
users unable to configure multibranch jobs without global Job/Build permission


      Description

      steps to recreate:

      1. create a folder
      2. enable folder based permissions
      3. add a user and grant all the available permissions
      4. create a multibranch job in the folder
      5. in branch source, choose gitlab.
      6. user gets the following error message between the "projects" section and the "Behaviours" section:
        ------------------------------
        Access Denied
        <username> is missing the Job/Build permission
        --------------------------------

       

       

      workaround:

      granting the user the Job/Build permission in "Configure Global Security" solves the problem, but this is a major breach in security.

       

      it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

            Activity

            amidar Amit Dar created issue -
            amidar Amit Dar made changes -
            Field Original Value New Value
            Attachment job-configuration-error.jpg [ 51323 ]
            Attachment folder-level-configuration.jpg [ 51324 ]
            Issue Type Improvement [ 4 ] Bug [ 1 ]
            amidar Amit Dar made changes -
            Attachment jenkins-log.txt [ 51325 ]
            amidar Amit Dar made changes -
            Environment gitlab server 12.10.0-ee
            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1
            amidar Amit Dar made changes -
            Environment gitlab server 12.10.0-ee
            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1
            multiple scms plugin 0.6
            amidar Amit Dar made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            amidar Amit Dar made changes -
            Status In Progress [ 3 ] Open [ 1 ]
            justinharringa Justin Harringa added a comment -

            Hey Amit Dar,

            What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?

            In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the Job DSL Plugin (https://plugins.jenkins.io/job-dsl/).

            Hope that helps.

            amidar Amit Dar added a comment - - edited

            Hi Justin Harringa,

            the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).

            If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the user is missing the Job/Build permission.

             

            once I give that user the Job/Build permission at the global level, he is able to create the job.

             

            IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.

            justinharringa Justin Harringa added a comment -

            Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions. 

             

            Hope you are well.

            amidar Amit Dar made changes -
            Summary users unable to create multibranch jobs without global Job/Build permission users unable to configure multibranch jobs without global Job/Build permission
            amidar Amit Dar added a comment - - edited

            Justin Harringa, I just updated the issue header from "create" to "configure".

             

            the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem). please notice that it is only relevant to multibranch pipeline jobs with gitlab project as source.

             

            meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.

            amidar Amit Dar made changes -
            amidar Amit Dar made changes -
            Attachment jenkins-plugins-installed.txt [ 51665 ]
            amidar Amit Dar added a comment -

            I have just reconstructed this error on my laptop, at home, using latest docker image. 

            attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins).

            I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.

            I created a folder called "some_folder" and granted the user called user all available permissions.

            I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).

            when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.

             

            please let me know if you still need more information. jenkins-plugins-installed.txt

             

            amidar Amit Dar made changes -
            Attachment folder-level-configuration.jpg [ 51324 ]
            amidar Amit Dar made changes -
            Attachment jenkins-log.txt [ 51325 ]
            amidar Amit Dar made changes -
            Attachment job-configuration-error.jpg [ 51323 ]
            amidar Amit Dar added a comment -

            while trying to create the multibranch pipeline, the following message appeared in the log console:

            o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission
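
A triage helper for the log line above, added here as an example and not part of the issue or the plugin: it extracts the item path, descriptor class and missing permission from `descriptorByName` denials and counts those raised inside a folder. The log shape is assumed from the single quoted line, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Shape of the log line quoted above: "While serving <url>: ...AccessDeniedException2:
# <user> is missing the <Group/Name> permission".
DENIED = re.compile(
    r"While serving (?P<url>\S+): hudson\.security\.AccessDeniedException2?: "
    r"(?P<user>.+?) is missing the (?P<perm>\S+/\S+) permission"
)

def parse_denial(line):
    """Return details of a descriptorByName access denial, or None for other lines."""
    m = DENIED.search(line)
    if not m:
        return None
    segs = [unquote(s) for s in urlsplit(m["url"]).path.split("/") if s]
    if "descriptorByName" not in segs:
        return None
    i = segs.index("descriptorByName")
    if len(segs) < i + 3:
        return None
    # Segments before descriptorByName identify the item whose form was open:
    # /job/<folder>/job/<child> -> "folder/child"; any other prefix is skipped.
    names, k = [], 0
    while k < i - 1:
        if segs[k] == "job":
            names.append(segs[k + 1])
            k += 2
        else:
            k += 1
    return {"user": m["user"], "permission": m["perm"], "item": "/".join(names),
            "descriptor": segs[i + 1], "method": segs[i + 2]}

def item_scoped_denials(lines):
    """Count denials hit while configuring an item inside a folder."""
    hits = Counter()
    for d in filter(None, map(parse_denial, lines)):
        if "/" in d["item"]:  # nested item, so folder-level grants may apply
            hits[(d["descriptor"], d["method"], d["permission"])] += 1
    return hits

PFX = "o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080"
EXC = ": hudson.security.AccessDeniedException2: "
GITLAB = "/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems"
SAMPLE = [
    # First entry reproduces the line from the comment above; the rest are constructed.
    PFX + "/job/some_folder/job/multibranch_pipeline" + GITLAB + EXC + "user is missing the Job/Build permission",
    PFX + "/job/some_folder/job/other_pipeline" + GITLAB + EXC + "user2 is missing the Job/Build permission",
    PFX + "/descriptorByName/example.Hypothetical/fillFooItems" + EXC + "user is missing the Overall/Administer permission",
    "INFO: Jenkins is fully up and running",
]

if __name__ == "__main__":
    for key, n in item_scoped_denials(SAMPLE).items():
        print(n, *key)
```

Each hit names a form-fill endpoint that refused a user working inside a folder; the log does not record folder-level grants, so compare the hits with the folder's permission matrix before widening any global permission.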

            amidar Amit Dar made changes -
            Environment gitlab server (www.gitlab.com)
            jenkins docker official image 2.222.4
            plugins and configuration attached as files.
            amidar Amit Dar made changes -
            Assignee Parichay Barpanda [ baymac ] Rick [ surenpi ]
            amidar Amit Dar added a comment -

            Rick, please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain...

            amidar Amit Dar made changes -
            Environment gitlab server (www.gitlab.com)
            jenkins docker official image 2.222.4 (occurs in 2.163.1 as well)
            plugins and configuration attached as files.
            amidar Amit Dar made changes -
            Environment gitlab server (www.gitlab.com)
            jenkins docker official image 2.222.4 (occurs in 2.263.1 as well)
            plugins and configuration attached as files.
            saku MARY Olivier added a comment -

            Hi there,

             

            Same problem for us. Any solution before fix ? I can't "open bar" for all users just for that..........

             

             

            seb_bdx Sébastien added a comment -

            Hi,

            Same problem. Does anyone have a solution?

            Thanks.

            mymarche Mikhail Marchenko added a comment -

            Hi,

            I tried to fix this issue. But I don't know anybody who can review my PR.

            mymarche Mikhail Marchenko made changes -
            Remote Link This issue links to "PR-156 (Web Link)" [ 26859 ]
            amidar Amit Dar added a comment -

            Mikhail Marchenko, can you provide a link to your PR?

            can you also provide an installable version of your fix so we can test it ourselves? 

            it would be greatly appreciated.

            mymarche Mikhail Marchenko made changes -
            Attachment gitlab-branch-source.hpi [ 55363 ]
            mymarche Mikhail Marchenko added a comment -

            Amit Dar, of course

            link PR-156

            And installable version: gitlab-branch-source.hpi

            amidar Amit Dar added a comment -

            Mikhail Marchenko, your fix is working as expected!

            please file the PR with the plugin maintainer ASAP.

             

            your effort is greatly appreciated!

             

            P.S. I didn't check ALL the plugin capabilities, so I guess anyone who's willing to add more tests is welcome.

            amidar Amit Dar added a comment -

            Rick, is there a way to speed up handling of this issue?

            didier_c Didier Crest added a comment -

            Hi,

             

            We tried the PR on our environment too. The bug is no longer present.

            Our security have to check the source code. But we hope the PR will be merged and a new version delivered.


              People

              Assignee:
              surenpi Rick
              Reporter:
              amidar Amit Dar
              Votes:
              2
              Watchers:
              7