-
Improvement
-
Resolution: Fixed
-
Major
-
None
-
-
Pipeline - October, Pipeline - December
As a Jenkins administrator, I would like for developers to be able to configure jobs, but only have certain users able to build those jobs. Through various means like RBAC and controlled agents, I have given jobs in a certain folder the ability to access agents and secrets. While I trust developers to configure those jobs, I have business requirements to only allow certain users to build those jobs.
However, Jenkins allows users to Replay a build even if they don't have the Run/Replay or Job/Build permissions. This seems to due the fact that Run/Replay is implied by Job/Configure.
Put another way, Job/Build isn't implied by Job/Configure, so why does Job/Configure imply Run/Replay? Instead, it seems like Run/Replay should only be implied if a user has both Job/Build and Job/Configure.
- is related to
-
JENKINS-63080 Replay link is shown to users with push access to repo, but replay page shows no script editor
-
- Resolved
-
-
-
- Reopened
-
-
-
- Resolved
-
- links to
- mentioned in
-
Page Loading...
[JENKINS-47339] Add Rebuild action for users who can Build but not Replay (was: Users with only Job/Configure shouldn't be able to replay jobs)
abayer Just pointing out for clarity that a permission does not have to be implied by any other permission, because the above seems to imply it must have an implied by..
PR up for workflow-cps at https://github.com/jenkinsci/workflow-cps-plugin/pull/187 that adds a new ReplayAction.REBUILD permission (implied by Item.BUILD) for simply re-running a build with the same script, i.e., without the ability to edit the script contents.
Downstream Blue Ocean PR up at https://github.com/jenkinsci/blueocean-plugin/pull/1536
Code changed in jenkins
User: Andrew Bayer
Path:
src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayAction.java
src/main/resources/org/jenkinsci/plugins/workflow/cps/replay/Messages.properties
src/main/resources/org/jenkinsci/plugins/workflow/cps/replay/ReplayAction/index.jelly
src/test/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayActionTest.java
http://jenkins-ci.org/commit/workflow-cps-plugin/bf938edf4a2b24cbd175e118acce1a22dc4acd49
Log:
[FIXED JENKINS-47339] Add build-implied REBUILD permission.
Allows rebuilding a Pipeline run with the exact same script.
Releasing workflow-cps 1.42 with this fix, updating the Blue Ocean PR accordingly. This should be marked resolved once it's merged in Blue Ocean.
Looks like ReplayPipelineCommand was forgotten here, so the CLI does not support the new option.
Ok, thought about this a bit - ReplayAction.REPLAY should be implied by Item.CONFIGURE. That's because replaying a build lets you make changes to what was run. So we definitely don't want to just allow anyone with Item.BUILD permissions to be able to replay a build unless they also have Item.CONFIGURE. And since, as far as I know, there's no way to do two required permissions to imply a third, we're restricted to having ReplayAction.REPLAY implied by one of Item.CONFIGURE or Item.BUILD but not the other, and in that scenario, Item.CONFIGURE is definitely the right one.