-
Improvement
-
Resolution: Fixed
-
Major
-
None
-
-
Pipeline - October, Pipeline - December
As a Jenkins administrator, I would like for developers to be able to configure jobs, but only have certain users able to build those jobs. Through various means like RBAC and controlled agents, I have given jobs in a certain folder the ability to access agents and secrets. While I trust developers to configure those jobs, I have business requirements to only allow certain users to build those jobs.
However, Jenkins allows users to Replay a build even if they don't have the Run/Replay or Job/Build permissions. This seems to due the fact that Run/Replay is implied by Job/Configure.
Put another way, Job/Build isn't implied by Job/Configure, so why does Job/Configure imply Run/Replay? Instead, it seems like Run/Replay should only be implied if a user has both Job/Build and Job/Configure.
- is related to
-
JENKINS-63080 Replay link is shown to users with push access to repo, but replay page shows no script editor
-
- Resolved
-
-
-
- Reopened
-
-
-
- Resolved
-
- links to
- mentioned in
-
Page Loading...
[JENKINS-47339] Add Rebuild action for users who can Build but not Replay (was: Users with only Job/Configure shouldn't be able to replay jobs)
| Rank | New: Ranked higher |
| Component/s | New: pipeline [ 21692 ] |
| Sprint | New: Pipeline - October [ 406 ] |
abayer Just pointing out for clarity that a permission does not have to be implied by any other permission, because the above seems to imply it must have an implied by..
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
| Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
PR up for workflow-cps at https://github.com/jenkinsci/workflow-cps-plugin/pull/187 that adds a new ReplayAction.REBUILD permission (implied by Item.BUILD) for simply re-running a build with the same script, i.e., without the ability to edit the script contents.
| Remote Link | New: This issue links to "workflow-cps PR #187 (Web Link)" [ 17997 ] |
Ok, thought about this a bit - ReplayAction.REPLAY should be implied by Item.CONFIGURE. That's because replaying a build lets you make changes to what was run. So we definitely don't want to just allow anyone with Item.BUILD permissions to be able to replay a build unless they also have Item.CONFIGURE. And since, as far as I know, there's no way to do two required permissions to imply a third, we're restricted to having ReplayAction.REPLAY implied by one of Item.CONFIGURE or Item.BUILD but not the other, and in that scenario, Item.CONFIGURE is definitely the right one.