Jenkins.createProject - ACL

38 views
Skip to first unread message

Shaun Thompson

unread,
Oct 24, 2017, 12:35:15 PM10/24/17
to Jenkins Developers
Running into an issue where I'm programmatically creating a job when the user installs it's corresponding plugin.  The Jenkins instance has security enabled with either logged in users can do anything or matrix based security.

If those are set, it will fail with Anonymous does not have create access.  How do I allow the job to create the project using the logged in user's abilities.

Thanks

Jesse Glick

unread,
Oct 24, 2017, 12:59:55 PM10/24/17
to Jenkins Dev
On Tue, Oct 24, 2017 at 12:35 PM, Shaun Thompson <sth...@gmail.com> wrote:
> I'm programmatically creating a job when the
> user installs it's corresponding plugin.

This seems like a bad idea.

> How do I allow the job to create the project using the logged in user's
> abilities.

Who exactly is “the” logged-in user? The concept is meaningless unless
you are inside an HTTP request handling thread, or some rarer cases
like CLI commands—in which case `Jenkins.getAuthentication()` is set,
and so you can check `hasPermission(Item.CREATE)` and behave
accordingly.

Shaun Thompson

unread,
Oct 24, 2017, 1:23:15 PM10/24/17
to Jenkins Developers
By logged in user, I'm referring to the user that initiated the plugin installation.  If they are authorized to install the plugin,  by default I want to give that plugin rights to create a job on that CI server.

Jesse Glick

unread,
Oct 24, 2017, 2:11:08 PM10/24/17
to Jenkins Dev
On Tue, Oct 24, 2017 at 1:23 PM, Shaun Thompson <sth...@gmail.com> wrote:
> By logged in user, I'm referring to the user that initiated the plugin
> installation.

There is no information available to that effect, if such a concept
were even reliably meaningful, which it is not.

Clearly anyone able to install a plugin can do whatever they like—they
must be an administrator. So if your plugin wishes to create a job
during installation (again, a bad idea as a rule), just do so. You
should be running as `SYSTEM`, which can do anything.

Stephen Connolly

unread,
Oct 24, 2017, 2:20:36 PM10/24/17
to jenkin...@googlegroups.com
On 24 October 2017 at 19:11, Jesse Glick <jgl...@cloudbees.com> wrote:
On Tue, Oct 24, 2017 at 1:23 PM, Shaun Thompson <sth...@gmail.com> wrote:
> By logged in user, I'm referring to the user that initiated the plugin
> installation.

There is no information available to that effect, if such a concept
were even reliably meaningful, which it is not.

Clearly anyone able to install a plugin can do whatever they like—they
must be an administrator. So if your plugin wishes to create a job
during installation (again, a bad idea as a rule),

Just so that you are aware...

We have not told you that you are holding a fully armed rocket launcher with a hair trigger... you are pointing that rocket launcher at your foot... By all means if you want to pull the trigger... but I would not recommend it.
 
just do so. You
should be running as `SYSTEM`, which can do anything.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr0c6gy19LuiN%2BOWiEAoNAeP369VMYM6at7dtD4um3dO%2Bg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Shaun Thompson

unread,
Oct 24, 2017, 4:12:50 PM10/24/17
to Jenkins Developers
That doesn't line up with what I'm seeing.  Plugin fails to create the job so an ACL is in effect.  I guess I'll figure it out on my own.

Shaun Thompson

unread,
Oct 24, 2017, 4:14:37 PM10/24/17
to Jenkins Developers
I appreciate the warnings but this is a plugin used internally by our company for release automation.  Context always help :)

Jesse Glick

unread,
Oct 24, 2017, 5:19:26 PM10/24/17
to Jenkins Dev
On Tue, Oct 24, 2017 at 4:12 PM, Shaun Thompson <sth...@gmail.com> wrote:
> Plugin fails to create the job
> so an ACL is in effect.

If you are using Jenkins 2.45 or earlier, work around JENKINS-41684
using `ACL.as(ACL.SYSTEM)`.
Reply all
Reply to author
Forward
0 new messages