-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow users without global Job/Build permission configure multibranch jobs #156
Conversation
@LinuxSuRen @jetersen @MarkEWaite this seems to look good but I wonder if someone in the security SIG should give it a once-over? |
@LinuxSuRen , can you speed up the merge of this PR? |
@baymac Hi! maybe you can help us with review this PR? |
I don't think baymac is relevant... he doesn't respond to anything for the
past couple of years...
if any, I think we can ask the updaters in the jira issue to review it and
tell if it is working for them.
I simply installed it on a test environment and checked the flow I reported
in the jira issue.
…On Thu, Aug 26, 2021 at 11:12 AM Mikhail Marchenko ***@***.***> wrote:
@baymac <https://github.com/baymac> Hi! maybe you can help to us with
review this PR?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#156 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEIBU5VAIC37UX4LDVEBKTT6XZOLANCNFSM5CCGHFMA>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email>
.
|
If folks are interested in helping to maintain the plugin and its tests, you might consider becoming a maintainer. I personally don't have enough time to dedicate here (and I also don't really use GitLab), unfortunately, and it seems @baymac (who did great work here) doesn't have enough time these days either. Hope you are all well. |
@LinuxSuRen Hi! Could you please merge this PR if you are fine with the changes? |
Hello, I'm also having this problem, it would be nice if the PR is accepted :) |
@shelene31400 one of the most persuasive arguments to a plugin maintainer is when a user says, "I'm using this in production and it works the way I expected". You can provide that persuasion by installing the 'hpi' file into your Jenkins controller from https://ci.jenkins.io/job/Plugins/job/gitlab-branch-source-plugin/job/PR-156/ . Look for the most recent successful artifacts and find the '.hpi' file. Install that using the "Advanced" settings in the plugin manager. If you're using a 'plugins.txt' file to manage your plugin versions as code, then you can use the 'incrementals' syntax to use that version. See https://github.com/MarkEWaite/docker-lfs/blob/4b0981a8e6689cca50f2cdfd8723e30f8d4fcaec/plugins.txt#L49 for one example. |
@MarkEWaite by following this, our jenkins admin installed the plugin on this PR. Then I tested it and now I can confirm that now I can configure a multibranch pipeline without global permissions, which I couldn't before. |
Can also verify this PR works, LGTM!! |
Hello, I confirm that the PR solve the problem. Our Admin installed it and we tested the plugin. |
Hi @mymarche, I would more explanation of this PR. But my comprehension of the plugin is that we have to give a credential to access to the Gitlab API when we create the Gitlab server instance in the administration panel. The GitlabServer class. So the jenkins level should be enough and with system scope's too. But the issue seems to be a problem with the permission of the user who create the multi branch pipeline. Could you help me to understand? Kind regards, |
Hi, @Turiok! Yes, you absolutly right. Line 237 in 7ec1f98
Line 246 in 7ec1f98
Line 253 in 7ec1f98
we need to use Jenkins.getAuthentication() , but then we cant find any credentials.
Like in this issue: JENKINS-58902 |
fromUri(defaultIfBlank(serverUrl, GITLAB_SERVER_URL)).build() | ||
), withId(credentialsId)); | ||
} else { | ||
context.checkPermission(CredentialsProvider.USE_OWN); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, @mymarche ,
Sorry to bothering you again.
I read your comment and read again the source code.
What I understand, This is this specific line which correct the problem right?
At this line Jenkins, or in your case the context of security, check if the user can configure the pipeline or not?
Strange the permission needed is the Job/Build permission and not Job/Configure but it's another problem.
But I don't understand the if else after. The personal access token(PAT) is stocked at the global level, during the creation of the gitlab server in the administration panel, so the old code should be working to find this PAT. Instead, do you try to change the code to find the PAT at folder level too?
It'll be great I think. The possibility to define the gitlab server instance during the creation of the multi branch pipeline.
But is it not another feature? And only with this change it can't work right? Because the creation of a gitlab server instance is only defined in the administration panel and not during the job creation. And to be perfect, regarding the gitlab project isolation easily. It should be Project access token and not Personnal access token.
Am I wrong on the last part or not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, @Turiok !
At this line Jenkins, or in your case the context of security, check if the user can configure the pipeline or not?
Yes
Am I wrong on the last part or not?
No, you are right.
I created fix only for searching PAT in this case.
I think, define PAT for gitlab server per folder or per job is correct.
But i don't know how to implement it correctly.
Hello @LinuxSuRen @justinharringa @baymac @markyjackson-taulia, If you have a little time, it would be nice to watch this PR. This is really a crucial feature for the plugin. We tested this PR on our side and it works. We have also analyzed the code modification and it does not bring any security issue. Thanks in advance :) |
@mymarche would you be able to fix the conflicts and ping me once the PR is ready for review 😄 |
@jetersen ping :) |
I suspect this changes require to move token from System to Global Scope. At least it started working when i did it migrating from 1.5.9. |
Just to ensure we are on the same page. |
this implementation is very problematic since it exposes the token of the entire gitlab server to all the jobs. this poses a great security breach. |
Hello!
If somebody install gitlab-branch-source-plugin with authorization plugin (like Folder Authorization Plugin or Role-based Authorization Strategy), they might grant permission Job/Build on certain jobs without granting global permission Job/Build.
In this case, user with this permissions will get error:
This caused by check permission onli on Jenkins singleton in this line:
gitlab-branch-source-plugin/src/main/java/io/jenkins/plugins/gitlabserverconfig/servers/GitLabServer.java
Line 229 in ae2e6e7
Documetation said:
In this PR I try to fix AccessDeniedException by:
Fixes:
JENKINS-62478