• Type: Bug
• Resolution: Cannot Reproduce
• Priority: Critical
• Component/s: cctray-xml-plugin, core, ldap-plugin
• Labels:

  • cc.xml

[JENKINS-48896] anonymous read of cc.xml file works only for root (ldap)

Sorin Sbarnea created issue - 2018-01-11 13:24

Sorin Sbarnea made changes - 2018-01-11 13:24

Link

New: This issue is related to JENKINS-2885 [ JENKINS-2885 ]

Sorin Sbarnea made changes - 2018-01-11 13:24

Remote Link

New: This issue links to "pull-52 (Web Link)" [ 19762 ]

Sorin Sbarnea made changes - 2018-01-11 13:25

Component/s		New: ldap-plugin [ 17122 ]
Component/s	Original: github-oauth-plugin [ 15900 ]

Sorin Sbarnea made changes - 2018-01-11 13:26

Description

Original: It seems that the option to allow anonymous users to read the /cc.xml works only for the root one and not for those associated with other views, or the special "all" view which is exposed at /view/All/cc.xml This bug has a serious impact because due to it, it means that you can only expose the status of the jobs present on the default view. On any serious setup, the default view does not expose ALL jobs. Even worse, it seems that if you try to get the other cc.xml files you get a 403 but if you try to use basic auth, you will get a 500 error. Ideally the github integration plugin should expose github login as basic auth, so we can use it from other applications too. Still, this would be subject to a different bug report.

New: This refers to LDAP plugin. Exactly the same issue was raised and fixed against github-auth plugin in the past. It seems that the option to allow anonymous users to read the /cc.xml works only for the root one and not for those associated with other views, or the special "all" view which is exposed at /view/All/cc.xml This bug has a serious impact because due to it, it means that you can only expose the status of the jobs present on the default view. On any serious setup, the default view does not expose ALL jobs. Even worse, it seems that if you try to get the other cc.xml files you get a 403 but if you try to use basic auth, you will get a 500 error.

Sorin Sbarnea made changes - 2018-01-11 13:27

Assignee

Original: Sam Gleske [ sag47 ]

New: Kohsuke Kawaguchi [ kohsuke ]

Oleg Nenashev made changes - 2018-01-18 09:02

Component/s

New: cctray-xml-plugin [ 21967 ]

Oleg Nenashev made changes - 2018-01-18 09:02

Component/s

New: core [ 15593 ]

Collapse comment: Oleg Nenashev added a comment - 2018-01-18 09:03

Oleg Nenashev added a comment - 2018-01-18 09:03

CC danielbeck and dnusbaum who were working on this area recently

Expand comment: Oleg Nenashev added a comment - 2018-01-18 09:03

Oleg Nenashev added a comment - 2018-01-18 09:03 CC danielbeck and dnusbaum who were working on this area recently

Collapse comment: Daniel Beck added a comment - 2018-01-18 09:22

Daniel Beck added a comment - 2018-01-18 09:22

It is not clear to me what this is even referring to. The option mentioned, AFAICT, is specific to github-oauth plugin. So it'd be a bug if any cc.xml were accessible without Overall/Read permission.

Expand comment: Daniel Beck added a comment - 2018-01-18 09:22

Daniel Beck added a comment - 2018-01-18 09:22 It is not clear to me what this is even referring to. The option mentioned, AFAICT, is specific to github-oauth plugin. So it'd be a bug if any cc.xml were accessible without Overall/Read permission.

Load more newer events