Jenkins / JENKINS-24767

Role-based Authorization Strategy not working with sub-folders

      Description

      Using the folder structure below, trying to give a user access to ONLY the contents of FolderA. I'd expect

      .*FolderA.*

      to do that.

      To Reproduce:
      Create this folder structure:
      Folder1/
      Folder1/FolderA/
      Folder1/FolderA/JobA
      Folder1/FolderB/
      Folder1/FolderB/JobB
      Folder1/Job1

      Try these search expressions:

       -> ".*Folder1.*" Works
       -> ".*FolderA.*" Does NOT work
       -> ".*JobA.*" Does NOT work
       -> ".*FolderB.*" Does NOT work
       -> ".*JobB.*" Does NOT work
       -> ".*Job1.*" Does NOT work
      

          Activity

          akrysko Alexander Krysko added a comment -

          Daniel Beck, after several tries I got what I needed, thank you.

          danielbeck Daniel Beck added a comment -

          The second comment on this issue explains what you need to do.

          akrysko Alexander Krysko added a comment -

          I'm using Jenkins 2.134 with Role-based Authorization Strategy ver. 2.8.1 + Folders Plugin of ver. 6.5.1.
          Structure of Jenkins projects with sub-folder structure:
          Platform1/Project1/Job-1 .. Job-n
          Platform2/Project2/Job-1 .. Job-n
          Platform3/Project3/Job-1 .. Job-n
           
          I'm struggling with granting Build/Configure access to an Active Directory group only for Platform1/Project1/Job-1 .. Job-n
          without exposing read access to 
          Platform2/Project2/Job-1 .. Job-n and others?
           
          So that when a user from the AD group logs into Jenkins, he sees only the project he was given access to.
           
          When I remove Overall read access in the Global Role for the group 'users', which is assigned to AD, users do not see what's matched by the regexp under Project Roles.
           
          I'm using the following regular expressions to grant read/edit permissions:
          Platform1/Project1/.*
          Platform2/Project2/.***
          Platform3/Project3/.***
           
          Platform and Project are case sensitive.

          oleg_nenashev Oleg Nenashev added a comment -

          I am closing it as "Not a defect" though the plugin documentation would benefit from more examples

          oleg_nenashev Oleg Nenashev added a comment -

          > So it appears impossible to restrain the access to nested folders as we have to put at least a READ right to the root folder, then this READ right inherits to all nested folders and jobs, even the ones we don't want to give a READ right.

          It is possible, but the permission regexp should be properly defined to prevent exposure of the permissions to lower levels.

           

          > So, do I have to create an issue on this point? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders?

          It is. Just write a regular expression which checks there is only one slash in the path after the folder. Not an ideal solution, of course.

           

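The behaviour discussed in this thread, modelled as an added example (not code from the issue or from the plugin). It assumes each role pattern must match an item's whole full name, that an item is only visible when every parent folder is readable too, and it uses Python's `re.fullmatch` as a stand-in for the plugin's Java regex matching; the function names and the `SCOPED` pattern set are illustrative.

```python
import re

# Item full names taken from the reproduction steps in the issue description.
ITEMS = [
    "Folder1", "Folder1/FolderA", "Folder1/FolderA/JobA",
    "Folder1/FolderB", "Folder1/FolderB/JobB", "Folder1/Job1",
]

def granted(patterns, items=ITEMS):
    """Items whose full name is matched in full by at least one role pattern."""
    compiled = [re.compile(p) for p in patterns]
    return [i for i in items if any(c.fullmatch(i) for c in compiled)]

def reachable(patterns, items=ITEMS):
    """Granted items whose ancestor folders are all granted as well
    (assumption: an unreadable parent folder hides everything below it)."""
    ok = set(granted(patterns, items))
    visible = []
    for item in items:
        parts = item.split("/")
        chain = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]
        if all(node in ok for node in chain):
            visible.append(item)
    return visible

def exposed_outside(patterns, allowed, items=ITEMS):
    """Granted items that are neither inside `allowed` nor a parent of it."""
    leaks = []
    for item in granted(patterns, items):
        inside = item == allowed or item.startswith(allowed + "/")
        parent = allowed.startswith(item + "/")
        if not (inside or parent):
            leaks.append(item)
    return leaks

BROAD = [r".*Folder1.*"]   # "works" in the report, but matches every item
NARROW = [r".*FolderA.*"]  # matches FolderA items, yet Folder1 stays unreadable
# Illustrative scoped set: the root folder by exact name, plus FolderA and
# at most one more path segment below it (the "only one slash" idea).
SCOPED = [r"Folder1", r"Folder1/FolderA(/[^/]+)?"]

if __name__ == "__main__":
    for name, pats in (("BROAD", BROAD), ("NARROW", NARROW), ("SCOPED", SCOPED)):
        print(name, "visible:", reachable(pats),
              "leaks:", exposed_outside(pats, "Folder1/FolderA"))
```

Running a candidate pattern set through a check like this before saving a project role shows both failure modes: items that stay hidden because a parent is unreadable, and sibling folders that a broad pattern exposes.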

            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              bobtheshrew Eric Anker