JENKINS-49744

Users with Manage Ownership permissions are unable to change Folder ownership from CLI/REST API

      This is a regression after the 0.12.0 security release. The plugin will reject Ownership Changes by XML submission from non-Admin users having the Manage Ownership Permission.

      Proposed fix:

      • OwnershipDescription readResolve() logic should consult with extension points to verify the required permission
      • Extension points and their implementations are extended to support the API
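
A self-contained sketch of the proposed fix, added here as an illustration and not taken from the Ownership plugin: `readResolve()` asks pluggable resolvers which permission guards ownership for the item kind and falls back to Administer when none answers. All names (`PermissionResolver`, `Context`, `MANAGE_OWNERSHIP`, `consultResolvers`, the item kinds) are hypothetical, the users are constructed sample data, and Java serialization stands in for the XStream unmarshalling that invokes `readResolve()`.

```java
import java.io.*;
import java.util.*;

/** Added sketch; every name below is hypothetical, not the Ownership plugin's API. */
public class ReadResolvePermissionSketch {
    enum Permission { ADMINISTER, MANAGE_OWNERSHIP }

    /** Stand-in for an extension point: which permission guards ownership of an item kind. */
    interface PermissionResolver { Optional<Permission> requiredFor(String itemKind); }

    /** Stand-in for the request context: the submitting user and the item being configured. */
    static final class Context {
        static final ThreadLocal<Context> CURRENT = new ThreadLocal<>();
        final String user; final Set<Permission> granted; final String itemKind;
        Context(String user, Set<Permission> granted, String itemKind) {
            this.user = user; this.granted = granted; this.itemKind = itemKind;
        }
    }

    static final List<PermissionResolver> RESOLVERS = new ArrayList<>();
    static boolean consultResolvers = true; // false models the admin-only check

    static final class OwnershipDescription implements Serializable {
        private static final long serialVersionUID = 1L;
        final String primaryOwnerId;
        OwnershipDescription(String primaryOwnerId) { this.primaryOwnerId = primaryOwnerId; }

        /** Called by the deserializer for every instance, so a direct XML/API submission cannot skip it. */
        private Object readResolve() throws ObjectStreamException {
            Context ctx = Context.CURRENT.get();
            if (ctx == null) return this; // assumption: no request context means a system load from disk
            Permission required = Permission.ADMINISTER; // fail closed when no resolver answers
            if (consultResolvers) {
                for (PermissionResolver r : RESOLVERS) {
                    Optional<Permission> p = r.requiredFor(ctx.itemKind);
                    if (p.isPresent()) { required = p.get(); break; }
                }
            }
            boolean allowed = ctx.granted.contains(Permission.ADMINISTER) || ctx.granted.contains(required);
            if (!allowed) {
                throw new InvalidObjectException(ctx.user + " is missing the " + required + " permission");
            }
            return this;
        }
    }

    /** Deserializes a locally built payload as the given user; Java serialization stands in for XStream. */
    static String submit(Context ctx, byte[] payload) throws Exception {
        Context.CURRENT.set(ctx);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.readObject();
            return "accepted";
        } catch (InvalidObjectException e) {
            return "rejected: " + e.getMessage();
        } finally {
            Context.CURRENT.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        RESOLVERS.add(kind -> kind.equals("folder") || kind.equals("job")
                ? Optional.of(Permission.MANAGE_OWNERSHIP) : Optional.empty());
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new OwnershipDescription("alice")); // constructed sample data
        }
        byte[] payload = buf.toByteArray();
        Set<Permission> manage = EnumSet.of(Permission.MANAGE_OWNERSHIP);

        consultResolvers = false;
        System.out.println("admin-only, alice/folder: " + submit(new Context("alice", manage, "folder"), payload));
        consultResolvers = true;
        System.out.println("resolved,   alice/folder: " + submit(new Context("alice", manage, "folder"), payload));
        System.out.println("resolved,   alice/node:   " + submit(new Context("alice", manage, "node"), payload));
        System.out.println("resolved,   bob/folder:   "
                + submit(new Context("bob", EnumSet.noneOf(Permission.class), "folder"), payload));
    }
}
```

The first call reproduces the rejection reported in this issue; with resolvers consulted, the same user is accepted for a folder, while an item kind no resolver knows and a user without the permission are still rejected.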


          Oleg Nenashev created issue -

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Oleg Nenashev
          Path:
          CHANGELOG.md
          http://jenkins-ci.org/commit/ownership-plugin/5829e72f07434090286933830c0056dc99db7309
          Log:
          Changelog: Noting 0.12.0 with SECURITY-498 fix and the JENKINS-49744 regression

          Andrew Barnish added a comment -

          We are seeing the same problem when copying a job using the Jenkins web interface, as we get a stack trace for users who have manage ownership but no admin permission.
          The stacktrace includes messages like:

          Caused: com.thoughtworks.xstream.converters.reflection.ObjectAccessException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : <USER> is missing the Overall/Administer permission

          I can provide the full stacktrace if necessary.

          Oleg Nenashev made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Oleg Nenashev added a comment -

          will try to ship it


          Devin Nusbaum added a comment -

          barnish To confirm, you are only seeing the error when users attempt to configure folders, but not jobs or nodes, right?


          Andrew Barnish added a comment -

          It happens when copying a job (within a folder) to a new job in a folder.
          The new job gets created but the configuration is not copied over correctly.

          It is not preventing users from configuring existing jobs. We have not tried node configuration.

          Filipe Rocha Nogueira made changes -
          Comment [ That is also occurring to me. The users cannot copy a job, but they can edit and create a new one.

          A problem occurred while processing the request. Please search our bug tracker for similar bug reports that have already been filed. If a report already exists for this error, please vote for it. If you believe this is a new problem, please send us a new bug report. When writing a bug report, make sure to include at least the full stack trace as well as the versions of Jenkins and the relevant plugins. The mailing list for Jenkins users may also be helpful in understanding the problem.
          Stack-Trace
          java.io.InvalidObjectException: email@email.com fehlt das Recht „Allgemein/Administer“
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.throwIfMissingPermission(OwnershipDescription.java:429)
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.checkUnsecuredConfiguration(OwnershipDescription.java:422)
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve(OwnershipDescription.java:378)
           at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at com.thoughtworks.xstream.converters.reflection.SerializationMethodInvoker.callReadResolve(SerializationMethodInvoker.java:66)
          Caused: com.thoughtworks.xstream.converters.reflection.ObjectAccessException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
           at com.thoughtworks.xstream.converters.reflection.SerializationMethodInvoker.callReadResolve(SerializationMethodInvoker.java:72)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:271)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
          Caused: com.thoughtworks.xstream.converters.ConversionException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:393)
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:331)
          Caused: jenkins.util.xstream.CriticalXStreamException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          ------------------------------- : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
          cause-exception : com.thoughtworks.xstream.converters.ConversionException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          class[1] : hudson.util.CopyOnWriteList
          converter-type[1] : hudson.util.XStream2$AssociatedConverterImpl
          class[2] : org.jenkinsci.plugins.workflow.job.WorkflowJob
          version : not available
          -------------------------------
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:356)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:270)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
           at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:71)
           at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:197)
           at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:176)
           at hudson.util.XStream2$AssociatedConverterImpl.unmarshal(XStream2.java:465)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:393)
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:331)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:270)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
           at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
           at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1189)
           at hudson.util.XStream2.unmarshal(XStream2.java:160)
           at hudson.util.XStream2.unmarshal(XStream2.java:131)
           at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1173)
           at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1053)
           at hudson.XmlFile.read(XmlFile.java:147)
          Caused: java.io.IOException: Unable to read /opt/ci/jobs/APPSfactory/jobs/Unity_Demo/jobs/Unity_Demo_4/config.xml
           at hudson.XmlFile.read(XmlFile.java:149)
           at hudson.model.Items.load(Items.java:371)
           at hudson.model.ItemGroupMixIn$3.call(ItemGroupMixIn.java:248)
           at hudson.model.ItemGroupMixIn$3.call(ItemGroupMixIn.java:246)
           at hudson.model.Items.whileUpdatingByXml(Items.java:135)
           at hudson.model.ItemGroupMixIn.copy(ItemGroupMixIn.java:246)
           at hudson.model.ItemGroupMixIn.createTopLevelItem(ItemGroupMixIn.java:186)
           at com.cloudbees.hudson.plugins.folder.Folder.doCreateItem(Folder.java:231)
           at java.lang.Thread.run(Thread.java:748) ]

          Filipe Rocha Nogueira added a comment -

          I have the same problem when copying a job to a new job.

          Alexander Ukhanov added a comment -

          Same problem with copying job from web-interface
