JENKINS-17081: Permission "hudson.model.Item.Read:anonymous" coming from nowhere

Description

Steps to reproduce:
1. Go to the Configure Global Security screen (http://server/jenkins/configureSecurity/) and choose "enable security"
2. Select "Jenkins's own user database" as the security realm
3. Select "Project-based Matrix Authorization Strategy" as the authorization
4. Give the anonymous user read access to Overall
5. In the text box below the table, type in your user name and click "add"
6. Give yourself full access by checking the entire row for your user name
7. Scroll all the way to the bottom and click "save"

Now you have access to all projects and anonymous users have access only to specific projects; the config.xml will have:

      <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
      <permission>hudson.model.Computer.Configure:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Connect:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Create:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Disconnect:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.Administer:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.ConfigureUpdateCenter:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.Read:anonymous</permission>
      <permission>hudson.model.Hudson.Read:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.RunScripts:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.UploadPlugins:jose.rob.jr</permission>
      <permission>hudson.model.Item.Build:jose.rob.jr</permission>
      <permission>hudson.model.Item.Cancel:jose.rob.jr</permission>
      <permission>hudson.model.Item.Configure:jose.rob.jr</permission>
      <permission>hudson.model.Item.Create:jose.rob.jr</permission>
      <permission>hudson.model.Item.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Item.Discover:jose.rob.jr</permission>
      <permission>hudson.model.Item.Read:jose.rob.jr</permission>
      <permission>hudson.model.Item.Workspace:jose.rob.jr</permission>
      <permission>hudson.model.Run.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Run.Update:jose.rob.jr</permission>
      <permission>hudson.model.View.Configure:jose.rob.jr</permission>
      <permission>hudson.model.View.Create:jose.rob.jr</permission>
      <permission>hudson.model.View.Delete:jose.rob.jr</permission>
      <permission>hudson.model.View.Read:jose.rob.jr</permission>
      <permission>hudson.scm.SCM.Tag:jose.rob.jr</permission>
      </authorizationStrategy>

Go to the Jenkins management screen (http://server/jenkins/manage) and click "Reload configs from disk".

After it finishes, anonymous users can access all projects; if you go to the Configure Global Security screen you'll see that the anonymous task read box is checked.

If you save again without changing anything, the config.xml will have:

      <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
      <permission>hudson.model.Computer.Configure:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Connect:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Create:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Computer.Disconnect:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.Administer:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.ConfigureUpdateCenter:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.Read:anonymous</permission>
      <permission>hudson.model.Hudson.Read:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.RunScripts:jose.rob.jr</permission>
      <permission>hudson.model.Hudson.UploadPlugins:jose.rob.jr</permission>
      <permission>hudson.model.Item.Build:jose.rob.jr</permission>
      <permission>hudson.model.Item.Cancel:jose.rob.jr</permission>
      <permission>hudson.model.Item.Configure:jose.rob.jr</permission>
      <permission>hudson.model.Item.Create:jose.rob.jr</permission>
      <permission>hudson.model.Item.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Item.Discover:jose.rob.jr</permission>
      <permission>hudson.model.Item.Read:anonymous</permission>
      <permission>hudson.model.Item.Read:jose.rob.jr</permission>
      <permission>hudson.model.Item.Workspace:jose.rob.jr</permission>
      <permission>hudson.model.Run.Delete:jose.rob.jr</permission>
      <permission>hudson.model.Run.Update:jose.rob.jr</permission>
      <permission>hudson.model.View.Configure:jose.rob.jr</permission>
      <permission>hudson.model.View.Create:jose.rob.jr</permission>
      <permission>hudson.model.View.Delete:jose.rob.jr</permission>
      <permission>hudson.model.View.Read:jose.rob.jr</permission>
      <permission>hudson.scm.SCM.Tag:jose.rob.jr</permission>
      </authorizationStrategy>

That line is being injected when Jenkins loads the config.xml:
<permission>hudson.model.Item.Read:anonymous</permission>

Attachments

1. 1-after-save.png (494 kB)
2. 2-click-reload.png (114 kB)
3. 3-after-reload.png (527 kB)
Activity

evernat added a comment -

Is it reproduced with a recent Jenkins version?
tcnghia Nghia Tran added a comment -

I can confirm that I can reproduce in versions as recent as 1.557.
tcnghia Nghia Tran added a comment -

Seems this is done for backward compatibility: https://github.com/jenkinsci/matrix-auth-plugin/blob/master/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java#L130
How do we turn off this feature? Thanks
amuniz Antonio Muñiz added a comment -

The call to

Jenkins.getInstance().isUpgradedFromBefore(new VersionNumber("1.300.*"))

is not working as expected. I have a fresh Jenkins installation (1.554.1 LTS) and that method is returning "true"; that's why the Item.READ permission is added (while it shouldn't be).
tcnghia Nghia Tran added a comment -

I fixed this by including the Jenkins version in my config.xml.
danielbeck Daniel Beck added a comment -

Duplicates JENKINS-42577 (which is much more recent, but has a core fix in the works, so resolving this one instead).
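An audit script, added here and not part of the issue thread or the matrix-auth plugin, that checks a Jenkins config.xml for the two things the thread describes: a missing <version> element (the reporter's workaround was to add one) and which permissions are granted to the anonymous sid, including the injected hudson.model.Item.Read:anonymous line. The <hudson> root wrapper and SAMPLE_CONFIG are constructed from the trimmed config shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the reporter's config.xml (trimmed), wrapped in
# the <hudson> root a real config.xml has. Note: no <version> element present.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:jose.rob.jr</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:jose.rob.jr</permission>
  </authorizationStrategy>
</hudson>"""

def permissions(config_xml: str) -> list[tuple[str, str]]:
    """Return (permission, sid) pairs from every <permission>NAME:SID</permission>."""
    root = ET.fromstring(config_xml)
    pairs = []
    for el in root.iter("permission"):
        text = (el.text or "").strip()
        if ":" in text:
            name, sid = text.rsplit(":", 1)  # sid may not contain ':'; name may
            pairs.append((name, sid))
    return pairs

def audit(config_xml: str) -> dict:
    """Report anonymous grants and whether the legacy compatibility path applies."""
    root = ET.fromstring(config_xml)
    version = root.findtext("version")  # None when the element is absent
    anon = sorted(name for name, sid in permissions(config_xml) if sid == "anonymous")
    findings = []
    if version is None:
        findings.append("no <version> element: the thread reports isUpgradedFromBefore() "
                        "returning true for such a config, so Item.Read:anonymous "
                        "gets added on the next reload")
    if "hudson.model.Item.Read" in anon:
        findings.append("anonymous holds hudson.model.Item.Read: every job is readable")
    return {"version": version, "anonymous": anon, "findings": findings}

def with_version(config_xml: str, version: str) -> str:
    """The thread's workaround: record the Jenkins version in the <hudson> root."""
    root = ET.fromstring(config_xml)
    if root.find("version") is None:
        ET.SubElement(root, "version").text = version
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", line)
```

Run it against a copy of $JENKINS_HOME/config.xml before and after a reload to see whether the anonymous grant set changed without an operator saving the security page.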

People

Assignee: Unassigned
Reporter: joserobjr José Roberto A. JR.