[JIRA] (JENKINS-56007) Can't copy source files from slave to master if security is enabled

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner updated an issue

Jenkins / JENKINS-56007 Can't copy source files from slave to master if security is enabled See https://wiki.jenkins.io/display/JENKINS/Slave+To+Master+Access+Control. Change By: Ulli Hafner Summary: warnings-ng does not create file-with-issues folder when running on a Can't copy source files from slave to master if security is enabled Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[andreas.ringlstetter@gmail.com (JIRA)]

Andreas Ringlstetter commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled "Slave to Master Access Control" only has an effect on creating the target directory, not on the copy. (And it should not have either. Please fix that.) The logic around AffectedFilesResolver::copy is plain wrong, it always tries to perform a local copy. That only works under the assumption that the Jenkins archive is on a shared drive which both master and slave can see identically. For the generalized case, where the slave does not have direct access to the archive, it still fails regardless. You must use `RemoteInputStream` or `RemoteWriter` to copy files from the workspace.

Add Comment

[andreas.ringlstetter@gmail.com (JIRA)]

Andreas Ringlstetter edited a comment on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

"Slave to Master Access Control" only has an effect on *creating the target directory*, not on the copy. (And it should not have either. Please fix that.) The logic around AffectedFilesResolver::copy is plain wrong, it *always* tries to perform a local copy. That only works under the assumption that the Jenkins archive is on a shared drive which both master and slave can see and access identically. Specifically, this requires the slave to have *full write access* to the archive, which is not advisable in any setup. For the generalized case, where the slave does *not* have direct access to the archive, it still fails regardless. You must use `RemoteInputStream` or `RemoteWriter` to copy files from the workspace.

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

[~ext3] Your comment is wrong. AffectedFilesResolver::copy always does a remote copy. It works perfectly in a master-agent setup without security. The problem is that it copies from agent to master. It should be from master to slave. Otherwise we have the security problem.

Add Comment

[andreas.ringlstetter@gmail.com (JIRA)]

Andreas Ringlstetter updated an issue

Jenkins / JENKINS-56007

Can't copy source files from slave to master if security is enabled

Change By: Andreas Ringlstetter Comment:

"Slave to Master Access Control" only has an effect on *creating the target directory*, not on the copy. (And it should not have either. Please fix that.) The logic around AffectedFilesResolver::copy is plain wrong, it *always* tries to perform a local copy. That only works under the assumption that the Jenkins archive is on a shared drive which both master and slave can see and access identically. Specifically, this requires the slave to have *full write access* to the archive, which is not advisable in any setup. For the generalized case, where the slave does *not* have direct access to the archive, it still fails regardless. You must use `RemoteInputStream` or `RemoteWriter` to copy files from the workspace.

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled A temporary fix would be to add the following line to the whitelist whitelisted-callables.d, see wiki article. io.jenkins.plugins.analysis.core.steps.IssuesScanner.ReportPostProcessor

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Ulli Hafner thanks for pointing me to this ticket in gitter. I tried to whitelist it, but it did not work for me. I also tried io.jenkins.plugins.analysis.core.steps.IssuesScanner$ReportPostProcessor (note the $) but this did not work either.

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

We created a test for this issue now: https://github.com/jenkinsci/warnings-ng-plugin/pull/90 Seems that we still miss something in your setup since the test passes. We currently enable the master-agent security and try to start a build on a slave. Are we missing something obvious in the test? How do you connect master and agent? Which other kind of security settings did you enable? What Authorization did you enable?

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Thanks for the update. Not sure whether you address Mark or me but I guess we experience the same problem.   I'm nt sure what you are implying though. do you mean that everything should work out of the box (with master-agent security enabled) or it should only work if the command is whitelisted? So I updated the plugin to the latest version 5.0.0 (from 4.0.0) and activated master-agent security again. i'll come back to you with the results.

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl edited a comment on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Thanks for the update. Not sure whether you address Mark or me but I guess we experience the same problem.

I'm nt not sure what you are implying though. do you mean that everything should work out of the box (with master-agent security enabled) or it should only work if the command is whitelisted? So I 've updated the plugin to the latest version 5.0.0 (from 4.0.0) and activated master-agent security again. i'll come back to you with the results.

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner edited a comment on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Before writing a fix I wanted to expose the bug via a test. So I can see afterwards if a fix is successfully or not. But the problem is that I cannot expose the bug (neither in a test or nor in a running Jenkins instance).

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Before writing a fix I wanted to expose the bug via a test. So I can see afterwards if a fix is successfully or not. But the problem is that I cannot expose the bug (neither in a test or in a running Jenkins instance).

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

I'm still running into 09:49:28 [Clang-Tidy] [-ERROR-] Can't copy some affected workspace files to Jenkins build folder:

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

we are using the https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin to run slaves and run some builds inside docker on a separate machine then the one the jenkins master runs on (windows 7) security settings Security is enabled Access Control works via LDAP Logged-in users can do everything, anonymous read access is permitted tcp port for jnlp agents is set to 7777

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

i thought the issue is that copying files from the slave to master does not work (as mentioned in https://issues.jenkins-ci.org/browse/JENKINS-56007?focusedCommentId=363080&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-363080) , to me it seems as if the test does the opposite (copying a file to the slave).

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl edited a comment on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

i thought the issue is that copying files from the slave to master does not work (as mentioned in https://issues.jenkins-ci.org/browse/JENKINS-56007?focusedCommentId=363080&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-363080) , to me it seems as if the test does the opposite (copying a file to the slave) , but of course I'm lacking context .

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Which Jenkins version are you using? Is it possible, that you did deny Jenkins to create the default permissions file `secrets/filepath-filters.d/30-default.conf` in the folder

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner edited a comment on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Which Jenkins version are you using? Is it possible, that you did deny Jenkins to create the default permissions file `secrets/filepath-filters.d/30-default.conf` in the folder ?

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

we are using Jenkins ver. 2.164.3 (latest lts release) \secrets\filepath-filters.d\30-default.conf exists and has a timestamp from the last restart of jenkins yesterday (i think) i have added a warningsng.conf file in \secrets\whitelisted-callables.d with one line: io.jenkins.plugins.analysis.core.steps.IssuesScanner$ReportPostProcessor

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

I finally managed it to reproduced it by clearing the contents of the file 30-default.conf. (See https://github.com/jenkinsci/warnings-ng-plugin/commit/d597cbdb6ad5d9709208debc2acecbe66cd6589a)

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner updated JENKINS-56007

Jenkins / JENKINS-56007

Can't copy source files from slave to master if security is enabled

Change By: Ulli Hafner Status: Open Fixed but Unreleased Resolution: Fixed

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled Great! Thanks for the update. Is whitelisting still needed after this change?

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

No, it is not required anymore. (I thought, whitelisting did not work as advertised?)

Add Comment

[roman@pickl.eu (JIRA)]

Roman Pickl commented on JENKINS-56007

Re: Can't copy source files from slave to master if security is enabled

Ok thanks. No it did not.

Add Comment

[ullrich.hafner@gmail.com (JIRA)]

Ulli Hafner updated JENKINS-56007

Jenkins / JENKINS-56007

Can't copy source files from slave to master if security is enabled

Change By: Ulli Hafner Status: Fixed but Unreleased Resolved Released As: 5.2.0

Add Comment