"The authenticated build user anonymous has no Job.BUILD permission" with downstream builds

[Daniel Lo Nigro]

Hi!

I have a job that has the "Trigger builds remotely (e.g., from scripts)" option enabled. Within that job, I use "Trigger parameterized build on other projects" to kick off some other jobs. This used to work fine. Now, the initial job works fine, but I'm getting these errors at the end:

Warning: this build has no associated authentication, so build permissions may be lacking, and downstream projects which cannot even be seen by an anonymous user will be silently skipped

ERROR: Cannot schedule the build of FirstOtherJob from InitialJob #25. The authenticated build user anonymous has no Job.BUILD permission

ERROR: Cannot schedule the build of SecondOtherJob from InitialJob #25. The authenticated build user anonymous has no Job.BUILD permission

The configuration I want is:

• Authenticated users can build any of the jobs
• Anonymous users can view the job status but can not build the jobs
• Scripts that trigger the build remotely can build the initial job and as a result, build the other jobs too

The first two points are working fine, it's the third point that I'm having difficulties with.

Any suggestions?

Thanks!

[Daniel Lo Nigro]

I guess this is due to SECURITY-201 (https://jenkins.io/security/advisory/2017-07-10/) but now I'm not quite sure how to accomplish what I want. How can I allow the projects to be triggered as downstream builds of a remotely-triggered build, without allowing anonymous users to trigger them directly?

--
Regards,
Daniel Lo Nigro
http://dan.cx/ | http://twitter.com/Daniel15

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/SQkXNQ2zO7s/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/d066a8e6-3eda-4b5a-830c-f49328918f7e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Daniel Beck]

> On 7. Sep 2017, at 18:53, Daniel Lo Nigro <dan...@d15.biz> wrote:
>
> I guess this is due to SECURITY-201 (https://jenkins.io/security/advisory/2017-07-10/) but now I'm not quite sure how to accomplish what I want. How can I allow the projects to be triggered as downstream builds of a remotely-triggered build, without allowing anonymous users to trigger them directly?

It looks like you have Authorize Plugin (or another plugin providing build authorization) installed, but are not using it -- change that.

[Daniel Lo Nigro]

Ah, good point! I needed to install the Authorize plugin in order to make the Job DSL plugin work:

> All Job DSL methods are whitelisted by default, but Jenkins access control checks are applied. These checks prevent users from gaining elevated permissions through Job DSL scripts. For this to work, the DSL job needs to run as a particular user. This is generally accomplished by installing and configuring the Authorize Project plugin.

(https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security)

I guess I might just need to play around with the config a bit.

Thanks,