Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-62478

users unable to configure multibranch jobs without global Job/Build permission

    XMLWordPrintable

Details

    Description

      steps to recreate:

      1. create a folder
      2. enable folder based permissions
      3. add a user and grant all the available permissions
      4. create a multibranch job in the folder
      5. in branch source, choose gitlab.
      6. user gets the following error message between the "projects" section and the "Behaviours" section:
        ------------------------------
        Access Denied
        <username> is missing the Job/Build permission
        --------------------------------

       

       

      workaround:

      granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

       

      it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

      Attachments

        Issue Links

          Activity

            amidar Amit Dar created issue -
            amidar Amit Dar made changes -
            Field Original Value New Value
            Attachment job-configuration-error.jpg [ 51323 ]
            Attachment folder-level-configuration.jpg [ 51324 ]
            Issue Type Improvement [ 4 ] Bug [ 1 ]
            amidar Amit Dar made changes -
            Attachment jenkins-log.txt [ 51325 ]
            amidar Amit Dar made changes -
            Environment jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1
            gitlab server 12.10.0-ee

            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1



            amidar Amit Dar made changes -
            Description steps to recreate:
             # create a folder
             # enable folder based permissions
             # add a user and grant all the available permissions
             # create a multibranch job in the folder
             # in branch source, choose gitlab.
             # user gets the following error message between the "projects" section and the "Behaviours" section:
            ------------------------------
            Access Denied
            <username> is missing the Job/Build permission
            --------------------------------



             

             

            workaround:

            granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

             

            it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

            i'll provide the line from the log shortly.
            steps to recreate:
             # create a folder
             # enable folder based permissions
             # add a user and grant all the available permissions
             # create a multibranch job in the folder
             # in branch source, choose gitlab.
             # user gets the following error message between the "projects" section and the "Behaviours" section:
             ------------------------------
             Access Denied
             <username> is missing the Job/Build permission
             --------------------------------

             

             

            workaround:

            granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

             

            it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.
            amidar Amit Dar made changes -
            Environment gitlab server 12.10.0-ee

            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1



            gitlab server 12.10.0-ee

            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1
            multiple scms plugin 0.6



            amidar Amit Dar made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            amidar Amit Dar made changes -
            Status In Progress [ 3 ] Open [ 1 ]

            Hey amidar,

            What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?

            In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin|https://plugins.jenkins.io/job-dsl/].

            Hope that helps.

            justinharringa Justin Harringa added a comment - Hey amidar , What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation? In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin| https://plugins.jenkins.io/job-dsl/ ]. Hope that helps.
            amidar Amit Dar added a comment - - edited

            Hi justinharringa,

            the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).

            If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.

             

            once I give that user the Job/Build permission at the global level, he is able to create the job.

             

            IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.

            amidar Amit Dar added a comment - - edited Hi justinharringa , the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level). If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.   once I give that user the Job/Build permission at the global level, he is able to create the job.   IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.

            amidar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions. 

             

            Hope you are well.

            justinharringa Justin Harringa added a comment - amidar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions.    Hope you are well.
            amidar Amit Dar made changes -
            Summary users unable to create multibranch jobs without global Job/Build permission users unable to configure multibranch jobs without global Job/Build permission
            amidar Amit Dar added a comment - - edited

            justinharringa, I just updated the issue header from "create" to "configure".

             

            the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.

             

            meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.

            amidar Amit Dar added a comment - - edited justinharringa , I just updated the issue header from "create" to "configure".   the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.   meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.
            amidar Amit Dar made changes -
            amidar Amit Dar made changes -
            Attachment jenkins-plugins-installed.txt [ 51665 ]
            amidar Amit Dar added a comment -

            I have just reconstructed this error on my laptop, at home, using latest docker image. 

            attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins.

            I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.

            I created a folder called "some_folder" and granted the user called user all available permissions.

            I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).

            when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.

             

            please let me know if you still need more information. jenkins-plugins-installed.txt

             

            amidar Amit Dar added a comment - I have just reconstructed this error on my laptop, at home, using latest docker image.  attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins. I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission. I created a folder called "some_folder" and granted the user called user all available permissions. I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined). when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.   please let me know if you still need more information. jenkins-plugins-installed.txt  
            amidar Amit Dar made changes -
            Attachment folder-level-configuration.jpg [ 51324 ]
            amidar Amit Dar made changes -
            Attachment jenkins-log.txt [ 51325 ]
            amidar Amit Dar made changes -
            Attachment job-configuration-error.jpg [ 51323 ]
            amidar Amit Dar added a comment -

            while trying to create the multibranch pipeline, the following message appeared in the log console:

