
users unable to configure multibranch jobs without global Job/Build permission

      steps to recreate:

      1. create a folder
      2. enable folder based permissions
      3. add a user and grant all the available permissions
      4. create a multibranch job in the folder
      5. in branch source, choose gitlab.
      6. user gets the following error message between the "projects" section and the "Behaviours" section:
        ------------------------------
        Access Denied
        <username> is missing the Job/Build permission
        ------------------------------

      workaround:

      granting the user the Job/Build permission in "Configure Global Security" solves the problem, but this is a major breach in security.

      it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

          [JENKINS-62478] users unable to configure multibranch jobs without global Job/Build permission

          Amit Dar created issue -
          Amit Dar made changes -
          Attachment New: job-configuration-error.jpg [ 51323 ]
          Attachment New: folder-level-configuration.jpg [ 51324 ]
          Issue Type Original: Improvement [ 4 ] New: Bug [ 1 ]
          Amit Dar made changes -
          Attachment New: jenkins-log.txt [ 51325 ]
          Amit Dar made changes -
          Environment New: gitlab server 12.10.0-ee
          jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1
          multiple scms plugin 0.6
          Amit Dar made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Amit Dar made changes -
          Status Original: In Progress [ 3 ] New: Open [ 1 ]

          Justin Harringa added a comment -

          Hey amidar,

          What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?

          In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the Job DSL Plugin (https://plugins.jenkins.io/job-dsl/).

          Hope that helps.

          Amit Dar added a comment - edited

          Hi justinharringa,

          the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).

          If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the user is missing the Job/Build permission.

          once I give that user the Job/Build permission at the global level, he is able to create the job.

          IMHO, the user should be able to manually create a job (any kind of job...) inside a folder if he has all the available permissions on that folder.
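          A simplified model of the behaviour reported in this thread, added here as an illustration; it is not Jenkins or plugin code, and the page does not confirm the cause inside the plugin. It contrasts a permission check evaluated at the folder with the same check evaluated at the root, and lists what the global-grant workaround exposes. The `Scope` class, the helper names and the folder names `team-a` and `team-b` are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Scope:
    """One node in the item tree (root or folder) with its own grant table."""
    name: str
    parent: "Scope | None" = None
    grants: dict = field(default_factory=dict)  # user -> set of permission names

    def has_permission(self, user, perm):
        # Grants inherit downward, so walk from this scope up to the root.
        node = self
        while node is not None:
            if perm in node.grants.get(user, set()):
                return True
            node = node.parent
        return False


def check(scope, user, perm):
    """Return None when allowed, else an error string like the one in the report."""
    if scope.has_permission(user, perm):
        return None
    return f"{user} is missing the {perm} permission"


# Constructed sample tree: the reporter's folder (team-a) and an unrelated one (team-b).
root = Scope("root", grants={"devops6723": {"Overall/Read"}})
team_a = Scope("team-a", parent=root,
               grants={"devops6723": {"Job/Build", "Job/Configure", "Job/Create"}})
team_b = Scope("team-b", parent=root)


def scoped_check(user):
    """Check evaluated against the folder that holds the job being configured."""
    return check(team_a, user, "Job/Build")


def unscoped_check(user):
    """Same check evaluated against the root scope, ignoring folder grants."""
    return check(root, user, "Job/Build")


def workaround_exposure(user):
    """Scopes where the user can build once Job/Build is granted globally."""
    root.grants[user].add("Job/Build")
    try:
        return [s.name for s in (root, team_a, team_b)
                if s.has_permission(user, "Job/Build")]
    finally:
        root.grants[user].discard("Job/Build")  # restore the sample tree
```

          In this model the workaround extends Job/Build to `team-b`, a folder where the user was granted nothing, which is the exposure the reporter objects to.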

            mymarche Mikhail Marchenko
            amidar Amit Dar