          > ERROR: $USER is missing the Overall/UploadPlugins and Overall/Administer permission

          It would be incorrect. User is missing the "Overall/UploadPlugins" permission only, because the plugin is just blocking it. I am afraid there is no way to easily update the text message though I could probably add logging of this warning. OTOH the administrative monitor should be warning you, no?

          BTW, I created JENKINS-43547 to Security Inspector plugin in order to get better reporting.

          CC danielbeck since the concern also applies to Matrix Auth

          Oleg Nenashev made changes -
          Resolution Original: Not A Defect [ 7 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]
          Oleg Nenashev made changes -
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Oleg Nenashev made changes -
          Link New: This issue is related to JENKINS-43547 [ JENKINS-43547 ]
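The thread turns on two facts: with Role Strategy 2.4.0 a role holding Overall/UploadPlugins without Overall/Administer is silently blocked (hence the misleading "missing Overall/UploadPlugins" error), and, as Jesse Glick notes, granting that permission to anonymous is a takeover risk regardless. The following audit script is an added example, not code from the ticket or from the Role Strategy plugin; it scans a Role Strategy global-roles block for exactly that combination and reports which SIDs hold it. The XML layout, the `hudson.model.Hudson.*` permission ids and the set of "dangerous" permissions are assumptions, and the config sample is constructed.

```python
# Added example (not from the Jenkins issue or the Role Strategy plugin):
# flag global roles that grant a "dangerous" Overall permission without
# Overall/Administer, and list the SIDs assigned to them. XML layout and the
# DANGEROUS set are assumptions about the plugin's config.xml format.
import xml.etree.ElementTree as ET

ADMINISTER = "hudson.model.Hudson.Administer"
DANGEROUS = {  # assumed: permissions Role Strategy 2.4.0 gates on Administer
    "hudson.model.Hudson.UploadPlugins",
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Hudson.ConfigureUpdateCenter",
}

# Constructed sample resembling the <authorizationStrategy> block of config.xml.
SAMPLE_CONFIG = """<authorizationStrategy>
  <roleMap type="globalRoles">
    <role name="admin" pattern=".*">
      <permissions>
        <permission>hudson.model.Hudson.Administer</permission>
        <permission>hudson.model.Hudson.UploadPlugins</permission>
      </permissions>
      <assignedSIDs><sid>alice</sid></assignedSIDs>
    </role>
    <role name="deployer" pattern=".*">
      <permissions>
        <permission>hudson.model.Hudson.Read</permission>
        <permission>hudson.model.Hudson.UploadPlugins</permission>
      </permissions>
      <assignedSIDs><sid>anonymous</sid><sid>chef</sid></assignedSIDs>
    </role>
  </roleMap>
</authorizationStrategy>"""


def find_dangerous_roles(xml_text):
    """Return {role: (sorted dangerous perms, sorted SIDs)} for global roles
    holding a dangerous permission but not Administer (i.e. roles the plugin
    blocks, and which should be reviewed, especially if anonymous is listed)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for role in root.iterfind(".//roleMap[@type='globalRoles']/role"):
        perms = {p.text.strip() for p in role.iter("permission") if p.text}
        dangerous = perms & DANGEROUS
        if dangerous and ADMINISTER not in perms:
            sids = sorted(s.text.strip() for s in role.iter("sid") if s.text)
            findings[role.get("name")] = (sorted(dangerous), sids)
    return findings


if __name__ == "__main__":
    for name, (perms, sids) in find_dangerous_roles(SAMPLE_CONFIG).items():
        print(f"role {name!r}: {perms} granted to {sids} without Administer")
```

Run it against the `<authorizationStrategy>` element of a real `config.xml` to see which roles would trip the error in the ticket; a hit on `anonymous` is the case Jesse Glick's comment warns about.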
