Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-3824

Per-project matrix authorization strategy isn't accurate for newly created projects

XMLWordPrintable

    • Icon: New Feature New Feature
    • Resolution: Fixed
    • Icon: Critical Critical
    • matrix-auth-plugin
    • None
    • Platform: All, OS: All

      Context:
      I'm trying to use per-project authorization matrixes, in order to allow users to
      add custom jobs for branches they may have to create into the SVN repository,
      without letting them tweak the others jobs – and especially the main job,
      which surveys the repository's trunk and shall ONLY be carefully configured by
      the Hudson server's admins.

      Problem:
      -> If I don't give a standard (non-admin) user the authorization to globally
      configure projects, he/she won't be able to configure/manage his new-made
      project without requiring admin's intervention.
      -> And if I give standard users the global job-configuration power, they will be
      able to tamper with the main (trunk-related) job, which is unacceptable!

      To see the problem "live", follow this procedure:

      • Ensure Hudson is configured to use per-project matrix-based authorization
        strategy.
      • If it isn't already the case, create at least 2 users on your Hudson
        config.: one with full powers ("administrator" who sould already exist anyway),
        and a standard user (only able to read, see workspaces and build jobs).
      • If it's not already the case, create a job (named "main"), which should only
        be configured by admin(s).
      • Give the standard user the right to create jobs.
      • Exit Hudson, then log in as your standard user. "Enter" the main job: you
        can't configure it (OK). Try to create a new "branch1" job. PROBLEM (1): you get
        an error ("xxx user is missing the configure permission"); the job is however
        created, but you can't configure it (nor delete it)!
      • Exit Hudson, then log back as an administrator, then configure Hudson to
        allow the standard user to globally configure jobs.
      • Exit Hudson, then log in as your standard user. Create a new "branch2" job,
        then "enter" it: you can now configure it (OK). Exit this job, then enter the
        "main" job. PROBLEM (2): you can also configure it!

      Enhancement proposed:
      It would be desirable to automatically give an user the full powers over a job
      he/she has just created (he/she will of course have the responsibility to tune
      the authorizations on his/her new job accurately).

      Hudson server configuration:
      Hudson 1.309, running standalone (with its embedded Winstone app. server, and
      its own user database) on Linux Debian 5.0.

            Unassigned Unassigned
            kroussel kroussel
            Votes:
            2 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: