  1. Jenkins
  2. JENKINS-19934

Add "Job Create" permission to project roles


      Description

      Currently, the "role strategy" plugin allows you to restrict access to jobs, based on a job-name pattern, using "Project roles". The following permissions are available:

      Delete, Configure, Read, Discover, Build, Workspace, Cancel

      However, I can't give a user permissions to create only jobs that match a certain job-name pattern. "Job Create" privilege is a "Global Role", not a "Project Role".
      Can this be fixed?

            Activity

            yaswanth07 yaswanth badam added a comment -

            Hi Team,

            We are also facing the same issue.

            We have created testRole in Global Roles, which has Overall READ permission.

            We have created testProjectRole in Project Roles, which has the permissions below.

            JOB: BUILD,CANCEL,CREATE,CONFIGURE,READ with pattern "test.*"

            Observations:

            1) Initially we did not give the JOB create option in GLOBAL roles, so testUser was not able to see "NEW ITEM".

            2) Later we gave the JOB create option in GLOBAL roles, so testUser is able to see "NEW ITEM" and can create a job using the pattern "testDev" successfully.

            3) So here is the issue: the user is able to create a job that does not match the pattern, which displays a 404 error, but in the backend the job is created, as we see when logged in as the admin user. So I want the job not to be created when it does not match the pattern in Project Roles.

            Could you please advise on this request?

             

            Thanks

            Yaswanth
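
The three observations above, as a simplified model added here for illustration (it is not Role Strategy plugin code). The permission strings, the function names and the assumption that a pattern must match the whole job name are constructed for this sketch.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProjectRole:
    pattern: str            # job-name regex; assumed to match the whole name
    permissions: frozenset

# Constructed configuration mirroring the comment above.
GLOBAL_PERMS = {"testUser": {"Overall/Read", "Job/Create"}}
PROJECT_ROLES = {"testUser": [ProjectRole("test.*", frozenset(
    {"Job/Build", "Job/Cancel", "Job/Create", "Job/Configure", "Job/Read"}))]}

def has_project_permission(user, job, perm):
    """True if any project role of `user` grants `perm` and matches `job`."""
    return any(perm in r.permissions and re.fullmatch(r.pattern, job)
               for r in PROJECT_ROLES.get(user, []))

def can_create_observed(user, job):
    # Behaviour reported in the thread: only the global grant is consulted,
    # so the job name is never compared with the project-role pattern.
    return "Job/Create" in GLOBAL_PERMS.get(user, set())

def can_create_requested(user, job):
    # Behaviour the issue asks for: creation is scoped by the name pattern.
    return has_project_permission(user, job, "Job/Create")

def simulate(user, job, can_create):
    """Return (job_created, creator_can_read_it)."""
    created = can_create(user, job)
    return created, created and has_project_permission(user, job, "Job/Read")

def audit_orphans(jobs_by_creator):
    """Jobs whose creator holds no project role matching the job name."""
    return sorted(
        job for user, jobs in jobs_by_creator.items() for job in jobs
        if not any(re.fullmatch(r.pattern, job)
                   for r in PROJECT_ROLES.get(user, [])))

if __name__ == "__main__":
    for name in ("testDev", "prodDeploy"):
        print(name, "observed:", simulate("testUser", name, can_create_observed),
              "requested:", simulate("testUser", name, can_create_requested))
    print("orphans:", audit_orphans({"testUser": ["testDev", "prodDeploy"]}))
```

A result of `(True, False)` corresponds to observation 3: the job exists on the controller, but its creator cannot read it and gets the 404.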

            oleg_nenashev Oleg Nenashev added a comment -

            I added it to the GSoC 2019 project idea as a UX improvement (better validation of what is being created). As Daniel Beck says, new APIs may be needed to make it possible. Also, "Allow creating a job to which the user has no permission in Role Strategy" is actually a valid use-case for some configurations of Ownership-based security when ownership is being automatically set upon creation. https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

            danielbeck Daniel Beck added a comment -

            ItemListener has checkBeforeCopy but of course no checkBeforeCreate. I hate these narrow API additions that make things a mess.

            oleg_nenashev Oleg Nenashev added a comment -

            Harpreet Nain agreed

            hnain Harpreet Nain added a comment -

            OK, thanks! Got it. The help text on the project name verifier config was a bit misleading. Noticed that even though it prevents the user from configuring or running a job that does not follow the pattern, the job still gets created. It would have been neat if it gave an error and did not generate unnecessary jobs.


              People

              • Assignee: Oleg Nenashev (oleg_nenashev)
              • Reporter: Matthew Webber (mwebber)
              • Votes: 15
              • Watchers: 20
