JENKINS-24767

Role-based Authorization Strategy not working with sub-folders

    Description

      Using the folder structure below, trying to give a user access to ONLY the contents of FolderA. I'd expect

      .*FolderA.*

      to do that.

      To Reproduce:
      Create this folder structure:
      Folder1/
      Folder1/FolderA/
      Folder1/FolderA/JobA
      Folder1/FolderB/
      Folder1/FolderB/JobB
      Folder1/Job1

      Try these search expressions:

       -> ".*Folder1.*" Works
       -> ".*FolderA.*" Does NOT work
       -> ".*JobA.*" Does NOT work
       -> ".*FolderB.*" Does NOT work
       -> ".*JobB.*" Does NOT work
       -> ".*Job1.*" Does NOT work
      

        Activity
          bobtheshrew Eric Anker created issue -
          danielbeck Daniel Beck added a comment -

          Similar to a file system, you need to provide access to every item in the hierarchy. So Item/Read on Folder1 and any relevant permissions on Folder1/FolderA should do it.

          danielbeck Daniel Beck made changes -
          Field Original Value New Value
          Assignee Jesse Glick [ jglick ] Oleg Nenashev [ oleg_nenashev ]
          Component/s cloudbees-folder [ 18137 ]
          bobtheshrew Eric Anker added a comment -

          Thank you for the speedy response.

          I got what I needed by making 2 roles.
          Folder1View with RegEx: "Folder1" and Job/Read ticked
          Folder1FolderA with RegEx: "Folder1/FolderA.*" and Job/Read + Job/Build ticked

          bobtheshrew Eric Anker made changes -
          Description: wrapped the regular expressions in {noformat} blocks (text otherwise unchanged)
          bobtheshrew Eric Anker added a comment -

          Some additional help text somewhere would be welcome. Thanks for your help!

          bobtheshrew Eric Anker made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Resolution Not A Defect [ 7 ]
          orenault Olivier Renault added a comment -

          Hi,
          I've got the same need: restrict access to the nested folders.

          But if I apply the same two roles (one role for the root folder, Folder1, and one role for the nested folder, FolderA), I get the following:

          • I can access to the Folder1/FolderA/JobA: I can build it
          • but I can also access to the Folder1/FolderB/JobB: I can't build it

          => Due to the first role "Folder1View with RegEx: "Folder1" and Job/Read ticked", all nested folders in Folder1 inherit the READ right.

          => so it is possible to read the content of all nested folders (aka FolderB) and all its content (JobB).

          => if we apply a 3rd role like "Folder1FolderB with RegEx: "Folder1/FolderB.*" and nothing ticked", this does not remove the READ right on FolderB.

          So it appears impossible to restrict access to nested folders, as we have to grant at least a READ right on the root folder, and this READ right is then inherited by all nested folders and jobs, even the ones we don't want to give a READ right to.
          So, do I have to create an issue on this point ? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders ?
          Regards
          Olivier

          oleg_nenashev Oleg Nenashev made changes -
          Resolution Not A Defect [ 7 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          oleg_nenashev Oleg Nenashev added a comment -

          Reopened the issue in order to troubleshoot the report from Olivier Renault

          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 157805 ] JNJira + In-Review [ 186231 ]
          oleg_nenashev Oleg Nenashev added a comment -

          > So it appears impossible to restrein the access to nested folders as we have to put at least a READ right to the root folder, then this READ right inherits to all nested folders and jobs, even the ones we don't want to give a READ right.

          It is possible, but the permission regexp should be properly defined to prevent exposure of the permissions to lower levels

           

          > So, do I have to create an issue on this point ? Or is it possible to really "give a user access to ONLY the contents of FolderA" without giving READ access to other folders ?

          It is. Just write a regular expression which checks that there is only one slash in the path after the folder. Not an ideal solution, of course.

           

          oleg_nenashev Oleg Nenashev added a comment -

          I am closing it as "Not a defect" though the plugin documentation would benefit from more examples

          oleg_nenashev Oleg Nenashev made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Not A Defect [ 7 ]
          akrysko Alexander Krysko added a comment -

          I'm using Jenkins 2.134 with Role-based Authorization Strategy ver. 2.8.1 + Folders Plugin of ver. 6.5.1.
          Structure of Jenkins projects with sub-folder structure:
          Platform1/Project1/Job-1 .. Job-n
          Platform2/Project2/Job-1 .. Job-n
          Platform3/Project3/Job-1 .. Job-n
           
          I'm struggling with granting Build/Configure access to an Active Directory group only for Platform1/Project1/Job-1 .. Job-n
          without exposing read access to 
          Platform2/Project2/Job-1 .. Job-n and others?
           
          So that when user from AD group logs into Jenkins he see only the project he was given access to.
           
          When I remove Overall read access in Global Role for group 'users' which assigned to AD - users do not see what's matched by regexp under Project Roles.
           
          I'm using the following regular expressions to grant read/edit permissions:
          Platform1/Project1/.*
          Platform2/Project2/.***
          Platform3/Project3/.***
           
          Platform and Project are case sensitive.

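The following is an added model of how item-role patterns scope permissions in the scenarios discussed in this issue (Eric Anker's two-role fix, the "read leaks to sibling folders" symptom, Oleg Nenashev's "only one slash after the folder" advice, and the Overall/Read requirement Alexander Krysko ran into). It is stand-alone example code, not the Role-based Authorization Strategy plugin's own code, and it rests on two stated assumptions: the pattern must match the entire item full name (Java Matcher.matches(), modelled with re.fullmatch), and, as Daniel Beck's comment describes, an item is only reachable when the user has Read on every ancestor folder. The item tree is constructed from the report; no permission inheritance beyond that rule is modelled.

```python
import re
from dataclasses import dataclass

# Constructed item tree taken from the report (Jenkins "full names").
ITEMS = [
    "Folder1",
    "Folder1/FolderA",
    "Folder1/FolderA/JobA",
    "Folder1/FolderB",
    "Folder1/FolderB/JobB",
    "Folder1/Job1",
]

READ = frozenset({"Read"})
READ_BUILD = frozenset({"Read", "Build"})


@dataclass(frozen=True)
class Role:
    name: str
    pattern: str            # the regex typed into the item role's "Pattern" field
    permissions: frozenset  # the permission boxes ticked for that role


def matches(role: Role, full_name: str) -> bool:
    # Assumption: the pattern must match the whole full name (Java Matcher.matches());
    # re.fullmatch is the Python equivalent, so ".*FolderA.*" never matches "Folder1".
    return re.fullmatch(role.pattern, full_name) is not None


def granted(roles, full_name: str) -> set:
    """Union of the permissions of every role whose pattern matches the item."""
    perms = set()
    for role in roles:
        if matches(role, full_name):
            perms |= role.permissions
    return perms


def ancestors(full_name: str):
    parts = full_name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def readable(roles, full_name: str, overall_read: bool = True) -> bool:
    """Overall/Read from a global role, then Read on every ancestor, then on the item."""
    if not overall_read:
        return False
    return (all("Read" in granted(roles, a) for a in ancestors(full_name))
            and "Read" in granted(roles, full_name))


def visible(roles, items=ITEMS, overall_read=True):
    return sorted(i for i in items if readable(roles, i, overall_read))


def buildable(roles, items=ITEMS, overall_read=True):
    return sorted(i for i in items
                  if readable(roles, i, overall_read) and "Build" in granted(roles, i))


# 1. The reporter's first attempt: nothing matches the parent, so nothing is reachable.
ATTEMPT = [Role("FolderA", r".*FolderA.*", READ_BUILD)]

# 2. Eric Anker's two-role fix: Read on the root folder itself, Read+Build below FolderA.
TWO_ROLES = [
    Role("Folder1View", r"Folder1", READ),
    Role("Folder1FolderA", r"Folder1/FolderA.*", READ_BUILD),
]

# 3. The same fix with an over-broad root pattern: Read leaks to FolderB and JobB.
LEAKY = [
    Role("Folder1View", r"Folder1.*", READ),
    Role("Folder1FolderA", r"Folder1/FolderA.*", READ_BUILD),
]

# 4. Oleg Nenashev's suggestion: let the root role reach at most one path segment down,
#    and anchor the FolderA role on a slash so a sibling "FolderAB" is not swept in.
ONE_LEVEL = [
    Role("Folder1View", r"Folder1(/[^/]+)?", READ),
    Role("Folder1FolderA", r"Folder1/FolderA(/.*)?", READ_BUILD),
]

if __name__ == "__main__":
    for label, roles in [("attempt", ATTEMPT), ("two roles", TWO_ROLES),
                         ("leaky", LEAKY), ("one level", ONE_LEVEL)]:
        print(f"{label:10s} visible={visible(roles)} buildable={buildable(roles)}")
```

Two practical checks fall out of the model. First, a root-folder pattern that can match descendants (Folder1.* rather than Folder1) is exactly what grants Read on every sibling folder, so keep the root role's pattern as narrow as the UI navigation requires. Second, Folder1/FolderA.* is a prefix match: it also matches an item named Folder1/FolderAB, whereas Folder1/FolderA(/.*)? matches FolderA and its descendants only. The Platform1/Project1 layout works the same way, with Platform1 and Platform1/Project1 each needing Read before anything under them is reachable, and with Overall/Read still required in a global role.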
          akrysko Alexander Krysko made changes -
          Resolution Not A Defect [ 7 ]
          Status Resolved [ 5 ] Reopened [ 4 ]
          danielbeck Daniel Beck added a comment -

          The second comment on this issue explains what you need to do.

          akrysko Alexander Krysko made changes -
          Comment [ Second comment is not very specific. In plugin configuration there are Global and Project roles. So
           * should there be Overall Read checkbox in a Global role
           * should there be Job Read checkbox in a Global role

          May I ask someone who succeeded in described configuration to attach screenshots? ]
          akrysko Alexander Krysko added a comment -

          Daniel Beck, after several tries I got what I needed, thank you.

          oleg_nenashev Oleg Nenashev made changes -
          Status Reopened [ 4 ] Fixed but Unreleased [ 10203 ]
          Resolution Not A Defect [ 7 ]

            People

            • Assignee: oleg_nenashev Oleg Nenashev
            • Reporter: bobtheshrew Eric Anker
            • Votes: 0
            • Watchers: 4