Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-2324

Feature - Set read permission by project for project-based security

    Details

    • Type: Patch
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: security
    • Labels:
      None
    • Environment:
      Platform: All, OS: All
    • Similar Issues:
      Show 5 results

      Description

      We'd like to use hudson for different projects with different team members,
      which only should see the projects in which they work, not all projects.

      We use the user directory from hudson itself and the "Project-based Matrix
      Authorization Strategy"...

        Attachments

          Issue Links

            Activity

            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: : kohsuke
            Path:
            branches/rc/core/src/main/java/hudson/model/Hudson.java
            branches/rc/core/src/main/java/hudson/util/VersionNumber.java
            branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java
            http://fisheye4.cenqua.com/changelog/hudson/?cs=17437
            Log:
            bug fix for the auto upgrade handling for JENKINS-2324.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in hudson User: : kohsuke Path: branches/rc/core/src/main/java/hudson/model/Hudson.java branches/rc/core/src/main/java/hudson/util/VersionNumber.java branches/rc/core/src/test/java/hudson/util/VersionNumberTest.java http://fisheye4.cenqua.com/changelog/hudson/?cs=17437 Log: bug fix for the auto upgrade handling for JENKINS-2324 .
            Hide
            mdonohue mdonohue added a comment -

            See issue 3630 for a different opinion on sending 404 when the user does not
            have read permission

            Show
            mdonohue mdonohue added a comment - See issue 3630 for a different opinion on sending 404 when the user does not have read permission
            Hide
            quickshiftin nathan nobbe added a comment -

            Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs.

            In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to same LDAP group that worked on global level). Removing the global entry and leaving just the job level configuration users cannot login anymore and get the error '... is missing the read permission'.

            Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.

            Show
            quickshiftin nathan nobbe added a comment - Hi, is there any reason this wouldn't work in conjunction with LDAP? In global configuration 'Project-based Matrix Authorization Strategy' is selected. With an entry ROLE_PROJECT_ACCESS that maps to an LDAP posix group (projectAccess) authorization works as expected, but the users can see all jobs. In the job configuration 'Enable project-based security' is checked and going with ROLE_PROJECT_ACCESS (trying to map to same LDAP group that worked on global level). Removing the global entry and leaving just the job level configuration users cannot login anymore and get the error '... is missing the read permission'. Maybe the job level configuration isn't aware of the LDAP nomenclature? Running Jenkins 1.446 on Ubuntu / Jetty.
            Hide
            danielbeck Daniel Beck added a comment -

            Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.

            Show
            danielbeck Daniel Beck added a comment - Nathan Nobbe: Permissions cannot be removed on a per-project basis. You need to give everyone 'Overall/Read' globally, and then give them project-specific 'Job/Read' on every project they should have access to.
            Hide
            rameshpaul Paul P added a comment -

            Just a trivial question ,where would i be putting this patch. Am not sure where to put this patch.please help

            Show
            rameshpaul Paul P added a comment - Just a trivial question ,where would i be putting this patch. Am not sure where to put this patch.please help

              People

              • Assignee:
                adphillips adphillips
                Reporter:
                klattenhoff klattenhoff
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: