JENKINS-27055

Slave To Master Access Control needs updating for JENKINS_HOME layout change

      Description

      If you look on the wiki describing the Slave To Master Access Control, there is a section on File access rules, where it says:

      <BUILDDIR> can be used as a prefix to match your build record directory, such as /var/lib/jenkins/job/foo/builds/2014-10-17_12-34-56

      However, Jenkins versions after 1.597 have a different home directory structure (see JENKINS-24380). The wiki page for Slave To Master Access Control reflects the old layout.

      Can someone confirm (or otherwise) that the <BUILDDIR> token works in Jenkins both before and after 1.597, and update the wiki accordingly?

            Activity

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4030
            [FiXED JENKINS-27055] <BUILDID> should now also match numeric build IDs. (Revision 20c458d9933b5d25fc472f84ba8dbbf4eae5edee)

            Result = SUCCESS
            jesse glick : 20c458d9933b5d25fc472f84ba8dbbf4eae5edee
            Files :

            • test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
            • core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java
            test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
            http://jenkins-ci.org/commit/jenkins/e54b19d872317e135c46a415df80651d0de8dbfa
            Log:
            JENKINS-27055 Noting merge of #1621.

            Compare: https://github.com/jenkinsci/jenkins/compare/cfa4b100be1b...e54b19d87231

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java
            test/src/test/java/jenkins/security/DefaultFilePathFilterTest.java
            http://jenkins-ci.org/commit/jenkins/20c458d9933b5d25fc472f84ba8dbbf4eae5edee
            Log:
            [FiXED JENKINS-27055] <BUILDID> should now also match numeric build IDs.

            danielbeck Daniel Beck added a comment -

            Jesse Glick This needs fixing, the pattern for build ID is definitely wrong since the layout change:

            https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/jenkins/security/s2m/FilePathRuleConfig.java#L43

            mwebber Matthew Webber added a comment -

            Asking Jesse to comment, since it's related to his original change.

            mwebber Matthew Webber added a comment -

            The reason I think that there is an issue here, is that ${JENKINS_HOME}/secrets/filepath-filters.d/30-default.conf contains the following:

            # Various plugins read/write files under build directories, so allow them all.
            # - git 1.x writes changelog.xml from the slave (2.x writes from the master so need not be listed)
            # - analysis-core and plugins based on it write reports to workspace-files/
            # - cobertura writes coverage.xml
            # - violations writes violations.xml and other content under violations/
            # - dependency-check writes archive/artifacts.txt
            # But not allowing deletion to prevent data loss and symlink to prevent jailbreaking.
            allow create,mkdirs,read,stat,write <BUILDDIR>/.+
            

            But, it's not working for me in Jenkins 1.597+ (see JENKINS-27053) - I get
            slave may not mkdirs /exports/jenkins_home/jobs/Controls_TopUp_unittests/builds/439/violations

            Is <BUILDDIR>/.+ correct in newer Jenkins?

            I got the violations plugin to work by adding file secrets/filepath-filters.d/50-gui.conf containing this:

            allow create,mkdirs,read,stat,write <JENKINS_HOME>/jobs/.*
            
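Added example (not part of the issue thread and not Jenkins' own code): a small Python model of how a filepath-filters.d rule is matched, showing why a timestamp-only <BUILDID> pattern rejects builds/439 and that the <JENKINS_HOME>/jobs/.* workaround also covers a job's config.xml. The token expansions, the first-match-wins evaluation and the config.xml path are assumptions made for illustration.

```python
import re

# Assumed token expansions, modelled on the issue text. They are NOT copied
# from Jenkins' FilePathRuleConfig.
TIMESTAMP_ID = r"[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}-[0-9]{2}-[0-9]{2}"
OLD_BUILDID = TIMESTAMP_ID                    # old layout: timestamp directories only
NEW_BUILDID = rf"(?:{TIMESTAMP_ID}|[0-9]+)"   # after the fix: numeric build IDs too

# Constructed sample input, taken from the paths and rules quoted in the thread.
HOME = "/exports/jenkins_home"
DEFAULT_RULE = "allow create,mkdirs,read,stat,write <BUILDDIR>/.+"
WORKAROUND_RULE = "allow create,mkdirs,read,stat,write <JENKINS_HOME>/jobs/.*"
NUMERIC_BUILD = HOME + "/jobs/Controls_TopUp_unittests/builds/439/violations"
TIMESTAMP_BUILD = HOME + "/jobs/foo/builds/2014-10-17_12-34-56/violations"
JOB_CONFIG = HOME + "/jobs/Controls_TopUp_unittests/config.xml"  # hypothetical path


def compile_rule(line, jenkins_home, buildid):
    """Parse 'allow|deny op,op,... <path-regex>' into (allow, ops, regex)."""
    verdict, ops, path = line.split(None, 2)
    if verdict not in ("allow", "deny"):
        raise ValueError("rule must start with allow or deny: " + line)
    # Expand tokens from the most specific to the most general.
    path = path.replace("<BUILDDIR>", "<JOBDIR>/builds/<BUILDID>")
    path = path.replace("<BUILDID>", buildid)
    path = path.replace("<JOBDIR>", "<JENKINS_HOME>/jobs/.+")
    path = path.replace("<JENKINS_HOME>", re.escape(jenkins_home))
    return verdict == "allow", set(ops.split(",")), re.compile(path)


def decide(rules, op, path):
    """First matching rule wins; a request that matches no rule is rejected."""
    for allow, ops, regex in rules:
        if op in ops and regex.fullmatch(path):
            return allow
    return False


if __name__ == "__main__":
    old = [compile_rule(DEFAULT_RULE, HOME, OLD_BUILDID)]
    new = [compile_rule(DEFAULT_RULE, HOME, NEW_BUILDID)]
    wide = [compile_rule(WORKAROUND_RULE, HOME, NEW_BUILDID)]
    print("timestamp-only, builds/439:", decide(old, "mkdirs", NUMERIC_BUILD))
    print("numeric-aware,  builds/439:", decide(new, "mkdirs", NUMERIC_BUILD))
    print("numeric-aware,  config.xml:", decide(new, "write", JOB_CONFIG))
    print("workaround,     config.xml:", decide(wide, "write", JOB_CONFIG))
```

In this model the <BUILDDIR> rule stays confined to build record directories, while the workaround rule grants the same operations on everything under jobs/.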

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                mwebber Matthew Webber