JENKINS-42556

PlaceholderTask.runForDisplay vulnerable to AccessDeniedException


    Details


      Description

      Resuming build at ... after Jenkins restart
      [Pipeline] End of Pipeline
      java.io.IOException: Failed to load build state
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:610)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$3.onSuccess(CpsFlowExecution.java:608)
      	at org.jenkinsci.plugins.workflow.cps.CpsFlowExecution$4$1.run(CpsFlowExecution.java:651)
      	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$1.run(CpsVmExecutorService.java:35)
      	at ...
      Caused by: org.acegisecurity.AccessDeniedException: Please login to access job ...
      	at jenkins.model.Jenkins.getItem(Jenkins.java:2724)
      	at jenkins.model.Jenkins.getItem(Jenkins.java:324)
      	at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830)
      	at hudson.model.Run.fromExternalizableId(Run.java:2314)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.runForDisplay(ExecutorStepExecution.java:385)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getDisplayName(ExecutorStepExecution.java:398)
      	at org.jenkinsci.plugins.workflow.support.steps.ExecutorStepExecution$PlaceholderTask.getFullDisplayName(ExecutorStepExecution.java:407)
      	at org.jenkinsci.plugins.workflow.support.pickles.ExecutorPickle$1.printWaitingMessage(ExecutorPickle.java:116)
      	at org.jenkinsci.plugins.workflow.support.pickles.TryRepeatedly$1.run(TryRepeatedly.java:95)
      	at ...
      

      Presumably there is no anonymous read access, and the Timer thread used by TryRepeatedly neglected to impersonate SYSTEM.


            Activity

            jglick Jesse Glick created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Epic Link JENKINS-35399 [ 171192 ]
            jglick Jesse Glick added a comment - - edited

            Or rather anonymous DISCOVER access but not READ, an unusual configuration. Reproducible, though see JENKINS-42577 for why reproducing can be tricky.

            Perhaps core should impersonate SYSTEM in Timer threads automatically, since this is hardly the first time such a bug has occurred.

            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-42577 [ JENKINS-42577 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-42586 [ JENKINS-42586 ]
            jglick Jesse Glick made changes -
            Assignee Jesse Glick [ jglick ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick added a comment -

            After some back and forth I have decided that while TryRepeatedly shares some blame, a fix there does not necessarily suffice, because Queue.Task.getFullDisplayName can be called from other threads.

            jglick Jesse Glick made changes -
            Summary TryRepeatedly fails to run as ACL.SYSTEM PlaceholderTask.runForDisplay vulnerable to AccessDeniedException
            Component/s workflow-durable-task-step-plugin [ 21715 ]
            Component/s workflow-support-plugin [ 21719 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "jenkins-test-harness PR 52 (Web Link)" [ 15649 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "core PR 2790 (Web Link)" [ 15650 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "core PR 2791 (Web Link)" [ 15651 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "core PR 2792 (Web Link)" [ 15652 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-support PR 32 (Web Link)" [ 15653 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-durable-task-step PR 34 (Web Link)" [ 15654 ]
            jglick Jesse Glick made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            jglick Jesse Glick made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Queue.java
            http://jenkins-ci.org/commit/jenkins/0bb69952f715ea80b92285b3a810fb938561e594
            Log:
            JENKINS-42556 Improved logging for Queue.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Daniel Beck
            Path:
            core/src/main/java/hudson/model/Queue.java
            http://jenkins-ci.org/commit/jenkins/13d85fb805161a94e45d4ac485fb3a84d2c72e1a
            Log:
            Merge pull request #2791 from jglick/Queue-logging-JENKINS-42556

            JENKINS-42556 Improved logging for Queue

            Compare: https://github.com/jenkinsci/jenkins/compare/ea724ab13dd3...13d85fb80516

            allan_burdajewicz Allan BURDAJEWICZ made changes -
            Link This issue is related to JENKINS-42707 [ JENKINS-42707 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java
            http://jenkins-ci.org/commit/workflow-support-plugin/3c076a7c93717ee7d819eeda82dd91f1be099bde
            Log:
            JENKINS-42556 Handle runtime exceptions from printWaitingMessage.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/org/jenkinsci/plugins/workflow/support/pickles/TryRepeatedly.java
            http://jenkins-ci.org/commit/workflow-support-plugin/494446bf5962ff41726818224312079876c2cc70
            Log:
            Merge pull request #32 from jglick/TryRepeatedly-anonDiscover-JENKINS-42556

            JENKINS-42556 Handle runtime exceptions from printWaitingMessage

            Compare: https://github.com/jenkinsci/workflow-support-plugin/compare/6fce277ac978...494446bf5962

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
            core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
            core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java
            core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
            core/src/main/java/jenkins/util/Timer.java
            http://jenkins-ci.org/commit/jenkins/3f41d563b2d619d892e483055cc3d8f511d11dc1
            Log:
            JENKINS-42556 Run more system threads as SYSTEM.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
            core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
            core/src/main/java/jenkins/util/AtmostOneTaskExecutor.java
            core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
            core/src/main/java/jenkins/util/Timer.java
            http://jenkins-ci.org/commit/jenkins/dd0d578cb07084366ab4d1a1efdeb1fe39d14688
            Log:
            Merge pull request #2792 from jglick/SYSTEM-JENKINS-42556

            JENKINS-42556 Run more system threads as SYSTEM

            Compare: https://github.com/jenkinsci/jenkins/compare/12a4177af17f...dd0d578cb070

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/jenkins/security/ImpersonatingExecutorService.java
            core/src/main/java/jenkins/security/ImpersonatingScheduledExecutorService.java
            core/src/main/java/jenkins/util/InterceptingScheduledExecutorService.java
            http://jenkins-ci.org/commit/jenkins/98bb78ff1891bb85471a089977066c4b4a11b261
            Log:
            JENKINS-42556 Updating since tags for #2792.

            danielbeck Daniel Beck added a comment -

Jesse Glick, is this a useful LTS candidate?

            danielbeck Daniel Beck made changes -
            Labels lts-candidate
            oleg_nenashev Oleg Nenashev made changes -
            Component/s core [ 15593 ]
            jglick Jesse Glick added a comment -

            Well…it is relatively risky, and this particular bug symptom has an independent workaround, so I am not sure I would recommend it for backport.

            danielbeck Daniel Beck made changes -
            Labels lts-candidate
            danielbeck Daniel Beck added a comment -

            Not an LTS candidate then.

            jglick Jesse Glick made changes -
            Link This issue is duplicated by JENKINS-42504 [ JENKINS-42504 ]
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-45553 [ JENKINS-45553 ]
            jglick Jesse Glick added a comment -

            Found another effect of this. On 2.46.x (prior to this fix), a Pipeline virtual thread dump like /job/…/…/threadDump/ will show, e.g.,

            Thread #…
            	at DSL.node(node block appears to be neither running nor scheduled)
            	at WorkflowScript.run(WorkflowScript:…)
            

            when there is a node block waiting in queue but the system has no anonymous read access. This is because ExecutorStepExecution.getStatus checks Queue.getItems, which as of SECURITY-186 is a permission-controlled call, which would in fact work if called under the authentication of the user looking at the thread dump (who presumably has READ on that job); yet StepExecution.getStatusBounded runs inside Timer, thus as anonymous.

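The failure mode discussed in this issue (a Timer task calling a permission-checked core API with the thread's default, anonymous authentication) next to the two fixes recorded in the linked commits (running the task as SYSTEM, and not letting a RuntimeException escape the scheduled task), as an added example; this is not code from the issue, from Jenkins core or from the workflow plugins. It assumes a Jenkins core where hudson.security.ACL.as and jenkins.util.Timer exist; the class name QueuePollerExample is made up.

```java
import hudson.model.Queue;
import hudson.security.ACL;
import hudson.security.ACLContext;
import jenkins.model.Jenkins;
import jenkins.util.Timer;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.acegisecurity.AccessDeniedException;

/** Illustrative class only (hypothetical name), not part of any Jenkins plugin. */
public class QueuePollerExample {
    private static final Logger LOGGER = Logger.getLogger(QueuePollerExample.class.getName());

    /** Before the fix: the task runs with whatever authentication the Timer thread
     *  carries, which in a freshly started Jenkins is anonymous. */
    static void scheduleUnsafe() {
        Timer.get().schedule(() -> {
            // Queue.getItems is permission-controlled (SECURITY-186). With anonymous
            // DISCOVER but not READ this throws AccessDeniedException on the Timer thread.
            Queue.Item[] items = Jenkins.get().getQueue().getItems();
            LOGGER.info(() -> items.length + " queue items visible");
        }, 5, TimeUnit.SECONDS);
    }

    /** After the fix: impersonate SYSTEM for the duration of the task, and catch
     *  runtime exceptions so one failure does not kill the scheduled task. */
    static void scheduleSafe() {
        Timer.get().schedule(() -> {
            try (ACLContext ctx = ACL.as(ACL.SYSTEM)) {
                // Same call, now evaluated as SYSTEM: no per-user permission check applies.
                Queue.Item[] items = Jenkins.get().getQueue().getItems();
                LOGGER.info(() -> items.length + " queue items visible");
            } catch (AccessDeniedException x) {
                // Not expected as SYSTEM; log it instead of propagating out of the executor.
                LOGGER.log(Level.WARNING, "permission check failed in a system thread", x);
            } catch (RuntimeException x) {
                LOGGER.log(Level.WARNING, "unexpected failure in scheduled task", x);
            }
        }, 5, TimeUnit.SECONDS);
    }
}
```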
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2089 (Web Link)" [ 18425 ]
            agentgonzo Steve Arch made changes -
            Link This issue is related to JENKINS-50296 [ JENKINS-50296 ]

              People

              Assignee: Jesse Glick (jglick)
              Reporter: Jesse Glick (jglick)