
Cannot create pipelines using BlueOcean as a non-Admin user

    • Bug
    • Resolution: Unresolved
    • Major
    • blueocean-plugin
    • None
    • Blue Ocean 1.4 - beta 3, Blue Ocean 1.4 - beta 5

      Attachments:

      1. Manage Roles Screen - shows Roles configuration which will replicate the issue
      2. Assign Roles Screen - shows user role assignments which will replicate the issue
      3. Error Screen - BlueOcean error screen showing non-admin user being unable to create pipeline even though they have been assigned all the Job permissions via their role assignment.

      Problem:

      I have come across an issue using the Role Strategy plugin and the Blue Ocean plugin. I found I cannot create pipelines using BlueOcean when using a user who does not have the Overall Global Administer permission granted in "Manage Roles".

      Only Administrative users can create and edit pipelines. Other Users cannot create pipelines even though they have been assigned the permission in project roles in "Manage Roles" and "Assign Roles".

      When non-administrative users try, the Jenkins logs show the following:

      INFO: While serving http://<HOST>/blue/rest/organizations/jenkins/pipelines/<PROJECT>/scm/content: hudson.security.AccessDeniedException2: <USER> is missing the N/A/GenericRead permission

       

      This remains true even if the regular expression is set to allow all projects. As long as the Administer permission is not granted to the user they cannot create pipelines.

      Temporary Fix:

      1. Go to the Jenkins home directory.
      If using docker: docker exec -u root -it [container_id] bash
      Then navigate to: /var/jenkins_home
      2. Edit the file config.xml
      3. Add the following permission to your required role name in projectRoles:
      <permission>hudson.security.Permission.GenericRead</permission>

      4. Save file
      5. Restart Jenkins or use "Reload Configuration from Disk" at "Manage Jenkins" page
      6. The affected user will now be able to create and edit pipelines.

      This is a temporary fix as the issue resurfaces when further additions or edits are made to Manage Roles. The added permission is deleted and we have to manually perform the steps again for each created project role.

      Example:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
        <roleMap type="projectRoles">
          <role name="m<REMOVED TO MATCH PIC>s" pattern="<REMOVED TO MATCH PIC>.*">
            <permissions>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
              <permission>hudson.model.Item.Create</permission>
              <permission>hudson.model.Run.Delete</permission>
              <permission>hudson.model.Item.Workspace</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
              <permission>hudson.model.Run.Replay</permission>
              <permission>hudson.model.Item.Configure</permission>
              <permission>hudson.model.Item.Cancel</permission>
              <permission>hudson.model.Item.Delete</permission>
              <permission>hudson.model.Item.Read</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
              <permission>hudson.model.Item.Build</permission>
              <permission>hudson.scm.SCM.Tag</permission>
              <permission>hudson.model.Item.Move</permission>
              <permission>hudson.model.Item.Discover</permission>
              <permission>hudson.model.Run.Update</permission>
              <permission>hudson.security.Permission.GenericRead</permission> <!-- THIS IS WHERE YOU ADD. JENKINS SORTS ON RESTART -->
            </permissions>
            <assignedSIDs>
              <sid>d<REMOVED TO MATCH PIC>1</sid>
              <sid>k<REMOVED TO MATCH PIC>1</sid>
            </assignedSIDs>
          </role>
        </roleMap>
      </authorizationStrategy>

       

      Suggestion:
      Have the Role Strategy plugin assign the hudson.security.Permission.GenericRead permission. This will allow the Job permissions under Project Roles to work as desired without the need of manual intervention.

      The makers of the plugin can decide whether it is best to place this in the Project role or in the Global Roles. As Project Roles can be defined in absence of a Global role it might be wise to explicitly add it in the Project Roles.

      This may have to be checked for the Slave Node roles as well. I did not do so.

      It is interesting to note that users created under "Manage Users" do not have this permission granted.

       

       

        1. Assign_Roles.png (185 kB)
        2. assigned_roles.png (520 kB)
        3. Error.png (150 kB)
        4. ManageRoles.png (147 kB)
        5. roles.png (590 kB)

          [JENKINS-48219] Cannot create pipelines using BlueOcean as a non-Admin user

          Oleg Nenashev added a comment -

          I am just a messenger who checked the technical side of the issue, please ask the issue reporter if you need additional info.


          Michael Neale added a comment -

          Ack. Just wasn’t sure if bitten lately. Should be enough here to build a test case out of.


          Vivek Pandey added a comment -

          xaviercaddle do you see this issue with a specific type of SCM (git or Github or Bitbucket) or with all? I suspect it's the Git creation flow; we expect the user to have READ permission on the multi-branch-pipeline (Job) item. Does the non-admin user have READ permission for the job?

          Also, can you capture and send a HAR when this error happens? You can send it directly to me if it has confidential information. Or, if you can provide details around the HTTP request that resulted in the 403, that will be helpful.


          Xavier Caddle added a comment - - edited

          vivek: I see this with the Git creation flow. I have not tested with Github or Bitbucket.

          Yes the user has READ permission for job. This can be seen in roles.png and assigned_roles.png

          As requested HAR has been emailed.


          Vivek Pandey added a comment -

          xaviercaddle Thanks. PR https://github.com/jenkinsci/blueocean-plugin/pull/1607 opened.

          Michael Neale added a comment -

          xaviercaddle - if you are feeling creative, you could build from that branch and see if it helps (the fix does seem simple)


          Xavier Caddle added a comment -

          https://github.com/jenkinsci/blueocean-plugin/commit/c547be597a1e85200cf2aabcd2af80f3d27ee34e

          Since the commit was reverted am I to understand that there is/was a problem with the fix? Will the issue be rectified in a later release?


          Michael Neale added a comment -

          xaviercaddle that was never merged, was just a PR trying something out to see if it was a regression (it wasn't) so that revert never happened. 


          Pavel Novak added a comment - - edited

          Hi guys, kindly please, what is the status?

          I noticed the issue still persists; why is the issue closed then?

          Seems like only global jenkins admins can use the blueocean editor for creating pipelines at this point.

          We are facing the same issue in jenkins standalone LTS:

          - Jenkins ver. 2.107.3, blue ocean 1.5.0
          - Jenkins ver. 2.121.2, blue ocean 1.8.2

           

          Thanks in advance


          Dominik Zalewski added a comment -

          Latest LTS jenkins and blueocean plugins still got this issue

            vivek Vivek Pandey
            xaviercaddle Xavier Caddle