
Input step submitter parameter is ignored for administrators

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major
    • Environment: Jenkins 2.151.0, Pipeline Input Step 2.9
    • pipeline-input-step-2.12

      I use the following snippet in my DSL pipeline

      operators = "ldapUserGroup"
      ChoiceParameterDefinition choice = new ChoiceParameterDefinition('continue', ['YES'] as String[], 'Description')
      returnValue = input message: 'DEPLOY ?', 
                          parameters: [choice], 
                          submitter: operators, 
                          submitterParameter: 'approver'
      

      I am not part of the ldapUserGroup thus I would expect the pipeline not to continue. However the pipeline continues anyway.

      07:39:05 Approved by Surname Lastname
      [Pipeline] }
      

      The same happens if I use a particular userID or list of userIDs rather than an ldapGroup

      operators = "userID0001,userID0002"
      ChoiceParameterDefinition choice = new ChoiceParameterDefinition('continue', ['YES'] as String[], 'Description')
      returnValue = input message: 'DEPLOY ?', 
                          parameters: [choice], 
                          submitter: operators, 
                          submitterParameter: 'approver'
      

          [JENKINS-56016] Input step submitter parameter is ignored for administrators

          papanito created issue -
          papanito made changes - Description (whitespace-only edit)

          papanito added a comment -

          Apparently, I as an administrator can answer the question. Other users, who are not administrators, are rejected when answering the question.

          Is this the expected behaviour? If yes, I did not see this in the documentation, thus it would be good to mention this behaviour.

          Omit Rathore added a comment - edited

          This is a very dangerous issue; teams relying on permission control with submitter are broken. We had to revert to 2.8.

          The ideal flow would be that only the user/team mentioned as submitter is allowed to proceed. It is a classical example of privilege escalation. It is a kind of security threat.

          It's fine to have this feature if submitter is not mentioned.

          Wadeck Follonier added a comment -

          It seems that's the expected behavior due to https://issues.jenkins-ci.org/browse/JENKINS-48998. If you're an admin, you bypass the regular check of submitter user/group.

          svanoort could you confirm?

          Devin Nusbaum added a comment -

          wfollonier Yes, based on JENKINS-48998 it looks like it is expected that an admin can approve any input step, and this makes sense because an admin could do this anyway by rewriting the Pipeline, and if they have RUN_SCRIPTS permission as well, directly approve it via the script console or other tricky things.

          I guess we could update help-submitter.html to mention this explicitly.

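          A defensive re-check a pipeline author can add, as an added example that is not from the issue or the plugin: because an administrator can approve the input regardless of `submitter`, the pipeline compares the user ID handed back through `submitterParameter` against its own allow-list before deploying. It assumes scripted Pipeline syntax and that `operators` holds user IDs rather than an LDAP group name; the variable and parameter names are the issue's own.

```groovy
import hudson.model.ChoiceParameterDefinition

// Added example, not from the issue or the plugin. Because an administrator can
// approve regardless of `submitter` (see JENKINS-48998), the pipeline re-checks the
// approver ID that `submitterParameter` hands back before continuing.
// Assumes `operators` holds user IDs; an LDAP group name cannot be matched this way.
def operators = 'userID0001,userID0002'
Set<String> allowed = operators.split(',').collect { it.trim() } as Set

ChoiceParameterDefinition choice = new ChoiceParameterDefinition('continue', ['YES'] as String[], 'Description')
def result = input message: 'DEPLOY ?',
                  parameters: [choice],
                  submitter: operators,
                  submitterParameter: 'approver'

// With parameters and submitterParameter both set, `input` returns a Map that
// carries the approver's user ID under the submitterParameter key.
String approver = result['approver']
if (!allowed.contains(approver)) {
    // Only an administrator bypassing the submitter check reaches this branch:
    // the unexpected approver is recorded in the build log and the build fails.
    error "Approval by '${approver}' is outside the submitter list ${allowed}; refusing to deploy"
}
echo "Approved by ${approver}; deploying"
```

          The check does not stop an administrator from editing the Pipeline itself, as the comment above notes; it makes an out-of-list approval visible in the build log and fails the build rather than silently deploying.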

          papanito added a comment -

          I've created a pull request: https://github.com/jenkinsci/pipeline-input-step-plugin/pull/39

          Omit Rathore added a comment -

          Is there any use case where a user who is not an Admin and also not in submitter can still approve the input step?

          Devin Nusbaum made changes -
          Summary: Original "Input Submitter parameter ignored"; New "Input step submitter parameter is ignored for administrators"
          Devin Nusbaum made changes -
          Remote Link: This issue links to "jenkinsci/pipeline-input-step-plugin#39 (Web Link)"
