Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-41684

Plugin.postInitialize can be run as anonymous during dynamic load

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      While running 2.32.2 (I think), I logged in as the initial admin user, then dynamically loaded support-core, and got

      ... hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1 error
      WARNING: Failed to instantiate Key[type=com.cloudbees.jenkins.support.impl.JenkinsLogs, annotation=[none]]; skipping this component
      com.google.inject.ProvisionException: Unable to provision, see the following errors:
      
      1) Error injecting constructor, hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
        at com.cloudbees.jenkins.support.impl.JenkinsLogs.<init>(JenkinsLogs.java:45)
      
      1 error
      	at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:52)
      	at ...
      	at hudson.ExtensionList.iterator(ExtensionList.java:157)
      	at com.cloudbees.jenkins.support.SupportPlugin.postInitialize(SupportPlugin.java:476)
      	at hudson.PluginManager.dynamicLoad(PluginManager.java:868)
      	at hudson.PluginManager.dynamicLoad(PluginManager.java:813)
      	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:1891)
      	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1652)
      	at ...
      Caused by: hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
      	at hudson.security.ACL.checkPermission(ACL.java:65)
      	at hudson.model.Node.checkPermission(Node.java:464)
      	at jenkins.model.Jenkins.getLog(Jenkins.java:2449)
      	at com.cloudbees.jenkins.support.impl.JenkinsLogs.<init>(JenkinsLogs.java:49)
      	at com.cloudbees.jenkins.support.impl.JenkinsLogs$$FastClassByGuice$$adeef6a3.newInstance(<generated>)
      	at ...
      

      The Master Log Recorders component was not available until after I restarted Jenkins.

      It seems that InstallationJob runs in a fresh thread as Jenkins.ANONYMOUS and this "authentication" is carried over to plugin code, which rightly expects its initializers to be run as SYSTEM.

        Attachments

          Issue Links

            Activity

            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/PluginManager.java
            test/src/test/java/hudson/PluginManagerTest.java
            test/src/test/resources/plugins/require-system-during-load.hpi
            http://jenkins-ci.org/commit/jenkins/6fb9e91b63521eb8cdcd072cec6610d856aabf34
            Log:
            JENKINS-41684 Ensure that PluginManager.dynamicLoad runs as SYSTEM (#2732)

            • [FIXED JENKINS-41684] Ensure that PluginManager.dynamicLoad runs as SYSTEM.
              Test plugin source:
              package test;
              import hudson.Plugin;
              import jenkins.model.Jenkins;
              public class ThePlugin extends Plugin {
              @Override
              public void postInitialize() throws Exception { Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); }

              }

            • @daniel-beck wants this all reindented.
            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: core/src/main/java/hudson/PluginManager.java test/src/test/java/hudson/PluginManagerTest.java test/src/test/resources/plugins/require-system-during-load.hpi http://jenkins-ci.org/commit/jenkins/6fb9e91b63521eb8cdcd072cec6610d856aabf34 Log: JENKINS-41684 Ensure that PluginManager.dynamicLoad runs as SYSTEM (#2732) [FIXED JENKINS-41684] Ensure that PluginManager.dynamicLoad runs as SYSTEM. Test plugin source: package test; import hudson.Plugin; import jenkins.model.Jenkins; public class ThePlugin extends Plugin { @Override public void postInitialize() throws Exception { Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER); } } @daniel-beck wants this all reindented.

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                jglick Jesse Glick
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: