Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-17200

SCM.TAG permission not eagerly loaded

    Details

    • Similar Issues:

      Description

      In order to be included in Permission.getAll(), a Permission needs to be initialized in a static block inside an @Extension or otherwise definitely loaded during startup.

      The visible symptom is that you might configure an authorization strategy such as matrix with all permissions granted, then go back later and see SCM/Tag missing, because it was unknown earlier.

        Attachments

          Issue Links

            Activity

            jglick Jesse Glick created issue -
            Hide
            jglick Jesse Glick added a comment -

            Would be better to have some kind of declarative registration for permissions. Could handle default grant status for things like JENKINS-15484 as well. Some other messiness: hudson.security.WipeOutPermission=true; hudson.security.ArtifactsPermission=true; and of course https://wiki.jenkins-ci.org/display/JENKINS/Extended+Read+Permission+Plugin is well known.

            https://github.com/jenkinsci/embeddable-build-status-plugin/pull/4/files#r4421926 claims that at least for Project-based Matrix Authorization Strategy even loading the permission in an @Extension does not suffice—perhaps because it tries to load the matrix before extensions are loaded?

            Show
            jglick Jesse Glick added a comment - Would be better to have some kind of declarative registration for permissions. Could handle default grant status for things like JENKINS-15484 as well. Some other messiness: hudson.security.WipeOutPermission=true ; hudson.security.ArtifactsPermission=true ; and of course https://wiki.jenkins-ci.org/display/JENKINS/Extended+Read+Permission+Plugin is well known. https://github.com/jenkinsci/embeddable-build-status-plugin/pull/4/files#r4421926 claims that at least for Project-based Matrix Authorization Strategy even loading the permission in an @Extension does not suffice—perhaps because it tries to load the matrix before extensions are loaded?
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-15484 [ JENKINS-15484 ]
            jglick Jesse Glick made changes -
            Labels permissions api permissions
            Hide
            jglick Jesse Glick added a comment -

            Blocking JENKINS-16502, perhaps.

            Show
            jglick Jesse Glick added a comment - Blocking JENKINS-16502 , perhaps.
            jglick Jesse Glick made changes -
            Link This issue is blocking JENKINS-16502 [ JENKINS-16502 ]
            jglick Jesse Glick made changes -
            Link This issue is related to SECURITY-91 [ SECURITY-91 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-27134 [ JENKINS-27134 ]
            jglick Jesse Glick made changes -
            Labels api permissions 2.0 api permissions
            danielbeck Daniel Beck made changes -
            Labels 2.0 api permissions 2.0-rejected api permissions
            danielbeck Daniel Beck made changes -
            Link This issue is related to JENKINS-21336 [ JENKINS-21336 ]
            danielbeck Daniel Beck made changes -
            Remote Link This issue links to "Related discussion in PR 882 (Web Link)" [ 14640 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 148032 ] JNJira + In-Review [ 177067 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-37546 [ JENKINS-37546 ]
            Hide
            jvz Matt Sicker added a comment -

            What if we had a sort of PermissionProvider meta-inf service which, when invoked, returns a collection of permissions to register. Due to initialization ordering, this might not be the best class to use a whiteboard pattern on (which is essentially what the existing extension-based permission model is doing).

            Show
            jvz Matt Sicker added a comment - What if we had a sort of PermissionProvider meta-inf service which, when invoked, returns a collection of permissions to register. Due to initialization ordering, this might not be the best class to use a whiteboard pattern on (which is essentially what the existing extension-based permission model is doing).
            Hide
            jvz Matt Sicker added a comment -

            For this issue, right now I have a proposal to make permissions declarative and lazily load them. See here: https://github.com/jenkinsci/jenkins/pull/3696

            Show
            jvz Matt Sicker added a comment - For this issue, right now I have a proposal to make permissions declarative and lazily load them. See here: https://github.com/jenkinsci/jenkins/pull/3696
            jvz Matt Sicker made changes -
            Assignee Jesse Glick [ jglick ] Matt Sicker [ jvz ]
            jvz Matt Sicker made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jvz Matt Sicker made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            Hide
            jvz Matt Sicker added a comment -

            Refactored that proposal into a standalone PR: https://github.com/jenkinsci/jenkins/pull/3713

            Show
            jvz Matt Sicker added a comment - Refactored that proposal into a standalone PR: https://github.com/jenkinsci/jenkins/pull/3713
            jvz Matt Sicker made changes -
            Remote Link This issue links to "PR-3713 (Web Link)" [ 21975 ]

              People

              • Assignee:
                jvz Matt Sicker
                Reporter:
                jglick Jesse Glick
              • Votes:
                2 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated: