Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-62478

users unable to configure multibranch jobs without global Job/Build permission

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      steps to recreate:

      1. create a folder
      2. enable folder based permissions
      3. add a user and grant all the available permissions
      4. create a multibranch job in the folder
      5. in branch source, choose gitlab.
      6. user gets the following error message between the "projects" section and the "Behaviours" section:
        ------------------------------
        Access Denied
        <username> is missing the Job/Build permission
        --------------------------------

       

       

      workaround:

      granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

       

      it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

        Attachments

          Activity

          amidar Amit Dar created issue -
          amidar Amit Dar made changes -
          Field Original Value New Value
          Attachment job-configuration-error.jpg [ 51323 ]
          Attachment folder-level-configuration.jpg [ 51324 ]
          Issue Type Improvement [ 4 ] Bug [ 1 ]
          amidar Amit Dar made changes -
          Attachment jenkins-log.txt [ 51325 ]
          amidar Amit Dar made changes -
          Environment jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1
          gitlab server 12.10.0-ee

          jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1



          amidar Amit Dar made changes -
          Description steps to recreate:
           # create a folder
           # enable folder based permissions
           # add a user and grant all the available permissions
           # create a multibranch job in the folder
           # in branch source, choose gitlab.
           # user gets the following error message between the "projects" section and the "Behaviours" section:
          ------------------------------
          Access Denied
          <username> is missing the Job/Build permission
          --------------------------------



           

           

          workaround:

          granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

           

          it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.

          i'll provide the line from the log shortly.
          steps to recreate:
           # create a folder
           # enable folder based permissions
           # add a user and grant all the available permissions
           # create a multibranch job in the folder
           # in branch source, choose gitlab.
           # user gets the following error message between the "projects" section and the "Behaviours" section:
           ------------------------------
           Access Denied
           <username> is missing the Job/Build permission
           --------------------------------

           

           

          workaround:

          granting the user the Job/Build permission in "Configure Global Security " solves the problem, but this is major breach in security.

           

          it appears as if the plugin doesn't take into account the permissions granted to the user at the folder level.
          amidar Amit Dar made changes -
          Environment gitlab server 12.10.0-ee

          jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1



          gitlab server 12.10.0-ee

          jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1
          multiple scms plugin 0.6



          amidar Amit Dar made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          amidar Amit Dar made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          Hide
          justinharringa Justin Harringa added a comment -

          Hey Amit Dar,

          What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation?

          In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin|https://plugins.jenkins.io/job-dsl/].

          Hope that helps.

          Show
          justinharringa Justin Harringa added a comment - Hey Amit Dar , What is the expected behavior that you would like to see? Perhaps you could describe the ideal situation? In order to actually create a job, a user will need more privileges than Job/Build (Job/Configure). Job/Build will just let users kick off a build. If you're trying to set up an org you might take a look at the [Job DSL Plugin| https://plugins.jenkins.io/job-dsl/ ]. Hope that helps.
          Hide
          amidar Amit Dar added a comment - - edited

          Hi Justin Harringa,

          the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level).

          If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.

           

          once I give that user the Job/Build permission at the global level, he is able to create the job.

           

          IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.

          Show
          amidar Amit Dar added a comment - - edited Hi Justin Harringa , the expected behavior I would like to see is the ability to create the job when a user has all the permissions available - locally (meaning, at the folder level). If you take a look at the images I added to the issue, you see that the user (named devops6723) has all the available permissions at the folder level, but is unable to create a job since the plugin is reporting the usre is missing the Job/Build permission.   once I give that user the Job/Build permission at the global level, he is able to create the job.   IMHO, the user should be able to manually create a job  (any kind of job...) inside a folder if he has all the available permission on that folder.
          Hide
          justinharringa Justin Harringa added a comment -

          Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions. 

           

          Hope you are well.

          Show
          justinharringa Justin Harringa added a comment - Amit Dar - are you trying to create these under one of the multi-branch folders or are you creating a regular folder and then trying to put jobs in it? If this is a regular folder and you can't put any kind of job into it, it seems like this may be an issue with how the Folders plugin or a plugin it uses would resolve permissions.    Hope you are well.
          amidar Amit Dar made changes -
          Summary users unable to create multibranch jobs without global Job/Build permission users unable to configure multibranch jobs without global Job/Build permission
          Hide
          amidar Amit Dar added a comment - - edited

          Justin Harringa, I just updated the issue header from "create" to "configure".

           

          the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.

           

          meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.

          Show
          amidar Amit Dar added a comment - - edited Justin Harringa , I just updated the issue header from "create" to "configure".   the multibranch pipeline job (or should I actually say - folder) is actually created, but the user is unable to configure it properly (the image I attached shows the problem. please notice that it is only relevant to multi branch pipeline line jobs with gitlab project as source.   meanwhile, we updated jenkins to 2.222.4, no change here - same behaviour.
          amidar Amit Dar made changes -
          amidar Amit Dar made changes -
          Attachment jenkins-plugins-installed.txt [ 51665 ]
          Hide
          amidar Amit Dar added a comment -

          I have just reconstructed this error on my laptop, at home, using latest docker image. 

          attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins.

          I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission.

          I created a folder called "some_folder" and granted the user called user all available permissions.

          I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined).

          when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.

           

          please let me know if you still need more information. jenkins-plugins-installed.txt

           

          Show
          amidar Amit Dar added a comment - I have just reconstructed this error on my laptop, at home, using latest docker image.  attached are all the images and the plugins list I have installed (most important are the folders plugin, project matrix plugin, gitlab branch source and multibranch pipeline plugins. I have a user called admin, which has the admin permission, and another user, called "user" with overall/read permission. I created a folder called "some_folder" and granted the user called user all available permissions. I defined a gitlab server (pointing to the real gitlab server, but that doesn't matter, all that matters is that at least one server will be defined). when the user called "user" is trying to create a multibranch pipeline with gitlab project as the branch source, the problem appears.   please let me know if you still need more information. jenkins-plugins-installed.txt  
          amidar Amit Dar made changes -
          Attachment folder-level-configuration.jpg [ 51324 ]
          amidar Amit Dar made changes -
          Attachment jenkins-log.txt [ 51325 ]
          amidar Amit Dar made changes -
          Attachment job-configuration-error.jpg [ 51323 ]
          Hide
          amidar Amit Dar added a comment -

          while trying to create the multibranch pipeline, the following message appeared in the log console:

          o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission

          Show
          amidar Amit Dar added a comment - while trying to create the multibranch pipeline, the following message appeared in the log console: o.e.j.s.h.ContextHandler$Context#log: While serving http://localhost:8080/job/some_folder/job/multibranch_pipeline/descriptorByName/io.jenkins.plugins.gitlabbranchsource.GitLabSCMSource/fillProjectPathItems: hudson.security.AccessDeniedException2: user is missing the Job/Build permission
          amidar Amit Dar made changes -
          Environment gitlab server 12.10.0-ee

          jenkins server 2.222.3
          folders plugin 6.12
          matrix authorization plugin 2.6.1
          matrix project plugin 1.14
          gitlab branch source plugin 1.5.1
          multiple scms plugin 0.6



          gitlab server (www.gitlab.com)

          jenkins docker official image 2.222.4

          plugins and configuration attached as files.
          amidar Amit Dar made changes -
          Assignee Parichay Barpanda [ baymac ] Rick [ surenpi ]
          Hide
          amidar Amit Dar added a comment -

          Rick, please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain...

          Show
          amidar Amit Dar added a comment - Rick , please take a look at this issue, it includes simple reconstruction instructions, and is causing us a lot of pain...
          amidar Amit Dar made changes -
          Environment gitlab server (www.gitlab.com)

          jenkins docker official image 2.222.4

          plugins and configuration attached as files.
          gitlab server (www.gitlab.com)

          jenkins docker official image 2.222.4 (occurs in 2.163.1 as well)

          plugins and configuration attached as files.
          amidar Amit Dar made changes -
          Environment gitlab server (www.gitlab.com)

          jenkins docker official image 2.222.4 (occurs in 2.163.1 as well)

          plugins and configuration attached as files.
          gitlab server (www.gitlab.com)

          jenkins docker official image 2.222.4 (occurs in 2.263.1 as well)

          plugins and configuration attached as files.

            People

            Assignee:
            surenpi Rick
            Reporter:
            amidar Amit Dar
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: