JENKINS-52015: Empty credentials dropdown when creating new agent


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: ssh-slaves-plugin
    • Labels:
      None
    • Environment:
      Jenkins 2.107.3
      matrix-auth 2.2
    • Released As:
      ssh-slave-1.29.0

      Description

      I want my users to create their own agents which should be fine granting the Agent/Create permission. Unfortunately the credentials dropdown (e.g. for SSH username/password) only works when the user has the global Agent/Configure permission (node-based security doesn't work) which would lead my users to be able to configure every agent in my installation.

      I may use node-based security without inheriting global permissions but that's no approach I would like to adopt.

            Activity

            danielbeck Daniel Beck added a comment -

            "node-based security doesn't work"

            Could you clarify what you mean?

            marcelbrueckner Marcel Brückner added a comment -

            On the node's configuration page one can "Enable node-based security". Even when a user is granted Agent/Configure permission during agent creation, the credentials dropdown stays empty after saving. User has global Credentials/Create and Credentials/View permission.

            danielbeck Daniel Beck added a comment -

            This is a bug in the SSH Slaves Plugin: it does not consider that non-ItemGroup contexts for permissions exist.

            https://github.com/jenkinsci/ssh-slaves-plugin/blob/8ba96d91dcf6f471a6faff5f9c4f37469e3d91c1/src/main/java/hudson/plugins/sshslaves/SSHLauncher.java#L1576

            Testing notes: Needs core 2.78 or newer so that Computer is a DescriptorByNameOwner.
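
One way a credentials fill method can cover both contexts discussed in this comment: the Jenkins root on the new-agent form and a Computer on an existing agent's page. This is an added example, not the plugin's code and not the change in the linked PR; the class name `ExampleLauncherDescriptor` is hypothetical, and the permission split (Agent/Create at the root, Agent/Configure on a Computer) is an assumption drawn from the report.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import com.cloudbees.plugins.credentials.common.StandardUsernameListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Computer;
import hudson.security.ACL;
import hudson.security.AccessControlled;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical class for illustration; in a plugin this method lives on the
// launcher's Descriptor so Stapler can call it to populate the dropdown.
public class ExampleLauncherDescriptor {

    public ListBoxModel doFillCredentialsIdItems(
            @AncestorInPath AccessControlled context,   // Jenkins root or a Computer
            @QueryParameter String credentialsId) {
        Jenkins jenkins = Jenkins.get();

        // Assumption: the new-agent form resolves to the Jenkins root, where
        // Agent/Create is the relevant permission; an existing agent's page
        // resolves to its Computer, where Agent/Configure may come from
        // node-based security rather than the global matrix.
        boolean allowed = (context == null || context == jenkins)
                ? jenkins.hasPermission(Computer.CREATE)
                : context.hasPermission(Computer.CONFIGURE);

        StandardUsernameListBoxModel items = new StandardUsernameListBoxModel();
        if (!allowed) {
            // Fail closed: expose no credential names, keep only the saved id
            // so re-submitting the form does not silently clear it.
            return items.includeCurrentValue(credentialsId);
        }
        return items
                .includeMatchingAs(ACL.SYSTEM, jenkins, StandardUsernameCredentials.class,
                        Collections.<DomainRequirement>emptyList(),
                        CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```

`ACL.SYSTEM` and this `includeMatchingAs` overload use the Acegi `Authentication` type, which matches the core versions named in this issue.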

            danielbeck Daniel Beck added a comment -

            PR attempting to fix this at https://github.com/jenkinsci/ssh-slaves-plugin/pull/88

            ace Adrian Vlad added a comment - - edited

            Is this PR going to fix "node-based security doesn't work"?

            I have the same problem: Jenkins version 2.121.3, SSH Slaves 1.28.1, Matrix Auth 2.3. I use Project-based Matrix Authorization Strategy and my configuration has no Agent permission set for any user. But a simple authenticated user can build jobs just fine on any node. I also tried to activate "Enable node-based security" in Node Properties, set it to "Do not inherit ..." and leave all the boxes unchecked. Again, an authenticated user can build jobs for that particular node without any problem.

            danielbeck Daniel Beck added a comment -

            "Again, an authenticated user can build jobs for that particular node without any problem."

            Agent/Build permission is checked on the queue item, not the user triggering the build (like Job/Build is).

            This means you need https://plugins.jenkins.io/authorize-project (or another implementation of QueueItemAuthenticator) to associate a user identity with a build, and then the permissions will be checked. By default, builds run as SYSTEM with full internal permissions.

            It might be more convenient to use something like Job Restrictions Plugin to implement this.


              People

              Assignee:
              ifernandezcalvo Ivan Fernandez Calvo
              Reporter:
              marcelbrueckner Marcel Brückner