[JIRA] (JENKINS-42509) authenticated team members should have read/build permissions when using Github Committer Authorization Strategy


andrew.george.hammond@gmail.com (JIRA)

Mar 6, 2017, 12:27:01 PM
to jenkinsc...@googlegroups.com
Andrew Hammond created an issue
 
Jenkins / Bug JENKINS-42509
authenticated team members should have read/build permissions when using Github Committer Authorization Strategy
Issue Type: Bug
Assignee: Sam Gleske
Components: github-oauth-plugin
Created: 2017/Mar/06 5:26 PM
Environment: Jenkins v 2.32.3 via jenkins:alpine docker container
Github Authentication Plugin v 0.25
Priority: Major
Reporter: Andrew Hammond

I have github oauth plugin connected to a team at github. I have GitHub Committer Authorization Strategy enabled. Admin users work correctly, but non-admin users receive an "Access Denied foo is missing the Overall/Read permission".

I do not want to enable Read to All Authenticated Users. I want members of the organization to be able to READ and BUILD, exactly like Github Committer Authorization Strategy describes.

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

andrew.george.hammond@gmail.com (JIRA)

Mar 6, 2017, 1:27:03 PM
to jenkinsc...@googlegroups.com
Andrew Hammond commented on Bug JENKINS-42509
 
Re: authenticated team members should have read/build permissions when using Github Committer Authorization Strategy

I found the following snippet of docs related to matrix based authentication:

"organization - give permissions to every user that belongs to a specific GitHub organization. You have to be a public member of the organization for the authorization to work correctly."

Does this mean that team members will have to be public members of the organization in order to have access?

andrew.george.hammond@gmail.com (JIRA)

Mar 8, 2017, 9:04:01 PM
to jenkinsc...@googlegroups.com

sam.mxracer@gmail.com (JIRA)

Mar 9, 2017, 6:31:02 PM
to jenkinsc...@googlegroups.com

Hi Andrew, the GitHub committer authorization strategy is not very good.  I personally don't use it at all.  I use matrix authentication based strategies instead (I updated the wiki to document them).  Other than that, there's a definite need to overhaul the GitHub committer based authorization strategy.

You're welcome to contribute a fix.  I'm currently looking to the matrix authorization plugin to possibly support authorization akin to it.  I'd prefer a user to define what permissions a Jenkins user would have via a matrix based on their role in the repository and organization.

andrew.george.hammond@gmail.com (JIRA)

Mar 12, 2017, 4:47:02 PM
to jenkinsc...@googlegroups.com

Sounds like a reasonable solution. Maybe you want to remove the github committer authorization strategy from the code since it is "not very good" and point people at the matrix, which looks like it might be a better all around solution.

andrew.george.hammond@gmail.com (JIRA)

Mar 13, 2017, 11:49:01 AM
to jenkinsc...@googlegroups.com

Ok, I added matrix-auth plugin and now have a working, maybe even elegant solution. Thanks for the pointer!!!

scm_issue_link@java.net (JIRA)

Feb 18, 2018, 1:06:02 AM
to jenkinsc...@googlegroups.com

Code changed in jenkins
User: Christopher Williams
Path:
src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
src/main/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACL.java
src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
src/test/java/org/jenkinsci/plugins/GithubRequireOrganizationMembershipACLTest.java
src/test/java/org/jenkinsci/plugins/GithubSecurityRealmTest.java
http://jenkins-ci.org/commit/github-oauth-plugin/7a4539f8c6f245b83c78b61acb3c94bfe43652b5
Log:
JENKINS-42509 authenticated team members should have read/build (#91)

  • JENKINS-42509 authenticated team members should have read/build permissions when using Github Committer Authorization Strategy
    On private repositories of which the user is not an owner, not a member of the owning organization - check for admin/push/pull permissions on the repository to determine permissions on the Jenkins item.
  • Use a cache for loading repositories.
  • Guard against even trying to load repositories unless we have either the "repo" or "public_repo" oauth scopes.
  • Add "repo" to the default set of oauth scopes requested.
  • Add a wrapper POJO for storing GHRepository rights per-user in our cache. Make the repo cache an instance cache since it's specific to a user. Remove a couple unnecessary final designations on method parameters.
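
The scope guard, per-user repository cache and admin/push/pull check described in the commit log above, as an added example that is not the plugin's own code. All class and method names are hypothetical, the mapping of pull/push/admin to READ/BUILD/CONFIGURE is an assumption, and the sample repositories are constructed (Java 16+ for records).

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class RepoRightsExample {
    enum Perm { READ, BUILD, CONFIGURE }

    // Rights GitHub reports for one repository; hypothetical wrapper type.
    record RepoRights(boolean admin, boolean push, boolean pull) {}

    // Stand-in for the GitHub API call; returns null if the repo is not visible.
    interface RepoLookup { RepoRights fetch(String fullName); }

    // One instance per authenticated user, so cached rights are never shared.
    static class UserToken {
        private final Set<String> scopes;
        private final RepoLookup lookup;
        private final Map<String, Optional<RepoRights>> cache = new ConcurrentHashMap<>();

        UserToken(Set<String> scopes, RepoLookup lookup) { this.scopes = scopes; this.lookup = lookup; }

        Set<Perm> permissionsOn(String fullName) {
            // Guard: without "repo" or "public_repo", never try to load repositories.
            if (!scopes.contains("repo") && !scopes.contains("public_repo")) return EnumSet.noneOf(Perm.class);
            RepoRights r = cache
                .computeIfAbsent(fullName, n -> Optional.ofNullable(lookup.fetch(n)))
                .orElse(null);
            Set<Perm> granted = EnumSet.noneOf(Perm.class);
            if (r == null) return granted; // unknown or invisible repo: deny by default
            // Assumed mapping: pull -> READ, push -> BUILD, admin -> CONFIGURE.
            if (r.admin() || r.push() || r.pull()) granted.add(Perm.READ);
            if (r.admin() || r.push()) granted.add(Perm.BUILD);
            if (r.admin()) granted.add(Perm.CONFIGURE);
            return granted;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data, not real repositories.
        Map<String, RepoRights> github = Map.of(
            "acme/private-app", new RepoRights(false, true, true),
            "acme/docs", new RepoRights(false, false, true));
        UserToken scoped = new UserToken(Set.of("read:org", "repo"), github::get);
        UserToken unscoped = new UserToken(Set.of("read:org"), github::get);
        System.out.println(scoped.permissionsOn("acme/private-app"));
        System.out.println(scoped.permissionsOn("acme/docs"));
        System.out.println(scoped.permissionsOn("acme/unknown"));
        System.out.println(unscoped.permissionsOn("acme/private-app"));
    }
}
```

The token without a repository scope is denied before any lookup happens, and a repository the lookup cannot see yields an empty permission set rather than a default grant.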

sam.mxracer@gmail.com (JIRA)

Feb 18, 2018, 3:12:02 PM
to jenkinsc...@googlegroups.com

ojacques2@gmail.com (JIRA)

Mar 14, 2018, 5:37:02 AM
to jenkinsc...@googlegroups.com

julien.staub@schneider-electric.com (JIRA)

Aug 26, 2019, 4:18:02 AM
to jenkinsc...@googlegroups.com

Will this issue be fixed in the future?

From the description, the GitHub Committer Authorization Strategy is the easiest to use and could cover the needs of many users if working correctly.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

sam.mxracer@gmail.com (JIRA)

Aug 26, 2019, 3:34:03 PM
to jenkinsc...@googlegroups.com
Sam Gleske closed an issue as Duplicate
 

Closing again since this is a duplicate. Please contribute in JENKINS-27844 which should track any rewriting of this feature. The GitHub authorization strategy needs to be redesigned completely.

Change By: Sam Gleske
Status: Reopened → Closed
Resolution: Duplicate