[JIRA] (JENKINS-61214) Permissions of authenticated users not added to project specific permissions


in+jenkins@shoelzle.de (JIRA)

Feb 25, 2020, 3:16:03 AM
to jenkinsc...@googlegroups.com
Stefan Hölzle updated an issue
 
Jenkins / Bug JENKINS-61214
Permissions of authenticated users not added to project specific permissions
Change By: Stefan Hölzle
Summary: "Rights of authenticated users not added to project specific rights" -> "Permissions of authenticated users not added to project specific permissions"
 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

in+jenkins@shoelzle.de (JIRA)

Feb 25, 2020, 3:17:07 AM
to jenkinsc...@googlegroups.com
Stefan Hölzle updated an issue
Hello, the [plugin's documentation #1|https://jenkins.io/doc/book/managing/security/#authorization] says:
{quote}

The permissions granted in the matrix are additive. For example, if a user "kohsuke" is in the groups "developers" and "administrators", then the permissions granted to "kohsuke" will be a union of all those permissions granted to "kohsuke", "developers", "administrators", "authenticated", and "anonymous."
{quote}

The [documentation in the Jenkins UI (#2)|https://github.com/jenkinsci/matrix-auth-plugin/blob/9c859ed3ea932024e73f665400457cbf106b8dcf/src/main/resources/hudson/security/GlobalMatrixAuthorizationStrategy/help.html] says:
{quote}

  Permissions are additive. That is, if an user X is in group A, B, and C, then
  the permissions that this user actually has are the union of all permissions given to
  X, A, B, C, and anonymous.
{quote}

The difference is that the permissions of authenticated users are missing in #2, which is exactly the behavior that I observed.
However what I expected is the behavior described in #1.

Versions:
* Jenkins: 2.204.2
* Plugins:

{noformat}
# Authorization
matrix-auth:2.5
authorize-project:1.3.0

# Configuration
configuration-as-code:1.35
configuration-as-code-support:1.18
jobConfigHistory:2.24

# Monitoring
metrics:4.0.2.6

# Node management
swarm:3.17
#kubernetes:1.15.5

# Notification
mailer:1.30

# Pipeline
blueocean:1.22.0
http_request:1.8.24
pipeline-utility-steps:2.5.0
ssh-steps:2.0.0
webhook-step:1.4
workflow-aggregator:2.6

# Utils
cloudbees-folder:6.11.1
job-dsl:1.76
parameterized-trigger:2.36
thinBackup:1.9
ws-cleanup:0.38
{noformat}

dbeck@cloudbees.com (JIRA)

Feb 25, 2020, 6:58:03 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-61214
 
Re: Permissions of authenticated users not added to project specific permissions

Stefan Hölzle Could you please clarify what the actual behavior is you're seeing? It is not clear to me whether you're reporting a behavior bug, or a docs bug for #2 (which doesn't mention the authenticated pseudo-group).

dbeck@cloudbees.com (JIRA)

Feb 25, 2020, 6:59:04 AM
to jenkinsc...@googlegroups.com

The plugins list looks like there's no security realm plugin installed. Could you confirm your security realm is "Jenkins user database"? If not, what's the security realm?

in+jenkins@shoelzle.de (JIRA)

Feb 26, 2020, 3:19:06 AM
to jenkinsc...@googlegroups.com

Thanks for the quick response Daniel Beck.

The actual behavior is #2.

About the security realm:
The security realm is not "Jenkins user database". The security realm is a slightly modified version of https://plugins.jenkins.io/cas-plugin/.

About the installed plugins:
My apologies, the plugin list in the description does not include the automatically installed dependencies. Here is the complete list of all installed plugins:

ace-editor:1.1
apache-httpcomponents-client-4-api:4.5.10-2.0
authentication-tokens:1.3
authorize-project:1.3.0
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.22.0
blueocean-commons:1.22.0
blueocean-config:1.22.0
blueocean-core-js:1.22.0
blueocean-dashboard:1.22.0
blueocean-display-url:2.3.0
blueocean-events:1.22.0
blueocean-git-pipeline:1.22.0
blueocean-github-pipeline:1.22.0
blueocean-i18n:1.22.0
blueocean-jira:1.22.0
blueocean-jwt:1.22.0
blueocean-personalization:1.22.0
blueocean-pipeline-api-impl:1.22.0
blueocean-pipeline-editor:1.22.0
blueocean-pipeline-scm-api:1.22.0
blueocean-rest-impl:1.22.0
blueocean-rest:1.22.0
blueocean-web:1.22.0
blueocean:1.22.0
branch-api:2.5.5
cloudbees-bitbucket-branch-source:2.7.0
cloudbees-folder:6.11.1
conditional-buildstep:1.3.6
configuration-as-code-support:1.18
configuration-as-code:1.35
credentials-binding:1.20
credentials:2.3.1
display-url-api:2.3.2
docker-commons:1.16
docker-workflow:1.21
durable-task:1.33
favorite:2.3.2
git-client:3.1.1
git-server:1.9
git:4.1.1
github-api:1.106
github-branch-source:2.6.0
github:1.29.5
handlebars:1.1.1
handy-uri-templates-2-api:2.1.8-1.0
htmlpublisher:1.21
http_request:1.8.24
jackson2-api:2.10.2
javadoc:1.5
jenkins-design-language:1.22.0
jira:3.0.12
job-dsl:1.76
jobConfigHistory:2.24
jquery-detached:1.2.1
jsch:0.1.55.2
junit:1.28
lockable-resources:2.7
mailer:1.30
matrix-auth:2.5
matrix-project:1.14
maven-plugin:3.4
mercurial:2.8
metrics:4.0.2.6
momentjs:1.1.1
parameterized-trigger:2.36
pipeline-build-step:2.11
pipeline-graph-analysis:1.10
pipeline-input-step:2.11
pipeline-milestone-step:1.3.1
pipeline-model-api:1.5.1
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.5.1
pipeline-model-extensions:1.5.1
pipeline-rest-api:2.13
pipeline-stage-step:2.3
pipeline-stage-tags-metadata:1.5.1
pipeline-stage-view:2.13
pipeline-utility-steps:2.5.0
plain-credentials:1.7
prometheus:2.0.6
pubsub-light:1.13
resource-disposer:0.14
run-condition:1.2
scm-api:2.6.3
script-security:1.69
sse-gateway:1.20
ssh-credentials:1.18.1
ssh-steps:2.0.0
structs:1.20
swarm:3.17
thinBackup:1.9
token-macro:2.10
trilead-api:1.0.5
variant:1.3
webhook-step:1.4
workflow-aggregator:2.6
workflow-api:2.39
workflow-basic-steps:2.19
workflow-cps-global-lib:2.15
workflow-cps:2.78
workflow-durable-task-step:2.35
workflow-job:2.36
workflow-multibranch:2.21
workflow-scm-step:2.10
workflow-step-api:2.22
workflow-support:3.4
ws-cleanup:0.38
bouncycastle-api:2.16.0
command-launcher:1.2
jdk-tool:1.0
jaxb:2.3.0
cas-1and1-plugin:1.8.2
intranet-login-plugin:2.4

 

in+jenkins@shoelzle.de (JIRA)

Feb 26, 2020, 3:20:06 AM
to jenkinsc...@googlegroups.com
Stefan Hölzle edited a comment on Bug JENKINS-61214
Thanks for the quick response [~danielbeck].

The *actual behavior* is #2.

*About the security realm*:
The security realm is not "Jenkins user database". The security realm is a slightly modified version of [https://plugins.jenkins.io/cas-plugin/].

*About the installed plugins*:

My apologies, the plugin list in the description does not include the automatically installed dependencies. Here is the complete list of all installed plugins:
{noformat}
cas-1and1-plugin:1.8.2 -> cas-plugin:1.4.3
intranet-login-plugin:2.4
{noformat}
 

dbeck@cloudbees.com (JIRA)

Feb 26, 2020, 7:16:03 AM
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
 
Change By: Daniel Beck
Component/s: cas-plugin
Component/s: matrix-auth-plugin

dbeck@cloudbees.com (JIRA)

Feb 26, 2020, 7:17:06 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-61214
 
Re: Permissions of authenticated users not added to project specific permissions

It is the security realm's responsibility to grant the authenticated authority/group membership to authenticated users.
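
The behaviour discussed in this thread can be reproduced with a small model. The following Python sketch is an added illustration, not part of the thread and not Jenkins or matrix-auth code: it treats the effective permissions as the union over the user's name, the authorities the security realm reported, and "anonymous", and shows what is lost when a realm does not add the "authenticated" authority. The function names, the sample matrix and the permission strings are assumptions made for the example.

```python
# Simplified model, not Jenkins code: a permission matrix maps a SID
# (user name, group name, or pseudo-group) to the permissions granted to it.
AUTHENTICATED = "authenticated"
ANONYMOUS = "anonymous"


def realm_authorities(groups, grants_authenticated):
    """Authorities a (hypothetical) security realm attaches at login."""
    auths = set(groups)
    if grants_authenticated:
        auths.add(AUTHENTICATED)
    return auths


def effective_permissions(matrix, username, authorities):
    """Union of the grants for the user, each reported authority, and anonymous."""
    sids = {username, ANONYMOUS} | set(authorities)
    granted = set()
    for sid in sids:
        granted |= matrix.get(sid, set())
    return granted


def missing_from_authenticated(matrix, username, authorities):
    """Permissions the user would gain if the realm reported 'authenticated'."""
    have = effective_permissions(matrix, username, authorities)
    want = effective_permissions(
        matrix, username, set(authorities) | {AUTHENTICATED})
    return want - have


# Constructed sample matrix; SIDs and permission names are illustrative only.
MATRIX = {
    ANONYMOUS: {"Overall/Read"},
    AUTHENTICATED: {"Job/Read", "Job/Build"},
    "developers": {"Job/Configure"},
    "kohsuke": {"Job/Delete"},
}

if __name__ == "__main__":
    for label, flag in (("realm adds authenticated", True),
                        ("realm omits authenticated", False)):
        auths = realm_authorities(["developers"], flag)
        print(label)
        print("  effective:", sorted(effective_permissions(MATRIX, "kohsuke", auths)))
        print("  missing:  ", sorted(missing_from_authenticated(MATRIX, "kohsuke", auths)))
```

In this model the second case matches what the reporter describes as behaviour #2: the grants for the user, the groups and anonymous apply, while everything granted only to "authenticated" is absent.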

dbeck@cloudbees.com (JIRA)

Feb 26, 2020, 7:17:09 AM
to jenkinsc...@googlegroups.com