[JIRA] (JENKINS-41684) Plugin.postInitialize can be run as anonymous during dynamic load


jglick@cloudbees.com (JIRA)

Feb 2, 2017, 5:54:01 PM
to jenkinsc...@googlegroups.com
Jesse Glick created an issue
 
Jenkins / Bug JENKINS-41684
Plugin.postInitialize can be run as anonymous during dynamic load
Issue Type: Bug
Assignee: Jesse Glick
Components: core
Created: 2017/Feb/02 10:53 PM
Labels: support-core authentication restart dynamic
Priority: Major
Reporter: Jesse Glick

While running 2.32.2 (I think), I logged in as the initial admin user, then dynamically loaded support-core, and got

... hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1 error
WARNING: Failed to instantiate Key[type=com.cloudbees.jenkins.support.impl.JenkinsLogs, annotation=[none]]; skipping this component
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) Error injecting constructor, hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
  at com.cloudbees.jenkins.support.impl.JenkinsLogs.<init>(JenkinsLogs.java:45)

1 error
	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:52)
	at ...
	at hudson.ExtensionList.iterator(ExtensionList.java:157)
	at com.cloudbees.jenkins.support.SupportPlugin.postInitialize(SupportPlugin.java:476)
	at hudson.PluginManager.dynamicLoad(PluginManager.java:868)
	at hudson.PluginManager.dynamicLoad(PluginManager.java:813)
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1891)
	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1652)
	at ...
Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
	at hudson.security.ACL.checkPermission(ACL.java:65)
	at hudson.model.Node.checkPermission(Node.java:464)
	at jenkins.model.Jenkins.getLog(Jenkins.java:2449)
	at com.cloudbees.jenkins.support.impl.JenkinsLogs.<init>(JenkinsLogs.java:49)
	at com.cloudbees.jenkins.support.impl.JenkinsLogs$$FastClassByGuice$$adeef6a3.newInstance(<generated>)
	at ...

The Master Log Recorders component was not available until after I restarted Jenkins.

It seems that InstallationJob runs in a fresh thread as Jenkins.ANONYMOUS and this "authentication" is carried over to plugin code, which rightly expects its initializers to be run as SYSTEM.

 
This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

jglick@cloudbees.com (JIRA)

Feb 2, 2017, 5:54:01 PM
to jenkinsc...@googlegroups.com
Jesse Glick started work on Bug JENKINS-41684
 
Change By: Jesse Glick
Status: Open → In Progress

jglick@cloudbees.com (JIRA)

Feb 2, 2017, 5:57:01 PM
to jenkinsc...@googlegroups.com

scm_issue_link@java.net (JIRA)

Feb 12, 2017, 5:38:01 AM
to jenkinsc...@googlegroups.com
SCM/JIRA link daemon commented on Bug JENKINS-41684
 
Re: Plugin.postInitialize can be run as anonymous during dynamic load

Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/PluginManager.java
test/src/test/java/hudson/PluginManagerTest.java
test/src/test/resources/plugins/require-system-during-load.hpi
http://jenkins-ci.org/commit/jenkins/6fb9e91b63521eb8cdcd072cec6610d856aabf34
Log:
JENKINS-41684 Ensure that PluginManager.dynamicLoad runs as SYSTEM (#2732)

  • [FIXED JENKINS-41684] Ensure that PluginManager.dynamicLoad runs as SYSTEM.
    Test plugin source:
    package test;
    import hudson.Plugin;
    import jenkins.model.Jenkins;
    public class ThePlugin extends Plugin {
        @Override
        public void postInitialize() throws Exception {
            Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
        }
    }

  • @daniel-beck wants this all reindented.
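
The failure mode from the report and the run-as-SYSTEM elevation named in the fix, as an added stand-alone model that is not Jenkins code and not taken from the commit. The `Auth` enum, `CURRENT` thread-local and `asSystem` helper are hypothetical stand-ins for Jenkins' thread-bound authentication.

```java
import java.util.concurrent.Callable;

// Simplified model, NOT Jenkins code: all names here are hypothetical stand-ins
// for the thread-bound authentication described in the issue.
public class DynamicLoadAuthDemo {
    enum Auth { ANONYMOUS, ADMIN_USER, SYSTEM }

    // Authentication is bound to the thread; a fresh thread starts as ANONYMOUS.
    static final ThreadLocal<Auth> CURRENT = ThreadLocal.withInitial(() -> Auth.ANONYMOUS);

    static void checkAdminister() {
        if (CURRENT.get() == Auth.ANONYMOUS) {
            throw new SecurityException("anonymous is missing the Overall/Administer permission");
        }
    }

    // Stand-in for a plugin initializer that expects to run as SYSTEM.
    static void postInitialize() { checkAdminister(); }

    // Run body as SYSTEM and always restore the previous authentication afterwards.
    static <T> T asSystem(Callable<T> body) throws Exception {
        Auth previous = CURRENT.get();
        CURRENT.set(Auth.SYSTEM);
        try { return body.call(); } finally { CURRENT.set(previous); }
    }

    // Stand-in for an installation job: does the load on a new thread.
    static String loadInFreshThread(boolean elevate) throws InterruptedException {
        String[] result = new String[1];
        Thread job = new Thread(() -> {
            try {
                if (elevate) asSystem(() -> { postInitialize(); return null; });
                else postInitialize();
                result[0] = "initialized; thread auth afterwards = " + CURRENT.get();
            } catch (Exception e) {
                result[0] = "failed: " + e.getMessage();
            }
        });
        job.start();
        job.join();
        return result[0];
    }

    public static void main(String[] args) throws Exception {
        CURRENT.set(Auth.ADMIN_USER); // request thread of the logged-in admin
        System.out.println("without elevation: " + loadInFreshThread(false));
        System.out.println("with elevation:    " + loadInFreshThread(true));
    }
}
```

The `finally` restore matters as much as the elevation: a worker thread that gets reused must not keep SYSTEM after the initializer returns.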

jglick@cloudbees.com (JIRA)

Feb 13, 2017, 9:06:01 AM
to jenkinsc...@googlegroups.com