- Bug
- Resolution: Unresolved
- Minor
- None
- Jenkins version: 2.414.2, Role-based plugin version: 689.v731678c3e0eb_, SSH Build Agents plugin version: 2.948.vb_8050d697fec
I'm in the process of setting up agent roles with the role-based authorization strategy plugin.
I set up the agent role below and assigned it to a user:
A user given this role should be able to configure agents matching the specified pattern. The user is also given the following through global roles:
The user is able to modify the jk-stg-stba-01 agent's configuration, but if the "Launch agents via SSH" launch method is selected, an access denied message is shown:
Even though this message is displayed, the user's still able to modify the agent's configuration.
This message is not displayed for admin users.
I've replicated this bug in a fresh Jenkins instance, only installing the recommended plugins + role-based authorization and SSH Build Agents.
Would it be possible for someone to look into this?
Cheers
Looks like a bug in https://github.com/jenkinsci/ssh-agents-plugin/blob/7185b2291ee4a2ca3302d1e4d310e61f78efff2a/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L1320 (and probably elsewhere): This checks the permission globally, rather than the specific agent being configured.
Although IIRC, agent creation may not have an agent context for the initial configuration. In that case, it's probably best to return FormValidation.ok() rather than a permission error. So this needs to handle a null @AncestorInPath Node (or Computer, unsure).
Or, given the triviality of the form validation (at least this one), no permission check is needed.
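One way to write the agent-scoped check suggested in the comment above, as an added example (not code from the SSH Build Agents plugin or from the commenter). The class name, the `port` field and the choice of `Computer` as the injected ancestor are assumptions; it compiles against Jenkins core and Stapler.

```java
import hudson.model.Computer;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical helper class, used here only to hold the example methods. */
public class AgentScopedCheckExample {

    /**
     * Form validation for a hypothetical "port" field.
     * Stapler injects the Computer found in the request's URL ancestry,
     * or null when there is none (assumed here to be the case while a
     * new agent is being created).
     */
    public FormValidation doCheckPort(@AncestorInPath Computer computer,
                                      @QueryParameter String value) {
        if (!mayValidate(computer)) {
            // Stay silent instead of reporting a permission error in the form.
            return FormValidation.ok();
        }
        return validatePort(value);
    }

    /** Checks the permission on the agent being configured, not globally. */
    static boolean mayValidate(Computer computer) {
        if (computer == null) {
            // No agent context: fall back to the permission to create agents.
            return Jenkins.get().hasPermission(Computer.CREATE);
        }
        // Agent context present: ask that agent's own ACL.
        return computer.hasPermission(Computer.CONFIGURE);
    }

    /** The validation itself touches no Jenkins state. */
    static FormValidation validatePort(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Port is required");
        }
        try {
            int port = Integer.parseInt(value.trim());
            return (port >= 1 && port <= 65535)
                    ? FormValidation.ok()
                    : FormValidation.error("Port must be between 1 and 65535");
        } catch (NumberFormatException e) {
            return FormValidation.error("Port must be a number");
        }
    }
}
```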