
Cannot create pipelines using BlueOcean as a non-Admin user

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • blueocean-plugin
    • None
    • Blue Ocean 1.4 - beta 3, Blue Ocean 1.4 - beta 5

      Attachments:

      1. Manage Roles Screen - shows Roles configuration which will replicate the issue
      2. Assign Roles Screen - shows user role assignments which will replicate the issue
      3. Error Screen - BlueOcean error screen showing non-admin user being unable to create pipeline even though they have been assigned all the Job permissions via their role assignment.

      Problem:

      I have come across an issue using the Role Strategy plugin and the BlueOcean plugin. I found I cannot create pipelines using BlueOcean when using a user who does not have the Overall Global Administer permission granted in "Manage Roles".

      Only administrative users can create and edit pipelines. Other users cannot create pipelines even though they have been assigned the permission in project roles in "Manage Roles" and "Assign Roles".

      When non-administrative users try, the Jenkins logs show the following:

      INFO: While serving http://<HOST>/blue/rest/organizations/jenkins/pipelines/<PROJECT>/scm/content: hudson.security.AccessDeniedException2: <USER> is missing the N/A/GenericRead permission

       

      This remains true even if the regular expression is set to allow all projects. As long as the Administer permission is not granted to the user they cannot create pipelines.

      Temporary Fix:

      1. Go to the Jenkins home directory.
         If using Docker: docker exec -u root -it [container_id] bash
         Then navigate to: /var/jenkins_home
      2. Edit the file config.xml.
      3. Add the following permission to your required role name in projectRoles:
         <permission>hudson.security.Permission.GenericRead</permission>
      4. Save the file.
      5. Restart Jenkins or use "Reload Configuration from Disk" on the "Manage Jenkins" page.
      6. The affected user will now be able to create and edit pipelines.

      This is a temporary fix as the issue resurfaces when further additions or edits are made to Manage Roles. The added permission is deleted and we have to manually perform the steps again for each created project role.

      Example:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
        <roleMap type="projectRoles">
          <role name="m<REMOVED TO MATCH PIC>s" pattern="<REMOVED TO MATCH PIC>.*">
            <permissions>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
              <permission>hudson.model.Item.Create</permission>
              <permission>hudson.model.Run.Delete</permission>
              <permission>hudson.model.Item.Workspace</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
              <permission>hudson.model.Run.Replay</permission>
              <permission>hudson.model.Item.Configure</permission>
              <permission>hudson.model.Item.Cancel</permission>
              <permission>hudson.model.Item.Delete</permission>
              <permission>hudson.model.Item.Read</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
              <permission>hudson.model.Item.Build</permission>
              <permission>hudson.scm.SCM.Tag</permission>
              <permission>hudson.model.Item.Move</permission>
              <permission>hudson.model.Item.Discover</permission>
              <permission>hudson.model.Run.Update</permission>
              <permission>hudson.security.Permission.GenericRead</permission> <!-- THIS IS WHERE YOU ADD. JENKINS SORTS ON RESTART -->
            </permissions>
            <assignedSIDs>
              <sid>d<REMOVED TO MATCH PIC>1</sid>
              <sid>k<REMOVED TO MATCH PIC>1</sid>
            </assignedSIDs>
          </role>
        </roleMap>

       

      Suggestion:
      Have the Role Strategy plugin assign the hudson.security.Permission.GenericRead permission. This will allow the Job permissions under Project Roles to work as desired without the need of manual intervention.

      The makers of the plugin can decide whether it is best to place this in the Project role or in the Global Roles. As Project Roles can be defined in absence of a Global role it might be wise to explicitly add it in the Project Roles.

      This may have to be checked for the Slave Node roles as well. I did not do so.

      It is interesting to note that users created under "Manage Users" do not have this permission granted.

       

       

        1. roles.png (590 kB)
        2. assigned_roles.png (520 kB)
        3. Assign_Roles.png (185 kB)
        4. Error.png (150 kB)
        5. ManageRoles.png (147 kB)
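
The report says the manually added permission disappears again whenever Manage Roles is edited. The following is an added example, not part of the original report or of either plugin: it parses a config.xml, lists the project roles that lack hudson.security.Permission.GenericRead, and re-applies step 3 of the workaround in memory. The sample configuration, role names and SIDs are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
GENERIC_READ = "hudson.security.Permission.GenericRead"

# Constructed sample shaped like the excerpt in the report; names and SIDs are invented.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="projectRoles">
      <role name="team-a" pattern="team-a.*">
        <permissions>
          <permission>hudson.model.Item.Create</permission>
          <permission>hudson.security.Permission.GenericRead</permission>
        </permissions>
        <assignedSIDs><sid>alice</sid></assignedSIDs>
      </role>
      <role name="team-b" pattern="team-b.*">
        <permissions>
          <permission>hudson.model.Item.Create</permission>
        </permissions>
        <assignedSIDs><sid>bob</sid></assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>"""

def project_roles(root):
    """Return the <role> elements under <roleMap type="projectRoles">."""
    return root.findall("./authorizationStrategy/roleMap[@type='projectRoles']/role")

def permissions_of(role):
    return {(p.text or "").strip() for p in role.iter("permission")}

def roles_missing_generic_read(root):
    """Names of project roles whose permission list lacks GenericRead."""
    return [r.get("name") for r in project_roles(root) if GENERIC_READ not in permissions_of(r)]

def add_generic_read(root):
    """Re-apply step 3 of the workaround in memory; return the roles changed."""
    changed = []
    for role in project_roles(root):
        if GENERIC_READ not in permissions_of(role):
            perms = role.find("permissions")
            if perms is None:  # role saved with no permissions element at all
                perms = ET.SubElement(role, "permissions")
            ET.SubElement(perms, "permission").text = GENERIC_READ
            changed.append(role.get("name"))
    return changed

if __name__ == "__main__":
    print(roles_missing_generic_read(ET.fromstring(SAMPLE_CONFIG)))
```

To audit a real instance, pass `ET.parse("/var/jenkins_home/config.xml").getroot()` instead of the sample; run after each change to Manage Roles, the check shows which roles have lost the permission.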

          [JENKINS-48219] Cannot create pipelines using BlueOcean as a non-Admin user

          Xavier Caddle created issue -
          Xavier Caddle made changes -
          Environment Original: HOST OS: openSUSE Leap 42.2 64 bit
          Docker: Docker version 17.04.0-ce, build 78d1802
          Jenkins: Running in docker created from jenkinsci/blueocean:latest
          Jenkins Version: 2.73.2
          Java Version: 8u121



          New: HOST OS: openSUSE Leap 42.2 64 bit
          Docker: Docker version 17.04.0-ce, build 78d1802
          Jenkins: Running in docker created from jenkinsci/blueocean:latest
          Jenkins Version: 2.73.2
          Java Version: 8u121
          Role Strategy Plugin version: 2.6.1



          Oleg Nenashev made changes -
          Component/s New: blueocean-plugin [ 21481 ]
          Component/s Original: role-strategy-plugin [ 15758 ]
          Oleg Nenashev made changes -
          Assignee Original: Oleg Nenashev [ oleg_nenashev ]
          Daniel Beck made changes -
          Priority Original: Minor [ 4 ] New: Critical [ 2 ]
          Oleg Nenashev made changes -
          Summary Original: Cannot create pipelines using BlueOcean and Role Strategy plugin New: Cannot create pipelines using BlueOcean as a non-Admin user
          Michael Neale made changes -
          Assignee New: Vivek Pandey [ vivek ]
          Michael Neale made changes -
          Priority Original: Critical [ 2 ] New: Major [ 3 ]
          Xavier Caddle made changes -
          Attachment New: 137.40.0.3.har [ 41026 ]
          Xavier Caddle made changes -
          Attachment New: assigned_roles.png [ 41027 ]
          Attachment New: roles.png [ 41028 ]
          Xavier Caddle made changes -
          Attachment Original: 137.40.0.3.har [ 41026 ]

            Assignee: Vivek Pandey (vivek)
            Reporter: Xavier Caddle (xaviercaddle)
            Votes: 0
            Watchers: 8
