Details
-
Type:
Bug
-
Status: Open (View Workflow)
-
Priority:
Critical
-
Resolution: Unresolved
-
Component/s: gitlab-branch-source-plugin
-
Labels:
-
Environment:gitlab server (www.gitlab.com)
jenkins docker official image 2.222.4 (occurs in 2.263.1 as well)
plugins and configuration attached as files.
-
Similar Issues:
Description
steps to recreate:
- create a folder
- enable folder based permissions
- add a user and grant all the available permissions
- create a multibranch job in the folder
- in branch source, choose gitlab.
- user gets the following error message between the "projects" section and the "Behaviours" section:
------------------------------
Access Denied
<username> is missing the Job/Build permission
--------------------------------
workaround:
granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.
it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.
Attachments
Issue Links
- links to
Activity
Amit Dar
created issue -
Amit Dar
made changes -
| Field | Original Value | New Value |
|---|---|---|
| Attachment | job-configuration-error.jpg [ 51323 ] | |
| Attachment | folder-level-configuration.jpg [ 51324 ] | |
| Issue Type | Improvement [ 4 ] | Bug [ 1 ] |
Amit Dar
made changes -
| Attachment | jenkins-log.txt [ 51325 ] |
Amit Dar
made changes -
| Environment |
jenkins server 2.222.3 folders plugin 6.12 matrix authorization plugin 2.6.1 matrix project plugin 1.14 gitlab branch source plugin 1.5.1 |
gitlab server 12.10.0-ee jenkins server 2.222.3 folders plugin 6.12 matrix authorization plugin 2.6.1 matrix project plugin 1.14 gitlab branch source plugin 1.5.1 |
Amit Dar
made changes -
| Description |
steps to recreate: # create a folder # enable folder based permissions # add a user and grant all the available permissions # create a multibranch job in the folder # in branch source, choose gitlab. # user gets the following error message between the "projects" section and the "Behaviours" section: ------------------------------ Access Denied <username> is missing the Job/Build permission -------------------------------- workaround: granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security. it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level. i'll provide the line from the log shortly. |
steps to recreate: # create a folder # enable folder based permissions # add a user and grant all the available permissions # create a multibranch job in the folder # in branch source, choose gitlab. # user gets the following error message between the "projects" section and the "Behaviours" section: ------------------------------ Access Denied <username> is missing the Job/Build permission -------------------------------- workaround: granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security. it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level. |
Amit Dar
made changes -
| Environment |
gitlab server 12.10.0-ee jenkins server 2.222.3 folders plugin 6.12 matrix authorization plugin 2.6.1 matrix project plugin 1.14 gitlab branch source plugin 1.5.1 |
gitlab server 12.10.0-ee jenkins server 2.222.3 folders plugin 6.12 matrix authorization plugin 2.6.1 matrix project plugin 1.14 gitlab branch source plugin 1.5.1 multiple scms plugin 0.6 |
Amit Dar
made changes -
| Status | Open [ 1 ] | In Progress [ 3 ] |
Amit Dar
made changes -
| Status | In Progress [ 3 ] | Open [ 1 ] |
Hi Justin Harringa,
the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).
If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.
once I give that user the Job/Build permission at the global level, he is able to create the job.
IMHO, the user should be able to manually create a job (any kind of job...) inside a folder if he has all the available permission on that folder.
Amit Dar
added a comment - - edited Hi Justin Harringa ,
the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).
If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.
once I give that user the Job/Build permission at the global level, he is able to create the job.
IMHO, the user should be able to manually create a job (any kind of job...) inside a folder if he has all the available permission on that folder. Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions.
Hope you are well.
Amit Dar
made changes -
| Summary | users unable to create multibranch jobs without global Job/Build permission | users unable to configure multibranch jobs without global Job/Build permission |
Justin Harringa, I just updated the issue header from "create" to "configure".
the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.
meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.
Amit Dar
added a comment - - edited Justin Harringa , I just updated the issue header from "create" to "configure".
the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.
meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour. Amit Dar
made changes -
| Attachment | creating a multibranch pipeline as the user.jpg [ 51657 ] | |
| Attachment | creating the multi branch pipeline as the user.jpg [ 51658 ] | |
| Attachment | gitlab server definition.jpg [ 51659 ] | |
| Attachment | jenkins root folder.jpg [ 51660 ] | |
| Attachment | jenkins security definition.jpg [ 51661 ] | |
| Attachment | jenkins user definition.jpg [ 51662 ] | |
| Attachment | some_folder configuration.jpg [ 51663 ] | |
| Attachment | uesr receive error message when creating gitlab project.jpg [ 51664 ] |
Amit Dar
made changes -
| Attachment | jenkins-plugins-installed.txt [ 51665 ] |
I have just reconstructed this error on my laptop, at home, using latest docker image.
attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins.
I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.
I created a folder called "some_folder" and granted the user called user all available permissions.
I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).
when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.
please let me know if you still need more information. 
jenkins-plugins-installed.txt
Amit Dar
added a comment - I have just reconstructed this error on my laptop, at home, using latest docker image.
attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins.
I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.
I created a folder called "some_folder" and granted the user called user all available permissions.
I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).
when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.
please let me know if you still need more information. jenkins-plugins-installed.txt
Amit Dar
made changes -
| Attachment | folder-level-configuration.jpg [ 51324 ] |
Amit Dar
made changes -
| Attachment | jenkins-log.txt [ 51325 ] |
Amit Dar
made changes -
| Attachment | job-configuration-error.jpg [ 51323 ] |
while trying to create the multibranch pipeline, the following message appeared in the log console:
o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission
Amit Dar
added a comment - while trying to create the multibranch pipeline, the following message appeared in the log console:
o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission Amit Dar
made changes -
| Environment |
gitlab server 12.10.0-ee jenkins server 2.222.3 folders plugin 6.12 matrix authorization plugin 2.6.1 matrix project plugin 1.14 gitlab branch source plugin 1.5.1 multiple scms plugin 0.6 |
gitlab server (www.gitlab.com) jenkins docker official image 2.222.4 plugins and configuration attached as files. |
Amit Dar
made changes -
| Assignee | Parichay Barpanda [ baymac ] | Rick [ surenpi ] |
Rick, please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain... 
Amit Dar
added a comment - Rick , please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain... Amit Dar
made changes -
| Environment |
gitlab server (www.gitlab.com) jenkins docker official image 2.222.4 plugins and configuration attached as files. |
gitlab server (www.gitlab.com)
jenkins docker official image 2.222.4 (occurs in 2.163.1 as well) plugins and configuration attached as files. |
Amit Dar
made changes -
| Environment |
gitlab server (www.gitlab.com)
jenkins docker official image 2.222.4 (occurs in 2.163.1 as well) plugins and configuration attached as files. |
gitlab server (www.gitlab.com)
jenkins docker official image 2.222.4 (occurs in 2.263.1 as well) plugins and configuration attached as files. |
Hi there,
Same problem for us. Any solution before fix ? I can't "open bar" for all users just for that..........
MARY Olivier
added a comment - Hi there,
Same problem for us. Any solution before fix ? I can't "open bar" for all users just for that..........
Hi,
Same problem. Does anyone have a solution?
Thanks.
Sébastien
added a comment - Hi,
Same problem. Does anyone have a solution?
Thanks. Hi,
i tied to fix this issue. But i don't know somebody who can review my PR.
Mikhail Marchenko
added a comment - Hi,
i tied to fix this issue. But i don't know somebody who can review my PR. Mikhail Marchenko
made changes -
| Remote Link | This issue links to "PR-156 (Web Link)" [ 26859 ] |
Mikhail Marchenko, can you provide a link to your PR?
can you also provide an installable version of your fix so we can test it ourselves?
it would be greatly appreciated.
Amit Dar
added a comment - Mikhail Marchenko , can you provide a link to your PR?
can you also provide an installable version of your fix so we can test it ourselves?
it would be greatly appreciated. Mikhail Marchenko
made changes -
| Attachment | gitlab-branch-source.hpi [ 55363 ] |
Mikhail Marchenko
added a comment - Amit Dar , of course
link PR-156
And installable version: gitlab-branch-source.hpi Mikhail Marchenko, your fix is working as expected!
please file the PR with the plugin maintainer ASAP.
your effort is greatly appreciated!
P.S. I didn't check ALL the plugin capabilities, so I guess anyone who's willing to add more tests is welcome.
Amit Dar
added a comment - Mikhail Marchenko , your fix is working as expected!
please file the PR with the plugin maintainer ASAP.
your effort is greatly appreciated!
P.S. I didn't check ALL the plugin capabilities, so I guess anyone who's willing to add more tests is welcome. Amit Dar
added a comment - Rick , is there a way to speed up handling of this issue? Hi,
We tried the PR on our environment too. The bug is no more present.
Our security have to check the source code. But we hope the PR will be merged and a new version delivered.
Hey Amit Dar,
What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?
In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin|https://plugins.jenkins.io/job-dsl/].
Hope that helps.