• github-oauth-0.31

      When updating to Jenkins 2.146 the "GitHub Committer Authorization strategy" no longer works.

      Users can log in but get granted no permissions at all.

      Downgrading to Jenkins 2.145 fixes the issue (but, due to the security advisories present, it isn't a good solution at all).

      Setting logging to FINEST shows the plugin "tries" to grant the correct permissions, but Jenkins does not seem to respect them.

          [JENKINS-54031] GitHub OAuth plugin fails with Jenkins 2.146

          AnneTheAgile added a comment (edited)

          jkmatt fyi, the upgrade guide referenced in the above PR against this ticket adds:

          As a workaround, it is possible to temporarily disable part of the security hardening by setting the Java system properties (https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties) `hudson.model.AbstractItem.skipPermissionCheck` and `hudson.model.Run.skipPermissionCheck` to `true`.

          Steph Gosling added a comment (edited)

          On Ubuntu 16.04 with 2.138.2 (as packaged by Canonical), setting the two properties does indeed appear to resolve it: non-admin-in-Jenkins GitHub users are able to browse projects and see console logs for builds.

          Daniel Beck added a comment -

          steph Thanks! Merged the doc update and will lower priority to reflect the presence of a workaround.


          Matt Friedman added a comment -

          Does setting those skip permission check options to true (re)introduce a security issue? Thank you. 


          Adam Lock added a comment -

          Any update on this? The workaround seems like it could become a concern.

          Keith Harvey added a comment -

          Any update on this? Thanks.

          Daniel Beck added a comment -

          Per today's security advisory, it is indeed not safe to apply the workaround that disables the additional permission check. Previously published documentation has been updated.

          https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

          https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-impacts-use-of-github-oauth-plugin

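A defender-side audit of the workaround retracted above, added here as an example and not code from the issue, the plugin or Jenkins: it flags a Jenkins launch configuration that still sets either `skipPermissionCheck` property to `true`, so instances that kept the old workaround after the advisory can be found. The sample JAVA_ARGS strings are constructed; the `/etc/default/jenkins` location and the `jenkins.war` process-name match are assumptions for Debian/Ubuntu packaging.

```shell
#!/bin/sh
# Audit helper (added example, not from the issue): report the two system
# properties that the retracted SECURITY-595 workaround set to true.

# Constructed samples of a JAVA_ARGS value as it might appear in
# /etc/default/jenkins (path assumed for Debian/Ubuntu packages).
SAMPLE_UNSAFE='-Djava.awt.headless=true -Dhudson.model.AbstractItem.skipPermissionCheck=true -Dhudson.model.Run.skipPermissionCheck=true'
SAMPLE_SAFE='-Djava.awt.headless=true -Xmx2g'

# Print every unsafe property found in the argument string $1.
# Returns 1 if at least one is set to true, 0 otherwise.
check_skip_permission_props() {
    found=0
    for prop in hudson.model.AbstractItem.skipPermissionCheck \
                hudson.model.Run.skipPermissionCheck; do
        # Pad with spaces so the match is bounded by whole arguments.
        case " $1 " in
            *" -D$prop=true "*)
                echo "UNSAFE: -D$prop=true is set (retracted SECURITY-595 workaround)"
                found=1 ;;
        esac
    done
    return $found
}

# Audit the live Jenkins process(es) on this host by reading their
# command lines from /proc (assumes Linux and a jenkins.war launch).
check_running_jenkins() {
    rc=0
    for pid in $(pgrep -f 'jenkins.war' 2>/dev/null); do
        args=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        check_skip_permission_props "$args" || rc=1
    done
    return $rc
}

# Stand-alone run: audit this host; exit status 1 means the workaround is active.
check_running_jenkins
```

Run it on the Jenkins host after the upgrade; a non-zero exit means the process was started with one of the properties and the launch configuration needs cleaning up.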

          Daniel Lo Nigro added a comment -

          Are there any workarounds that don't cause security issues?

          Sam Gleske added a comment -

          A few minutes ago I released 0.31 which includes https://github.com/jenkinsci/github-oauth-plugin/pull/103. This should be resolved. Please re-open if not.


          jeremy hochheiser added a comment -

          sag47 and doridian, this is still an issue all the way from 2.131.2 to LTS (2.164.2). We are stuck on 2.131.1 and unable to move forwards until this is resolved. Could you please revisit this issue?

            sag47 Sam Gleske
            doridian Mark Dietzer