            o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission

            amidar Amit Dar added a comment - while trying to create the multibranch pipeline, the following message appeared in the log console: o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission
            amidar Amit Dar made changes -
            Environment gitlab server 12.10.0-ee

            jenkins server 2.222.3
            folders plugin 6.12
            matrix authorization plugin 2.6.1
            matrix project plugin 1.14
            gitlab branch source plugin 1.5.1
            multiple scms plugin 0.6



            gitlab server (www.gitlab.com)

            jenkins docker official image 2.222.4

            plugins and configuration attached as files.
            amidar Amit Dar made changes -
            Assignee Parichay Barpanda [ baymac ] Rick [ surenpi ]
            amidar Amit Dar added a comment -

            surenpi, please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain...

            amidar Amit Dar added a comment - surenpi , please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain...
            amidar Amit Dar made changes -
            Environment gitlab server (www.gitlab.com)

            jenkins docker official image 2.222.4

            plugins and configuration attached as files.
            gitlab server (www.gitlab.com)

            jenkins docker official image 2.222.4 (occurs in 2.163.1 as well)

            plugins and configuration attached as files.
            amidar Amit Dar made changes -
            Environment gitlab server (www.gitlab.com)

            jenkins docker official image 2.222.4 (occurs in 2.163.1 as well)

            plugins and configuration attached as files.
            gitlab server (www.gitlab.com)

            jenkins docker official image 2.222.4 (occurs in 2.263.1 as well)

            plugins and configuration attached as files.
            saku MARY Olivier added a comment -

            Hi there,

             

            Same problem for us. Any solution before fix ? I can't "open bar" for all users just for that..........

             

             

            saku MARY Olivier added a comment - Hi there,   Same problem for us. Any solution before fix ? I can't "open bar" for all users just for that..........    
            seb_bdx Sébastien added a comment -

            Hi,

            Same problem. Does anyone have a solution?

            Thanks.

            seb_bdx Sébastien added a comment - Hi, Same problem. Does anyone have a solution? Thanks.

            Hi,

            i tied to fix this issue. But i don't know somebody who can review my PR. 

            mymarche Mikhail Marchenko added a comment - Hi, i tied to fix this issue. But i don't know somebody who can review my PR. 
            mymarche Mikhail Marchenko made changes -
            Remote Link This issue links to "PR-156 (Web Link)" [ 26859 ]
            amidar Amit Dar added a comment -

            mymarche, can you provide a link to your PR?

            can you also provide an installable version of your fix so we can test it ourselves? 

            it would be greatly appreciated.

            amidar Amit Dar added a comment - mymarche , can you provide a link to your PR? can you also provide an installable version of your fix so we can test it ourselves?  it would be greatly appreciated.
            mymarche Mikhail Marchenko made changes -
            Attachment gitlab-branch-source.hpi [ 55363 ]

            amidar, of course

            link PR-156

            And installable version: gitlab-branch-source.hpi

            mymarche Mikhail Marchenko added a comment - amidar , of course link PR-156 And installable version:  gitlab-branch-source.hpi
            amidar Amit Dar added a comment -

            mymarche, your fix is working as expected!

            please file the PR with the plugin maintainer ASAP.

             

            your effort is greatly appreciated!

             

            P.S. I didn't check ALL the plugin capabilities, so I guess anyone who's willing to add more tests is welcome.

            amidar Amit Dar added a comment - mymarche , your fix is working as expected! please file the PR with the plugin maintainer ASAP.   your effort is greatly appreciated!   P.S. I didn't check ALL the plugin capabilities, so I guess anyone who's willing to add more tests is welcome.
            amidar Amit Dar added a comment -

            surenpi, is there a way to speed up handling of this issue?

            amidar Amit Dar added a comment - surenpi , is there a way to speed up handling of this issue?
            didier_c Didier Crest added a comment -

            Hi,

             

            We tried the PR on our environment too. The bug is no more present.

            Our security have to check the source code. But we hope the PR will be merged and a new version delivered.

            didier_c Didier Crest added a comment - Hi,   We tried the PR on our environment too. The bug is no more present. Our security have to check the source code. But we hope the PR will be merged and a new version delivered.
            mymarche Mikhail Marchenko added a comment - https://github.com/jenkinsci/gitlab-branch-source-plugin/pull/156
            mymarche Mikhail Marchenko made changes -
            Released As https://github.com/jenkinsci/gitlab-branch-source-plugin/releases/tag/625.v85cf3a_400cfe
            Assignee Rick [ surenpi ] Mikhail Marchenko [ mymarche ]
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Resolved [ 5 ]

            People

              mymarche Mikhail Marchenko
              amidar Amit Dar
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: