• Bug
    • Resolution: Unresolved
    • Minor
    • credentials-plugin
    • Jenkins version: 2.414.2, Role-based plugin version: 689.v731678c3e0eb_, SSH Build Agents plugin version: 2.948.vb_8050d697fec

      I'm in the process of setting up agent roles with the role-based authorization strategy plugin.

      I set up the agent role below and assigned it to a user:

      A user given this role should be able to configure agents matching the specified pattern. The user is also given the following through global roles:

      The user is able to modify the jk-stg-stba-01 agent's configuration, but if the "Launch agents via SSH" launch method is selected, an access denied message is shown:

      Even though this message is displayed, the user's still able to modify the agent's configuration.

      This message is not displayed for admin users.

      I've replicated this bug in a fresh Jenkins instance, only installing the recommended plugins + role-based authorization and SSH Build Agents.

      Would it be possible for someone to look into this?

      Cheers

          [JENKINS-72727] Odd Interaction with SSH Build Agents plugin

          Daniel Beck added a comment -

          Looks like a bug in https://github.com/jenkinsci/ssh-agents-plugin/blob/7185b2291ee4a2ca3302d1e4d310e61f78efff2a/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L1320 (and probably elsewhere): This checks the permission globally, rather than the specific agent being configured.

          Although IIRC, agent creation may not have an agent context for the initial configuration. In that case, it's probably best to return FormValidation.ok() rather than a permission error. So this needs to handle a null @AncestorInPath Node (or Computer, unsure).

          Or, given the triviality of the form validation (at least this one), no permission check is needed.

          Markus Winter added a comment - - edited

          That's a bug in the SSH Build Agents plugin.

          In the check methods for valid input data they only check if the agent configure permission is set on the controller and not on the agent itself (here https://github.com/jenkinsci/ssh-agents-plugin/blob/7185b2291ee4a2ca3302d1e4d310e61f78efff2a/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L1300 but also in lines 1320 and 1330).

          Also https://github.com/jenkinsci/ssh-agents-plugin/blob/7185b2291ee4a2ca3302d1e4d310e61f78efff2a/src/main/java/hudson/plugins/sshslaves/verifiers/ManuallyProvidedKeyVerificationStrategy.java#L124

          That same behaviour should be visible when using matrix auth and setting the permissions there on an agent only.
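
The scoping discussed in the two comments above, sketched as an added example that is not part of the thread and not the SSH Build Agents plugin's own code. The class name, method names and message strings are hypothetical, and binding `Computer` (rather than `Node`) as the ancestor is an assumption the first comment itself leaves open; the code compiles against Jenkins core and Stapler.

```java
import hudson.model.Computer;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical form-validation methods; in a plugin they would sit on the launcher's Descriptor. */
public class ExampleLauncherChecks {

    // Pattern described in the comments: the permission is checked on the controller,
    // so a user who holds Agent/Configure only on matching agents is told access is denied.
    public FormValidation doCheckPortGlobal(@QueryParameter String value) {
        if (!Jenkins.get().hasPermission(Computer.CONFIGURE)) {
            return FormValidation.error("Access denied"); // constructed message text
        }
        return validatePort(value);
    }

    // Scoped variant: Stapler injects the Computer found in the request path,
    // or null when the form is rendered without an agent context.
    public FormValidation doCheckPort(@AncestorInPath Computer computer,
                                      @QueryParameter String value) {
        if (computer == null) {
            // Initial configuration of a new agent: no object to check against,
            // so return ok() rather than a permission error, as the comment suggests.
            return FormValidation.ok();
        }
        if (!computer.hasPermission(Computer.CONFIGURE)) {
            // Checked against the agent's own ACL, which is where per-agent
            // roles (role-strategy patterns, matrix auth on an agent) apply.
            return FormValidation.error("Access denied");
        }
        return validatePort(value);
    }

    // The validation itself only parses user input; it reads no Jenkins state.
    private static FormValidation validatePort(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Port is required");
        }
        try {
            int port = Integer.parseInt(value.trim());
            return (port >= 1 && port <= 65535)
                    ? FormValidation.ok()
                    : FormValidation.error("Port must be between 1 and 65535");
        } catch (NumberFormatException e) {
            return FormValidation.error("Port must be a number");
        }
    }
}
```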


            Unassigned Unassigned
            jsdemers JS