Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-61902

"authenticated" group doesn't work with Authorize Project plugin

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Using Authorize Project plugin I have setting we have "Project Default build Authorization" set to "Run as User who Triggered Build".

      Then I have project roles letting particular users to run specific jobs. To allow said people to also build on the nodes I assign to them Slave role (see assign_roles.png). That Slave role is allowed to build on ".*" nodes (see manage_roles.png). But still when project is triggered from such a user, in the queue a message can be seen:

      > 'myusername' lacks permission to run on 'my-node-name-1'

      My workaround is to allow global Agent/Build permission to everybody but this is not ideal.

      Jenkins 2.190.3
      Authorize Project 1.3.0
      Role-based Authorization Strategy 2.13

        Attachments

          Activity

          Hide
          ikedam ikedam added a comment -

          Groups that a user is assigned depends on the security realm you use.
          I suppose the security realm you use doesn't assign "authenticated" group to the user when authorize-project queries the user.

          I could not reproduce the issue with built-in "Jenkins’ own user database" as it always assigns "authenticated" group to the user.

          I don't think it's a bug of the security realm as the query by the authorize-project plugin is independent from user's login process. The security realm can't say to authorized-project plugin whether the user is authenticated.
          I suppose "authenticated" group is always assigned for Web UI operations as Jenkins knows the user is actually authenticated.

          I won't fix this issue as managing actual permissions is out of the domain of authorize-project and managing permissions carelessly can easily cause security issues.

          Please instead create a new group for all Jenkins users and assign the role to that group.

          Show
          ikedam ikedam added a comment - Groups that a user is assigned depends on the security realm you use. I suppose the security realm you use doesn't assign "authenticated" group to the user when authorize-project queries the user. I could not reproduce the issue with built-in "Jenkins’ own user database" as it always assigns "authenticated" group to the user. I don't think it's a bug of the security realm as the query by the authorize-project plugin is independent from user's login process. The security realm can't say to authorized-project plugin whether the user is authenticated. I suppose "authenticated" group is always assigned for Web UI operations as Jenkins knows the user is actually authenticated. I won't fix this issue as managing actual permissions is out of the domain of authorize-project and managing permissions carelessly can easily cause security issues. Please instead create a new group for all Jenkins users and assign the role to that group.

            People

            Assignee:
            akostadinov akostadinov
            Reporter:
            akostadinov akostadinov
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: