Jenkins / JENKINS-27134

Permission for input approval, or choice of Jenkins-specific group as submitter

      Description

      Currently the input step allows you to specify a submitter, which may be a user ID or an external group ("granted authority"). This does not work well with authorization strategies, especially those that allow you to group together users inside Jenkins, such as (but not limited to) nectar-rbac in Jenkins Enterprise by CloudBees.

      Arguably the more natural approach would be for InputStep to define a new permission, "approve flow", which would be checked on the WorkflowRun (can use PermissionScope.RUN). Thus rather than specifying a submitter for a particular step you would just ensure there was an RBAC group defined on the flow job (or its folder, etc.) which granted that permission and included the people you want. Then no reference need be made to any particular AuthorizationStrategy at all; this behavior would just follow from the Jenkins authorization model.

      If defined, submitter would still be consulted in case the approving user lacked the new permission. There is a potential compatibility issue in case submitter was not defined; today that means that any user (even anonymous) can approve the flow, whereas we would want the new permission to be enforced. Unfortunately Jenkins offers no way to mark a newly introduced Permission as "granted until explicitly denied", except via system property hacks; see comment in JENKINS-17200. Lacking that, the only option is to break compatibility and say that existing input steps without submitter will now reject random users from approving. The new permission could be implied by, for example, Item.CONFIGURE to minimize the impact—approval by the person who wrote the flow would still be guaranteed to work.
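      The decision logic described above, as an added plain-Java model (not code from Jenkins or the input step plugin) that prints who may approve under the current behaviour and under the proposal. The permission name `Run.APPROVE_FLOW`, the sample users and the group `release-managers` are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

/** Added model of the approval decision; plain Java, not Jenkins or plugin code. */
public class InputApprovalModel {
    // Hypothetical permission name; the issue only calls it "approve flow".
    static final String APPROVE = "Run.APPROVE_FLOW";
    // Implication suggested in the issue: Item.CONFIGURE implies the new permission.
    static final Map<String, String> IMPLIED_BY = Map.of(APPROVE, "Item.CONFIGURE");

    /** Constructed stand-in for a user: ID, external groups, permissions granted on the run. */
    record User(String id, Set<String> authorities, Set<String> granted) {}

    /** True if the permission, or any permission that implies it, is granted. */
    static boolean hasPermission(User u, String permission) {
        for (String p = permission; p != null; p = IMPLIED_BY.get(p)) {
            if (u.granted().contains(p)) return true;
        }
        return false;
    }

    /** submitter matches a user ID or an external group ("granted authority"). */
    static boolean matchesSubmitter(User u, String submitter) {
        return submitter != null && (submitter.equals(u.id()) || u.authorities().contains(submitter));
    }

    /** Behaviour the issue describes as current: no submitter means anyone may approve. */
    static boolean canApproveToday(User u, String submitter) {
        return submitter == null || matchesSubmitter(u, submitter);
    }

    /** Proposed: check the permission first, consult submitter only as a fallback. */
    static boolean canApproveProposed(User u, String submitter) {
        return hasPermission(u, APPROVE) || matchesSubmitter(u, submitter);
    }

    public static void main(String[] args) {
        User anonymous = new User("anonymous", Set.of(), Set.of());
        User author = new User("alice", Set.of(), Set.of("Item.CONFIGURE"));
        User rbacMember = new User("bob", Set.of(), Set.of(APPROVE));
        User ldapMember = new User("carol", Set.of("release-managers"), Set.of());
        for (User u : new User[] {anonymous, author, rbacMember, ldapMember}) {
            for (String submitter : new String[] {null, "release-managers"}) {
                System.out.printf("%-9s submitter=%-16s today=%-5b proposed=%b%n",
                        u.id(), submitter, canApproveToday(u, submitter), canApproveProposed(u, submitter));
            }
        }
    }
}
```

      The rows with no submitter show the compatibility break: a user holding neither the permission nor Item.CONFIGURE can approve today and is rejected under the proposal.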

            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-17200 [ JENKINS-17200 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-29346 [ JENKINS-29346 ]
            jglick Jesse Glick made changes -
            Link This issue is duplicated by JENKINS-31425 [ JENKINS-31425 ]
            jglick Jesse Glick made changes -
            Link This issue is related to JENKINS-31425 [ JENKINS-31425 ]
            jglick Jesse Glick made changes -
            Link This issue is duplicated by JENKINS-31425 [ JENKINS-31425 ]
            jglick Jesse Glick made changes -
            Labels permissions api permissions
            jglick Jesse Glick made changes -
            Summary Permission for input approval Permission for input approval, or choice of Jenkins-specific group as submitter
            hrmpw Patrick Wolf made changes -
            Labels api permissions api followup permissions
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 161330 ] JNJira + In-Review [ 180657 ]
            danielbeck Daniel Beck made changes -
            Labels api followup permissions api followup new-permission permissions
            abayer Andrew Bayer made changes -
            Component/s pipeline-general [ 21692 ]
            abayer Andrew Bayer made changes -
            Component/s workflow-plugin [ 18820 ]
            jglick Jesse Glick made changes -
            Component/s pipeline-input-step-plugin [ 21708 ]
            Component/s pipeline [ 21692 ]
            kshultz Karl Shultz made changes -
            Attachment screenshot-1.png [ 37563 ]
            kshultz Karl Shultz made changes -
            Attachment inputStepVideo.webm [ 37564 ]
            jamesdumay James Dumay made changes -
            Labels api followup new-permission permissions api blueocean followup new-permission permissions
            michaelneale Michael Neale made changes -
            Priority Minor [ 4 ] Major [ 3 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal CD-73 (Web Link)" [ 18976 ]

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                13
                Watchers:
                23
