JENKINS-2324

Feature - Set read permission by project for project-based security

    Details

    • Type: Patch
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: security
    • Labels:
      None
    • Environment:
      Platform: All, OS: All

      Description

      We'd like to use Hudson for different projects with different team members,
      who should see only the projects in which they work, not all projects.

      We use the user directory from Hudson itself and the "Project-based Matrix
      Authorization Strategy"...

      1. read-perm.patch
        10 kB
        adphillips
      2. read-perm-v2.patch
        9 kB
        adphillips

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          branches/rc/core/src/main/java/hudson/model/Hudson.java
          branches/rc/core/src/main/java/hudson/util/VersionNumber.java
          branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
          http://fisheye4.cenqua.com/changelog/hudson/?cs=17437
          Log:
          bug fix for the auto upgrade handling for JENKINS-2324.

          mdonohue mdonohue added a comment -

          See issue 3630 for a different opinion on sending 404 when the user does not
          have read permission

          quickshiftin nathan nobbe added a comment -

          Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs.

          In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to the same LDAP group that worked on the global level). After removing the global entry and leaving just the job-level configuration, users cannot log in anymore and get the error '... is missing the read permission'.

          Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.

          danielbeck Daniel Beck added a comment -

          Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.
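
          The additive behaviour discussed in the two comments above, as a simplified model. This is an added example, not Jenkins code and not part of the original thread; the job names, the `authenticated` sid used for "everyone", `ROLE_OTHER`, and the assumption that the first setup granted Job/Read globally are all constructed for illustration.

```python
# Simplified model of additive matrix authorization (assumption: this mirrors
# the behaviour described in the thread; it is not Jenkins source code).
OVERALL_READ = "Overall/Read"
JOB_READ = "Job/Read"


def granted(sids, grants, permission):
    """True if any of the user's sids holds `permission` in a grant table."""
    return any(permission in grants.get(sid, set()) for sid in sids)


def evaluate(sids, global_grants, job_grants):
    """Return (can_log_in, visible_jobs) for a user identified by `sids`.

    Grants are additive: a job-level table can add to what the global table
    gives, but it can never take a globally granted permission away.
    """
    if not granted(sids, global_grants, OVERALL_READ):
        return False, []  # the "... is missing the read permission" case
    visible = sorted(
        job for job, table in job_grants.items()
        if granted(sids, global_grants, JOB_READ)
        or granted(sids, table, JOB_READ)
    )
    return True, visible


# Constructed sample data: one LDAP user and two jobs with job-level tables.
USER = {"alice", "authenticated", "ROLE_PROJECT_ACCESS"}
JOBS = {
    "team-a-build": {"ROLE_PROJECT_ACCESS": {JOB_READ}},
    "team-b-build": {"ROLE_OTHER": {JOB_READ}},
}


def scenarios():
    """The three configurations from the thread, evaluated for USER."""
    return {
        # Group holds read permissions globally: every job is visible.
        "global_grant": evaluate(
            USER, {"ROLE_PROJECT_ACCESS": {OVERALL_READ, JOB_READ}}, JOBS),
        # Global entry removed, job-level only: login fails.
        "job_level_only": evaluate(USER, {}, JOBS),
        # Overall/Read for everyone, Job/Read per project.
        "overall_read_plus_job_read": evaluate(
            USER, {"authenticated": {OVERALL_READ}}, JOBS),
    }
```

          A quick audit that follows from the model: any sid holding Job/Read in the global table defeats per-project scoping, whatever the job-level tables say.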

          rameshpaul Paul P added a comment -

          Just a trivial question: where would I be putting this patch? I am not sure where to put this patch. Please help.


            People

            • Assignee: adphillips
            • Reporter: klattenhoff
            • Votes: 0
            • Watchers: 3