  1. Jenkins
  2. JENKINS-21331

GitHub teams should be available groups for matrix based security when using GitHub OAuth plugin


      Description

      Permission granularity when using the plugin is extremely limited. It would be nice if the plugin could also provide some kind of matrix to set permissions for individual users or GitHub teams (ideally).

      Also it would be extremely useful if you could link any job to a GitHub project and map GitHub permissions to job permissions. Users with pull access should only see the results, users with push access should also be able to execute the job and users with admin access should be able to edit the job's configuration.


            Activity

            lucasocio Leandro Lucarella created issue -
            sag47 Sam Gleske made changes -
            Field Original Value New Value
            Link This issue is duplicated by JENKINS-28575 [ JENKINS-28575 ]
            sag47 Sam Gleske made changes -
            Summary: "Improve usage of github permissions to be able to assign individual permissions to users or teams" changed to "GitHub teams should be an option for matrix based security when using GitHub OAuth plugin"
            sag47 Sam Gleske added a comment - - edited

            It's not as limited as you speak. One can use the Project-based Matrix Authorization Strategy or Matrix-based security to call out organizations and individual users.

            However, GitHub teams are not accessible as groups so this is still a sorely needed feature.

            sag47 Sam Gleske added a comment -

            It would be preferable for the teams to be accessed via Org/Team. I've attached a screenshot.

            • samrocketman is a GitHub user.
            • s2disk is a GitHub org.
            • s2disk/Owners is a GitHub team.
            sag47 Sam Gleske made changes -
            Attachment jenkins_github_teams.png [ 29908 ]
            sag47 Sam Gleske made changes -
            Summary: "GitHub teams should be an option for matrix based security when using GitHub OAuth plugin" changed to "GitHub teams should be groups for matrix based security when using GitHub OAuth plugin"
            sag47 Sam Gleske made changes -
            Summary: "GitHub teams should be groups for matrix based security when using GitHub OAuth plugin" changed to "GitHub teams should be available groups for matrix based security when using GitHub OAuth plugin"
            sag47 Sam Gleske added a comment -

            I updated the subject of the issue to make the problem more obvious to a developer.

            jcarsique Julien Carsique added a comment - - edited

            As explained in JENKINS-28575:

            Your suggestion is exactly what I've done in the pull-request, except that I couldn't use the slash ("/") as a separator between Org and Team: that generates browsing issues on the Jenkins side. So I chose to use an asterisk ("*"; see https://github.com/jcarsique/github-oauth-plugin/commit/74f0e9eecea5f3777e7935d9e7c762f4f5f51b70#diff-8524b26b72d1d1cd6ddf1048e92b23a1R19 ): any character filtered out by GitHub would be convenient.

            Do you want me to resubmit https://github.com/jenkinsci/github-oauth-plugin/pull/36 with the right JIRA issue?
            With or without the first "format & cleanup" commit ( https://github.com/jcarsique/github-oauth-plugin/commit/a310a6f0690b17d72f193827ae8f84f1ba7960da )?
            I've been using the suggested PR for two weeks in my company, with no issues.

            Note this can be seen as a major security fix since the current behavior actually gives access to GitHub organizations named "Owners", "Developers", "Administrators"... when someone wants to grant access to their organization's teams.
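
The name collision described in the comment above, and the Org*Team naming that avoids it, as an added sketch that is not part of the thread or the plugin's code. The user names, the unrelated organization called "Owners" and the helper methods are constructed for illustration; s2disk and Owners come from the thread.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added illustration; not code from github-oauth-plugin. Users and the
// second organization are constructed; s2disk and Owners come from the thread.
public class TeamAuthorityDemo {
    // Separator adopted in the thread: a character GitHub filters out of names.
    static final String SEP = "*";

    // Groups when only organization logins are exposed (orgs -> their teams).
    static Set<String> orgOnly(String user, Map<String, Set<String>> orgs) {
        Set<String> out = new TreeSet<>(orgs.keySet());
        out.add(user);
        return out;
    }

    // Groups when every team is also exposed, qualified as Org*Team.
    static Set<String> withTeams(String user, Map<String, Set<String>> orgs) {
        Set<String> out = orgOnly(user, orgs);
        orgs.forEach((org, teams) -> teams.forEach(t -> out.add(org + SEP + t)));
        return out;
    }

    // A matrix row grants the permission to any matching user or group name.
    static boolean allowed(Set<String> groups, Set<String> matrixRow) {
        return !Collections.disjoint(groups, matrixRow);
    }

    public static void main(String[] args) {
        // member1 belongs to org s2disk and its Owners team.
        Map<String, Set<String>> member = Map.of("s2disk", Set.of("Owners"));
        // user2 belongs to an unrelated organization that is itself named Owners.
        Map<String, Set<String>> stranger = Map.of("Owners", Set.<String>of());

        Set<String> bareRow = Set.of("Owners");            // admin meant the team
        Set<String> qualifiedRow = Set.of("s2disk" + SEP + "Owners");

        // Bare name: matches the unrelated org "Owners", not the intended team.
        System.out.println(allowed(orgOnly("member1", member), bareRow));
        System.out.println(allowed(orgOnly("user2", stranger), bareRow));
        // Qualified name: matches only members of the s2disk Owners team.
        System.out.println(allowed(withTeams("member1", member), qualifiedRow));
        System.out.println(allowed(withTeams("user2", stranger), qualifiedRow));
    }
}
```

When auditing an existing matrix, any row whose name equals a bare team name such as "Owners" is worth reviewing, since it resolves to an organization of that name rather than to a team.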

            sag47 Sam Gleske added a comment -

            I think amending the commit messages to include JENKINS-21331 instead would be a good idea. If "/" is not technically an option then I guess I'm okay with it. Can you elaborate on "browsing issues"? Perhaps there's a workaround to the issues you encountered if I learned more.

            jcarsique Julien Carsique added a comment -

            Amending, yes of course. I'll do it today.
            Browsing issues in URLs referencing a group, like "jenkins/externalGroups/Org/Team" displayed in "jenkins/groups" (I'm using the Role Based Access Control Plugin - http://jenkins-enterprise.cloudbees.com/docs/user-guide-docs/rbac.html). Of course it works with "jenkins/externalGroups/Org*Team". I'm giving the "%2F" you suggested a try, but I expect automated translations leading to the breaking slash in the URL... we'll see.

            jcarsique Julien Carsique added a comment -

            PR updated with the right JIRA ref on the last commit.
            I tested "%2F" and it does not work: auto-completion on group definition waits for "%2F" which is ugly. I guess "*" is fine even if "/" would be better.

            sag47 Sam Gleske added a comment - - edited

            Yes, I'm okay with using * instead if that's the case. What I originally meant is in the UI the user types org/team but the backend translates that to %2F. But for now * simplifies the issue I think.

            sag47 Sam Gleske made changes -
            Status Open [ 1 ] Closed [ 6 ]
            Assignee Sam Kottler [ skottler ] Sam Gleske [ sag47 ]
            Resolution Duplicate [ 3 ]
            jcarsique Julien Carsique added a comment -

            Sam Gleske you've closed both issues (JENKINS-21331 and JENKINS-28575) as duplicate. The pull request (https://github.com/jenkinsci/github-oauth-plugin/pull/36) is not yet merged.

            sag47 Sam Gleske made changes -
            Resolution Duplicate [ 3 ]
            Status Closed [ 6 ] Reopened [ 4 ]
            sag47 Sam Gleske added a comment -

            Sorry, that was a mistake. I must have misread.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Julien Carsique
            Path:
            pom.xml
            src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
            src/main/java/org/jenkinsci/plugins/GithubOAuthGroupDetails.java
            src/main/java/org/jenkinsci/plugins/GithubOAuthUserDetails.java
            src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java
            http://jenkins-ci.org/commit/github-oauth-plugin/7fea11475da28861ddf1f1e09add6a93a1bbfc6a
            Log:
            JENKINS-21331: include teams as groups

            duplicate: JENKINS-28575

            Conflicts:
            src/main/java/org/jenkinsci/plugins/GithubAuthenticationToken.java
            src/main/java/org/jenkinsci/plugins/GithubSecurityRealm.java

            sag47 Sam Gleske added a comment -

            Latest release fixes it.

            sag47 Sam Gleske made changes -
            Status Reopened [ 4 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            sag47 Sam Gleske added a comment -

            Fixed in release 0.21.

            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 153195 ] JNJira + In-Review [ 194503 ]

              People

              • Assignee:
                sag47 Sam Gleske
                Reporter:
                lucasocio Leandro Lucarella
              • Votes: 2
              • Watchers: 4
