Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-52181

Use jenkins-cli to get console of a project requires user has Job/Build permission

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Minor Minor
    • cli
    • Jenkins ver. 2.107.3 on 4.1.12-112.14.13.el6uek.x86_64

      I have user emreporter which doesn't have build permission for job "EM Ops - OMS - MIGDC2 EM OMS Patch (Real Run)" but can read the build history of the job. So, from Jenkins UI, the user can check the job execution history and go into a execution for example #16 to get its information in console.

      However, when I am using CLI to get the console for latest job execution result, it reported error about the user is missing build permission.

      That is to say, the behavior of CLI is not same to UI.

      Here is the command result:
      + java -jar jenkins-cli.jar -s
      http://MyJenkinsServer:8080
      -http -auth emreporter:******** console 'EM Ops - OMS - MIGDC2 EM OMS Patch (Real Run)' -f

      ERROR: emreporter is missing the Job/Build permission
       

      Please see attached screenshot for the comparison result on both UI and CLI.

          [JENKINS-52181] Use jenkins-cli to get console of a project requires user has Job/Build permission

          Oleg Nenashev added a comment -

          It looks like a real defect/RFE. Item.READ should be enough in the current permission model.
          Generally a patch needed here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/cli/ConsoleCommand.java#L44
          This change was introduced in 2012 by the original commit (https://github.com/jenkinsci/jenkins/commit/63b6e0bc89c1a5885dd132329e3f149d58ad76bc), so it's not a regression.

          ericyu2018 It seems to be an easy patch. Would you be interested to propose a pull request for review?

          Oleg Nenashev added a comment - It looks like a real defect/RFE. Item.READ should be enough in the current permission model. Generally a patch needed here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/cli/ConsoleCommand.java#L44 This change was introduced in 2012 by the original commit ( https://github.com/jenkinsci/jenkins/commit/63b6e0bc89c1a5885dd132329e3f149d58ad76bc ), so it's not a regression. ericyu2018 It seems to be an easy patch. Would you be interested to propose a pull request for review?

          Eric Yu added a comment -

          Hi oleg_nenashev,

          Thanks for the guidance of issue fixing. I created PR: Fix JENKINS-52181 about permission issue when using cli to get console #3527. Could you please help to review?

          Thanks,

          Eric

          Eric Yu added a comment - Hi  oleg_nenashev , Thanks for the guidance of issue fixing. I created PR: Fix JENKINS-52181 about permission issue when using cli to get console #3527. Could you please help to review? Thanks, Eric

          Eric Yu added a comment -

          I see test case https://ci.jenkins.io/blue/organizations/jenkins/Core%2Fjenkins/detail/PR-3527/1/tests failed.

          Hi oleg_nenashev

          Could you please help to advise if the following test case in  test\src\test\java\hudson\cli\ConsoleCommandTest.java should be removed?

          @Test public void consoleShouldFailWithoutItemBuildPermission() throws Exception

          { j.createFreeStyleProject("aProject"); final CLICommandInvoker.Result result = command .authorizedTo(Jenkins.READ, Job.READ) .invokeWithArgs("aProject"); assertThat(result, failedWith(6)); assertThat(result, hasNoStandardOutput()); assertThat(result.stderr(), containsString("ERROR: user is missing the Job/Build permission")); }

          Thanks,

          Eric

          Eric Yu added a comment - I see test case https://ci.jenkins.io/blue/organizations/jenkins/Core%2Fjenkins/detail/PR-3527/1/tests  failed. Hi  oleg_nenashev ,  Could you please help to advise if the following test case in  test\src\test\java\hudson\cli\ConsoleCommandTest.java should be removed? @Test public void consoleShouldFailWithoutItemBuildPermission() throws Exception { j.createFreeStyleProject("aProject"); final CLICommandInvoker.Result result = command .authorizedTo(Jenkins.READ, Job.READ) .invokeWithArgs("aProject"); assertThat(result, failedWith(6)); assertThat(result, hasNoStandardOutput()); assertThat(result.stderr(), containsString("ERROR: user is missing the Job/Build permission")); } Thanks, Eric

          Oleg Nenashev added a comment -

          Removed - unlikely. But they could be somehow adjusted to verify the permissions
          I would recommend to get feedback from the reviewers first. Maybe there is a reason to keep it restricted which I am missing

          Oleg Nenashev added a comment - Removed - unlikely. But they could be somehow adjusted to verify the permissions I would recommend to get feedback from the reviewers first. Maybe there is a reason to keep it restricted which I am missing

          Eric Yu added a comment -

          I am new to this project. Could you please help to advise who to be added as reviewer and how to add it? In Jira or github?

          Thanks,

          Eric

           

          Eric Yu added a comment - I am new to this project. Could you please help to advise who to be added as reviewer and how to add it? In Jira or github? Thanks, Eric  

          Oleg Nenashev added a comment -

          ericyu2018 the pull request is fine, it may take few days to get a response. But no additional actions are required, thanks!

          Oleg Nenashev added a comment - ericyu2018 the pull request is fine, it may take few days to get a response. But no additional actions are required, thanks!

          Eric Yu added a comment -

          Thanks for your confirmation, oleg_nenashev.

          Eric Yu added a comment - Thanks for your confirmation, oleg_nenashev .

            ericyu2018 Eric Yu
            ericyu2018 Eric Yu
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: