Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-62478

users unable to configure multibranch jobs without global Job/Build permission

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      steps to recreate:

      1. create a folder
      2. enable folder based permissions
      3. add a user and grant all the available permissions
      4. create a multibranch job in the folder
      5. in branch source, choose gitlab.
      6. user gets the following error message between the "projects" section and the "Behaviours" section:
        ------------------------------
        Access Denied
        <username> is missing the Job/Build permission
        --------------------------------

       

       

      workaround:

      granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

       

      it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

        Attachments

          Activity

          Hide
          justinharringa Justin Harringa added a comment -

          Hey Amit Dar,

          What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?

          In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin|https://plugins.jenkins.io/job-dsl/].

          Hope that helps.

          Show
          justinharringa Justin Harringa added a comment - Hey Amit Dar , What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation? In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin| https://plugins.jenkins.io/job-dsl/ ]. Hope that helps.
          Hide
          amidar Amit Dar added a comment - - edited

          Hi Justin Harringa,

          the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).

          If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.

           

          once I give that user the Job/Build permission at the global level, he is able to create the job.

           

          IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.

          Show
          amidar Amit Dar added a comment - - edited Hi Justin Harringa , the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level). If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.   once I give that user the Job/Build permission at the global level, he is able to create the job.   IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.
          Hide
          justinharringa Justin Harringa added a comment -

          Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions. 

           

          Hope you are well.

          Show
          justinharringa Justin Harringa added a comment - Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions.    Hope you are well.
          Hide
          amidar Amit Dar added a comment - - edited

          Justin Harringa, I just updated the issue header from "create" to "configure".

           

          the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.

           

          meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.

          Show
          amidar Amit Dar added a comment - - edited Justin Harringa , I just updated the issue header from "create" to "configure".   the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.   meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.
          Hide
          amidar Amit Dar added a comment -

          I have just reconstructed this error on my laptop, at home, using latest docker image. 

          attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins.

          I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.

          I created a folder called "some_folder" and granted the user called user all available permissions.

          I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).

          when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.

           

          please let me know if you still need more information. jenkins-plugins-installed.txt

           

          Show
          amidar Amit Dar added a comment - I have just reconstructed this error on my laptop, at home, using latest docker image.  attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins. I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission. I created a folder called "some_folder" and granted the user called user all available permissions. I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined). when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.   please let me know if you still need more information. jenkins-plugins-installed.txt  
          Hide
          amidar Amit Dar added a comment -

          while trying to create the multibranch pipeline, the following message appeared in the log console:

          o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission

          Show
          amidar Amit Dar added a comment - while trying to create the multibranch pipeline, the following message appeared in the log console: o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission

            People

            Assignee:
            baymac Parichay Barpanda
            Reporter:
            amidar Amit Dar
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: