Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48828

Bitbucket Team/Folder project: View Configuration pages shows Access Denied, Jenkins throws hudson.security.AccessDeniedException2

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Environment:
    • Similar Issues:

      Description

      Summary:
      On a Jenkins instance where Security is set to "Logged in users can do anything," the logged in user admin is shown Access Denied: admin is missing the Job/Configure permission when viewing repositories inside of a Bitbucket Team project. At the same time this is shown, the Jenkins log shows a hudson.security.AccessDeniedException2.

      Steps to recreate:
      1. Go to Global Security, and set it to "Logged-in users can do anything."

      2. Set up a Bitbucket Team/Project job:

      3. Go through the Configuration screen and set up the project in a normal way:

      4. Verify that the project has been created:

      5. Verify that you can at least run some builds for repos inside of this Team Project. In this case I'm looking at a particular branch:

      6. (Optional) If you have shell access to the instance, tail -f the Jenkins log.

      7. Go back up to the top level of the project, select the drop down next to one of the repositories, and pick "View Configuration:"

      8. In the Branch Sources section, directly under the "Repository Name" pulldown, notice there's sort of a second Jenkins UI being shown, which says "Access Denied."

      9. The Jenkins log will display the following information on loading the View Configuration page:

      Jan 05, 2018 7:25:45 PM org.eclipse.jetty.server.handler.ContextHandler$Context log
      INFO: While serving http://172.18.40.95:8080/job/bitbucket-access-denied-demo/job/test-of-pull-requests/descriptorByName/com.cloudbees.jenkins.plugins.bitbucket.BitbucketSCMSource/fillRepositoryItems: hudson.security.AccessDeniedException2: admin is missing the Job/Configure permission
      

      This is an issue for two reasons. First, there shouldn't be this second UI at all. Second, it's not clear why a logged-in user on a system which has been set to "Logged in users can do anything" would be denied access to anything

        Attachments

          Issue Links

            Activity

            kshultz Karl Shultz created issue -
            Hide
            mquinn_akkadianlabs Mitchell Quinn added a comment -

            I am running into this exact issue. If you found any work arounds or solutions I would greatly appreciate it!

            Show
            mquinn_akkadianlabs Mitchell Quinn added a comment - I am running into this exact issue. If you found any work arounds or solutions I would greatly appreciate it!
            Hide
            rickjames961 Rick James added a comment -

            Same issue here. 

            Show
            rickjames961 Rick James added a comment - Same issue here. 
            kshultz Karl Shultz made changes -
            Field Original Value New Value
            Priority Minor [ 4 ] Major [ 3 ]
            Hide
            jarrodj83 Jarrod Johnson added a comment -

            Same issue here. Even if we explicitly grant the user the job/configure permission they are still unable to make changes on the repository configuration page. This is wildly annoying as our current configuration requires us to poll for new branches that are created and the default polling period is one day. Is there a version of the plugin this works with that we can roll back to or is it due to updates in newer versions of jenkins? We are running:

            Jenkins 2.89.4

            Bitbucket Plugin 1.1.7

             

             

            Show
            jarrodj83 Jarrod Johnson added a comment - Same issue here. Even if we explicitly grant the user the job/configure permission they are still unable to make changes on the repository configuration page. This is wildly annoying as our current configuration requires us to poll for new branches that are created and the default polling period is one day. Is there a version of the plugin this works with that we can roll back to or is it due to updates in newer versions of jenkins? We are running: Jenkins 2.89.4 Bitbucket Plugin 1.1.7    
            Hide
            mpridemore Michael Pridemore added a comment -

            Same issue.

            Jenkins 2.107.3

            Bitbucket Pipeline for Blue Ocean 1.5.0

            Show
            mpridemore Michael Pridemore added a comment - Same issue. Jenkins 2.107.3 Bitbucket Pipeline for Blue Ocean 1.5.0
            Hide
            grpatter Greg Patterson added a comment -

            Same issue

             

            Jenkins 2.124

            Bitbucket Pipeline for Blue Ocean 1.7.2 (Latest 1.8.2 - no fix IDed)
            Bitbucket Branch Source Plugin 2.2.12 (Current)
            Bitbucket Plugin 1.1.8 (Current)

            Show
            grpatter Greg Patterson added a comment - Same issue   Jenkins 2.124 Bitbucket Pipeline for Blue Ocean 1.7.2 (Latest 1.8.2 - no fix IDed) Bitbucket Branch Source Plugin 2.2.12 (Current) Bitbucket Plugin 1.1.8 (Current)
            Hide
            davideoli Davide Olivieri added a comment - - edited

            Hi,

            In my organization we are running into the same issue but we are using "Role-Based Strategy" instead of "Logged-in users can do anything". The users are LDAP users (MS Active Directory)

            The message in the log is the same as the one posted by the Reporter.

            Show
            davideoli Davide Olivieri added a comment - - edited Hi, In my organization we are running into the same issue but we are using "Role-Based Strategy" instead of "Logged-in users can do anything". The users are LDAP users (MS Active Directory) The message in the log is the same as the one posted by the Reporter.
            Hide
            taz77 Brady Owens added a comment -

            Same here. Using the Jenkins 2.1.41 and plugin version 2.2.12

            Show
            taz77 Brady Owens added a comment - Same here. Using the Jenkins 2.1.41 and plugin version 2.2.12
            taz77 Brady Owens made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            taz77 Brady Owens made changes -
            Labels bitbucket bitbucket-branch-source-plugin
            Hide
            thilken Tobias Hilken added a comment -

            Same issue using Jenkins version 2.138.1 and Bitbucket plugin version 1.1.8 and being admin with role-based strategy.

            Show
            thilken Tobias Hilken added a comment - Same issue using Jenkins version 2.138.1 and Bitbucket plugin version 1.1.8 and being admin with role-based strategy.
            Hide
            smaynard Steve Maynard added a comment -

            Same issue using Jenkins version 2.138.2 and Bitbucket plugin version 2.2.14 - tried all admin strategies
             

            Show
            smaynard Steve Maynard added a comment - Same issue using Jenkins version 2.138.2 and Bitbucket plugin version 2.2.14 - tried all admin strategies  
            Hide
            quinn_mikelson Quinn Mikelson added a comment -

            Same issue using Jenkins ver. 2.138.3 and Bitbucket plugin version 2.2.14

            Show
            quinn_mikelson Quinn Mikelson added a comment - Same issue using Jenkins ver. 2.138.3 and Bitbucket plugin version 2.2.14
            taz77 Brady Owens made changes -
            Priority Critical [ 2 ] Blocker [ 1 ]
            Hide
            taz77 Brady Owens added a comment -

            Agreed. Another release of the module and still this problem exists. Setting this issue as a blocker so hopefully, it gets picked up before the next release. There is no workaround that I know of to get the module to operate properly.

            Show
            taz77 Brady Owens added a comment - Agreed. Another release of the module and still this problem exists. Setting this issue as a blocker so hopefully, it gets picked up before the next release. There is no workaround that I know of to get the module to operate properly.
            Hide
            rzhou Ronnie Zhou added a comment - - edited

            Bitbucket Team is creating jobs based on the Jenkinsfile in each branch. It kinda makes sense that Bitbucket Team doesn't have configure permission to change the Jenkinsfile dynamically.

            The error message is confusing but the issue shouldn't be a blocker. You just have to make change to the Jenkinsfile.

            Show
            rzhou Ronnie Zhou added a comment - - edited Bitbucket Team is creating jobs based on the Jenkinsfile in each branch. It kinda makes sense that Bitbucket Team doesn't have configure permission to change the Jenkinsfile dynamically. The error message is confusing but the issue shouldn't be a blocker. You just have to make change to the Jenkinsfile.
            Hide
            mquinn_akkadianlabs Mitchell Quinn added a comment -

            Ronnie Zhou can you give an example?

            Show
            mquinn_akkadianlabs Mitchell Quinn added a comment - Ronnie Zhou can you give an example?
            Hide
            jmkgreen James Green added a comment -

            We have just encountered this - using Role based permissions and a Bitbucket Folder project. Is the suggestion that the bit where permission denied is shown can only be adjusted through the Jenkinsfile? I.e. it's really the wrong error message?

            Show
            jmkgreen James Green added a comment - We have just encountered this - using Role based permissions and a Bitbucket Folder project. Is the suggestion that the bit where permission denied is shown can only be adjusted through the Jenkinsfile? I.e. it's really the wrong error message?
            Hide
            teeem Timothy Tabing added a comment -

            Same issue here. Any update?
            I am running 

            Jenkins: 2.181

            Bitbucket Branch Source: 2.4.4

             

            Show
            teeem Timothy Tabing added a comment - Same issue here. Any update? I am running  Jenkins: 2.181 Bitbucket Branch Source: 2.4.4  
            Hide
            teeem Timothy Tabing added a comment -

            I am still facing the same issue after upgrading

            Jenkins: 2.209

            Bitbucket Branch Source Plugin: 2.6.0

            Show
            teeem Timothy Tabing added a comment - I am still facing the same issue after upgrading Jenkins: 2.209 Bitbucket Branch Source Plugin: 2.6.0
            Hide
            thomhane Thomas Haney added a comment - - edited

            For the comments regarding having to setup permission in the jenkinsfile, That only sets the permissions on the branch plans, The multi branch pipelines that get created by the plugin don't inherit the permissions of the child based on the jenkinsfile. The default should be to always inherit from the parent.

            Show
            thomhane Thomas Haney added a comment - - edited For the comments regarding having to setup permission in the jenkinsfile, That only sets the permissions on the branch plans, The multi branch pipelines that get created by the plugin don't inherit the permissions of the child based on the jenkinsfile. The default should be to always inherit from the parent.
            Hide
            jcaraujo Jean Araujo added a comment -

            Same problem here.

            Jenkins: 2.240
            Bitbucket Branch Source Plugin: 2.8.0

            Show
            jcaraujo Jean Araujo added a comment - Same problem here. Jenkins: 2.240 Bitbucket Branch Source Plugin: 2.8.0
            velisavnotna Anton Vasilev made changes -
            Assignee Anton Vasilev [ velisavnotna ]
            velisavnotna Anton Vasilev made changes -
            Assignee Anton Vasilev [ velisavnotna ]
            Hide
            velisavnotna Anton Vasilev added a comment -

            Hi, this workaround helped me.

            import com.cloudbees.hudson.plugins.folder.Folder
            
            for (item in Jenkins.instance.getAllItems(jenkins.branch.MultiBranchProject.class)) {
                if(item.fullName.contains("test_Bitbucket_Team_Project")) {
                   println "Found item: "+ item.fullName 
                   item.triggers.each {descriptor, trigger ->    
                       item.removeTrigger(trigger)        
                       item.save()        
                       println "Success delete trigger: " + item.fullName 
                   }  
                }
            }
            
            Show
            velisavnotna Anton Vasilev added a comment - Hi, this workaround helped me. import com.cloudbees.hudson.plugins.folder.Folder for (item in Jenkins.instance.getAllItems(jenkins.branch.MultiBranchProject.class)) { if (item.fullName.contains( "test_Bitbucket_Team_Project" )) { println "Found item: " + item.fullName item.triggers.each {descriptor, trigger ->         item.removeTrigger(trigger)        item.save()        println "Success delete trigger: " + item.fullName }  } }
            tzach_solomon Tzach Solomon made changes -
            Component/s bitbucket-branch-source-plugin [ 21428 ]
            Component/s bitbucket-plugin [ 18755 ]
            Hide
            tzach_solomon Tzach Solomon added a comment -

            Karl Shultz i've changed the component from bitbucket-plugin to bitbucket-branch-source-plugin since they are different plugins

            Show
            tzach_solomon Tzach Solomon added a comment - Karl Shultz i've changed the component from bitbucket-plugin to bitbucket-branch-source-plugin since they are different plugins
            bitwiseman Liam Newman made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            bitwiseman Liam Newman made changes -
            Assignee Liam Newman [ bitwiseman ]
            Hide
            bitwiseman Liam Newman added a comment -

            I've created a PR that appears to fix this.

            Show
            bitwiseman Liam Newman added a comment - I've created a PR that appears to fix this.
            bitwiseman Liam Newman made changes -
            Remote Link This issue links to "PR-377 (Web Link)" [ 25921 ]
            vildand Martin Wielandt made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            vildand Martin Wielandt made changes -
            Status In Review [ 10005 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Fixed but Unreleased [ 10203 ]
            bitwiseman Liam Newman made changes -

              People

              Assignee:
              bitwiseman Liam Newman
              Reporter:
              kshultz Karl Shultz
              Votes:
              27 Vote for this issue
              Watchers:
              34 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: