Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-41632

workspaces are still visible to anyone with READ access

    Details

    • Similar Issues:

      Description

      Workspaces are essentially public to all users that have READ access (global READ access turned on).

      So, for example, when a job uses the git SCM plugin to clone the repository into the job workspace, ALL of the code is still visible to ANYONE that has READ access. Is it possible to only allow people of the org that the repo belongs to view that content? Or does global read access for authenticated users have to be turned off?

        Attachments

          Issue Links

            Activity

            Hide
            sag47 Sam Gleske added a comment - - edited

            The GitHub Committer Authorization strategy needs a complete overhaul in my opinion. I don't use it at all because of challenges I faced around it. I use a Matrix-based authorization strategy. The authorization options are documented in the wiki.

            Regarding your question, how I have configured Jenkins is to set up Jenkins much like GitHub. For instance, if you have an organization named jenkinsci in GitHub and a project named github-oauth, then in Jenkins the project is organized with jenkinsci/github-oauth. Use the project-based matrix authorization strategy and you can restrict the jenkinsci folder only to members of the jenkinsci organization.

            From there, I essentially created the following GitHub teams:

            • jenkins-owners (highest privilege) - permission to delete the entire GitHub organization folder and delete any job in the folder. Inherits perms from jenkins-admins and jenkins-developers
            • jenkins-admins - Update builds with additional information and add/delete views. Fully manage credentials and delete builds from jobs.
            • jenkins-developers - Execute/Cancel builds. View job configuration (read only). View credentials (read only).

            Here's how I set up the permissions for the GitHub organization folder (assuming your organization is jenkinsci with the above described teams):

            • jenkinsci permissions - Item.Read
            • jenkinsci*jenkins-owners permissions - Item.Read, Item.Cancel, Item.Delete, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update
            • jenkinsci*jenkins-admins permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update
            • jenkinsci*jenkins-developers permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, Run.Update
            • anonymous - Item.Discover, Item.ViewStatus

            I don't give any user the ability to create jobs. That's offloaded to the Job DSL plugin. Folders and permissions are created per organization using Job DSL scripts as well in my install.

            Show
            sag47 Sam Gleske added a comment - - edited The GitHub Committer Authorization strategy needs a complete overhaul in my opinion. I don't use it at all because of challenges I faced around it. I use a Matrix-based authorization strategy. The authorization options are documented in the wiki . Regarding your question, how I have configured Jenkins is to set up Jenkins much like GitHub. For instance, if you have an organization named jenkinsci in GitHub and a project named github-oauth , then in Jenkins the project is organized with jenkinsci/github-oauth . Use the project-based matrix authorization strategy and you can restrict the jenkinsci folder only to members of the jenkinsci organization. From there, I essentially created the following GitHub teams: jenkins-owners (highest privilege) - permission to delete the entire GitHub organization folder and delete any job in the folder. Inherits perms from jenkins-admins and jenkins-developers jenkins-admins - Update builds with additional information and add/delete views. Fully manage credentials and delete builds from jobs. jenkins-developers - Execute/Cancel builds. View job configuration (read only). View credentials (read only). Here's how I set up the permissions for the GitHub organization folder (assuming your organization is jenkinsci with the above described teams): jenkinsci permissions - Item.Read jenkinsci*jenkins-owners permissions - Item.Read, Item.Cancel, Item.Delete, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update jenkinsci*jenkins-admins permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, CredentialsProvider.Create, Run.Update jenkinsci*jenkins-developers permissions - Item.Read, Item.Cancel, Item.Build, Item.ExtendedRead, CredentialsProvider.View, Run.Update anonymous - Item.Discover, Item.ViewStatus I don't give any user the ability to create jobs. That's offloaded to the Job DSL plugin. Folders and permissions are created per organization using Job DSL scripts as well in my install.
            Hide
            chr0n1x Kevin R. added a comment -

            Sam Gleske thanks for the detailed response, I really appreciate it!

            Actually I resolved the issue by adding the REPO OAuth permission. I only wanted collaborators of private repos to view the job in its entirety (workspace is ok in this case).

            The issue now is that the plugin seems to be caching requests. So when OAuth scopes change, we had to wait a while before jobs were showing up.
            Is there any way to disable that cache so that we can see the changes immediately? We're using enterprise so rate limits aren't an issue.
            I tried setting cache size to 0MB in the global Github config...but that didn't seem to work.

            Show
            chr0n1x Kevin R. added a comment - Sam Gleske thanks for the detailed response, I really appreciate it! Actually I resolved the issue by adding the REPO OAuth permission. I only wanted collaborators of private repos to view the job in its entirety (workspace is ok in this case). The issue now is that the plugin seems to be caching requests. So when OAuth scopes change, we had to wait a while before jobs were showing up. Is there any way to disable that cache so that we can see the changes immediately? We're using enterprise so rate limits aren't an issue. I tried setting cache size to 0MB in the global Github config...but that didn't seem to work.
            Hide
            sag47 Sam Gleske added a comment -

            Kevin R. I recommend closing this issue and opening a new issue for disabling caching as an enhancement.  Caching in this plugin should probably be only disabled via JVM property and not an option in the web UI.

            Show
            sag47 Sam Gleske added a comment - Kevin R. I recommend closing this issue and opening a new issue for disabling caching as an enhancement.  Caching in this plugin should probably be only disabled via JVM property and not an option in the web UI.
            Hide
            sag47 Sam Gleske added a comment -

            Closing this issue in favor of JENKINS-27844 to completely overhaul the GitHub committer authorization strategy.  Subscribe and vote there so we can track it all in one place.

            Show
            sag47 Sam Gleske added a comment - Closing this issue in favor of  JENKINS-27844  to completely overhaul the GitHub committer authorization strategy.  Subscribe and vote there so we can track it all in one place.

              People

              • Assignee:
                sag47 Sam Gleske
                Reporter:
                chr0n1x Kevin R.
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: