
Users with Manage Ownership permissions are unable to change Folder ownership from CLI/REST API

      This is a regression after the 0.12.0 security release. The plugin will reject Ownership Changes by XML submission from non-Admin users having the Manage Ownership Permission.

      Proposed fix:

      • OwnershipDescription readResolve() logic should consult with extension points to verify the required permission
      • Extension points and their implementations are extended to support the API
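
      The proposed fix, sketched as an added example (not the Ownership Plugin's code): a readResolve() check that asks an extension point which permission guards the target instead of always demanding Administer. All type, permission and method names are hypothetical, and Java serialization stands in for the XStream unmarshalling of a submitted config.xml.

```java
import java.io.*;
import java.util.*;

// Simplified model with hypothetical names; Java serialization stands in for XStream.
public class ReadResolveCheckDemo {
    enum Permission { ADMINISTER, MANAGE_ITEMS_OWNERSHIP, MANAGE_NODES_OWNERSHIP }
    enum Target { FOLDER, NODE, UNKNOWN }
    // Stand-in for the request context: who submits the configuration, and for what.
    record Caller(String name, Set<Permission> granted, Target target) {}
    static final ThreadLocal<Caller> CURRENT = new ThreadLocal<>();

    // Hypothetical extension point: each implementation names the permission for its target type.
    interface PermissionResolver { Optional<Permission> requiredFor(Target t); }
    static final List<PermissionResolver> RESOLVERS = List.of(
        t -> t == Target.FOLDER ? Optional.of(Permission.MANAGE_ITEMS_OWNERSHIP) : Optional.empty(),
        t -> t == Target.NODE ? Optional.of(Permission.MANAGE_NODES_OWNERSHIP) : Optional.empty());
    static boolean consultResolvers; // false: regressed check, true: proposed fix

    static class Ownership implements Serializable {
        private static final long serialVersionUID = 1L;
        final String owner;
        Ownership(String owner) { this.owner = owner; }

        // Invoked on every deserialization, so it guards submitted configurations too.
        private Object readResolve() throws ObjectStreamException {
            Caller c = CURRENT.get();
            if (c == null) return this; // no request context: trusted load from disk
            // Fail closed: if no resolver answers for the target, Administer is still required.
            Permission required = !consultResolvers ? Permission.ADMINISTER
                : RESOLVERS.stream().flatMap(r -> r.requiredFor(c.target()).stream())
                        .findFirst().orElse(Permission.ADMINISTER);
            if (!c.granted().contains(required) && !c.granted().contains(Permission.ADMINISTER)) {
                throw new InvalidObjectException(c.name() + " is missing " + required);
            }
            return this;
        }
    }

    // Deserializes the payload on behalf of the caller and reports the outcome.
    static String submit(Caller caller, byte[] payload) {
        CURRENT.set(caller);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return "accepted, owner=" + ((Ownership) in.readObject()).owner;
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        } finally {
            CURRENT.remove();
        }
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Ownership("alice")); // constructed sample payload
        }
        byte[] payload = buf.toByteArray();
        Set<Permission> items = EnumSet.of(Permission.MANAGE_ITEMS_OWNERSHIP);
        for (boolean fixed : new boolean[] {false, true}) {
            consultResolvers = fixed;
            for (Target t : Target.values()) {
                System.out.println((fixed ? "fixed " : "regressed ") + t + ": "
                        + submit(new Caller("bob", items, t), payload));
            }
        }
    }
}
```

      With the regressed check every submission from the non-admin caller is rejected; with the resolver consulted, only the folder submission is accepted, and targets the caller holds no matching permission for are still refused.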

          [JENKINS-49744] Users with Manage Ownership permissions are unable to change Folder ownership from CLI/REST API

          Oleg Nenashev created issue -
          Oleg Nenashev made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Filipe Rocha Nogueira made changes -
          Comment [ That is also occurring to me. The users cannot copy a job, but they can edit and create a new one.

          Ein Problem ist bei der Verarbeitung der Anfrage aufgetreten. Bitte suchen Sie in unserem Bug-Tracker nach bereits erstellten, ähnlichen Bug-Reports. Wenn es zu diesem Fehler bereits einen Bericht gibt, stimmen Sie bitte für ihn. Wenn Sie glauben, dass dies ein neues Problem ist, senden Sie uns bitte einen neuen Bug-Report. Achten Sie beim Verfassen eines Bug-Reports darauf, mindestens den vollständigen Stack-Trace, sowie die Versionen von Jenkins und relevanter Plugins mitzuteilen. Die Mailingliste für Jenkins-Nutzer könnte ebenfalls hilfreich sein, um das Problem zu verstehen.
          Stack-Trace
          java.io.InvalidObjectException: email@email.com fehlt das Recht „Allgemein/Administer“
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.throwIfMissingPermission(OwnershipDescription.java:429)
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.checkUnsecuredConfiguration(OwnershipDescription.java:422)
           at com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve(OwnershipDescription.java:378)
           at sun.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:498)
           at com.thoughtworks.xstream.converters.reflection.SerializationMethodInvoker.callReadResolve(SerializationMethodInvoker.java:66)
          Caused: com.thoughtworks.xstream.converters.reflection.ObjectAccessException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
           at com.thoughtworks.xstream.converters.reflection.SerializationMethodInvoker.callReadResolve(SerializationMethodInvoker.java:72)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:271)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
          Caused: com.thoughtworks.xstream.converters.ConversionException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:79)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:393)
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:331)
          Caused: jenkins.util.xstream.CriticalXStreamException: Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          ------------------------------- : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          ---- Debugging information ----
          message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          cause-exception : com.thoughtworks.xstream.converters.reflection.ObjectAccessException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          -------------------------------
          cause-exception : com.thoughtworks.xstream.converters.ConversionException
          cause-message : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“ : Could not call com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription.readResolve() : email@email.com fehlt das Recht „Allgemein/Administer“
          class : com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty
          required-type : com.synopsys.arc.jenkins.plugins.ownership.OwnershipDescription
          converter-type : hudson.util.RobustReflectionConverter
          path : /flow-definition/properties/com.synopsys.arc.jenkins.plugins.ownership.jobs.JobOwnerJobProperty/ownership
          line number : 98
          class[1] : hudson.util.CopyOnWriteList
          converter-type[1] : hudson.util.XStream2$AssociatedConverterImpl
          class[2] : org.jenkinsci.plugins.workflow.job.WorkflowJob
          version : not available
          -------------------------------
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:356)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:270)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
           at com.thoughtworks.xstream.converters.collections.AbstractCollectionConverter.readItem(AbstractCollectionConverter.java:71)
           at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:197)
           at hudson.util.CopyOnWriteList$ConverterImpl.unmarshal(CopyOnWriteList.java:176)
           at hudson.util.XStream2$AssociatedConverterImpl.unmarshal(XStream2.java:465)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at hudson.util.RobustReflectionConverter.unmarshalField(RobustReflectionConverter.java:393)
           at hudson.util.RobustReflectionConverter.doUnmarshal(RobustReflectionConverter.java:331)
           at hudson.util.RobustReflectionConverter.unmarshal(RobustReflectionConverter.java:270)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
           at com.thoughtworks.xstream.core.AbstractReferenceUnmarshaller.convert(AbstractReferenceUnmarshaller.java:65)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
           at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
           at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
           at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1189)
           at hudson.util.XStream2.unmarshal(XStream2.java:160)
           at hudson.util.XStream2.unmarshal(XStream2.java:131)
           at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1173)
           at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1053)
           at hudson.XmlFile.read(XmlFile.java:147)
          Caused: java.io.IOException: Unable to read /opt/ci/jobs/APPSfactory/jobs/Unity_Demo/jobs/Unity_Demo_4/config.xml
           at hudson.XmlFile.read(XmlFile.java:149)
           at hudson.model.Items.load(Items.java:371)
           at hudson.model.ItemGroupMixIn$3.call(ItemGroupMixIn.java:248)
           at hudson.model.ItemGroupMixIn$3.call(ItemGroupMixIn.java:246)
           at hudson.model.Items.whileUpdatingByXml(Items.java:135)
           at hudson.model.ItemGroupMixIn.copy(ItemGroupMixIn.java:246)
           at hudson.model.ItemGroupMixIn.createTopLevelItem(ItemGroupMixIn.java:186)
           at com.cloudbees.hudson.plugins.folder.Folder.doCreateItem(Folder.java:231)
           at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
           at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
           at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
           at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
           at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
           at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
           at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
           at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
           at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
           at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
           at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
           at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
           at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
           at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
           at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
           at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
           at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
           at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
           at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
           at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
           at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
           at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
           at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
           at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
           at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
           at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
           at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
           at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
           at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
           at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
           at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
           at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
           at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
           at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
           at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
           at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
           at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
           at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
           at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
           at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
           at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
           at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
           at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
           at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
           at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
           at org.eclipse.jetty.server.Server.handle(Server.java:564)
           at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
           at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
           at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
           at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
           at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
           at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
           at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
           at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
           at java.lang.Thread.run(Thread.java:748) ]
          Oleg Nenashev made changes -
          Link New: This issue is duplicated by JENKINS-50792 [ JENKINS-50792 ]
          Oleg Nenashev made changes -
          Link New: This issue is duplicated by JENKINS-49959 [ JENKINS-49959 ]
          Oleg Nenashev made changes -
          Remote Link New: This issue links to "https://github.com/jenkinsci/ownership-plugin/pull/73 (Web Link)" [ 20432 ]
          Oleg Nenashev made changes -
          Link New: This issue is blocked by JENKINS-50807 [ JENKINS-50807 ]
          Oleg Nenashev made changes -
          Summary Original: Users with Manage Ownership permissions are unable to change Foler ownership from CLI/REST API New: Users with Manage Ownership permissions are unable to change Folder ownership from CLI/REST API
          Oleg Nenashev made changes -
          Priority Original: Minor [ 4 ] New: Blocker [ 1 ]
          Oleg Nenashev made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]
          Oleg Nenashev made changes -
          Assignee Original: Oleg Nenashev [ oleg_nenashev ]
