Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-42707

ReverseBuildTrigger can throw AccessDeniedException

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
    • Environment:
      Jenkins 2.32.3
    • Similar Issues:

      Description

      Noticed in a console logs of an upstream job:

      Notifying upstream projects of job completion 
      FATAL: Please login to access job upstream 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404) 
      Notifying upstream projects of job completion 
      FATAL: Please login to access job <foldername> 
      org.acegisecurity.AccessDeniedException: Please login to access job upstream 
      at jenkins.model.Jenkins.getItem(Jenkins.java:2724) 
      at jenkins.model.Jenkins.getItem(Jenkins.java:324) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2830) 
      at jenkins.model.Jenkins.getItemByFullName(Jenkins.java:2849) 
      at jenkins.triggers.ReverseBuildTrigger.shouldTrigger(ReverseBuildTrigger.java:116) 
      at jenkins.triggers.ReverseBuildTrigger.access$000(ReverseBuildTrigger.java:89) 
      at jenkins.triggers.ReverseBuildTrigger$1.shouldTriggerBuild(ReverseBuildTrigger.java:146) 
      at hudson.tasks.BuildTrigger.execute(BuildTrigger.java:247) 
      at hudson.model.AbstractBuild$AbstractBuildExecution.cleanUp(AbstractBuild.java:681) 
      at hudson.model.Build$BuildExecution.cleanUp(Build.java:200) 
      at hudson.model.Run.execute(Run.java:1775) 
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) 
      at hudson.model.ResourceController.execute(ResourceController.java:98) 
      at hudson.model.Executor.run(Executor.java:404)
      

      ReverseBuildTrigger.shouldTrigger should be impersonating SYSTEM.

      This seems to happen because the anonymous user has Overall/Read and Item/Discover permission. The workaround is to remove the Item/Discover permission for the anonymous user.

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            Does the fix for JENKINS-42556 take care of this?

            Show
            danielbeck Daniel Beck added a comment - Does the fix for JENKINS-42556 take care of this?
            Hide
            jglick Jesse Glick added a comment -

            Doubtful. This is an Executor thread, which should not have been affected by that fix.

            Show
            jglick Jesse Glick added a comment - Doubtful. This is an Executor thread, which should not have been affected by that fix.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)
            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Allan Burdajewicz Path: core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java http://jenkins-ci.org/commit/jenkins/17eedcfde8043829b247e639ae985ddb97dd0571 Log: JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846) JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger. JENKINS-42707 Added tests to expose the issue JENKINS-42707 Log message according to permission (DISCOVER/READ) JENKINS-42707 Use MockAuthorizationStrategy JENKINS-42707 Remove internationalization for logger
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Allan Burdajewicz
            Path:
            core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java
            test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java
            http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e
            Log:
            JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846)

            • JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger.
            • JENKINS-42707 Log message according to permission (DISCOVER/READ)

            (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Allan Burdajewicz Path: core/src/main/java/jenkins/triggers/ReverseBuildTrigger.java test/src/test/java/jenkins/triggers/ReverseBuildTriggerTest.java http://jenkins-ci.org/commit/jenkins/7db9fe95669d426812dd4510b512fcd95ff1a64e Log: JENKINS-42707 AccessDeniedException exception in ReverseBuildTrigger (#2846) JENKINS-42707 AccessDeniedException vulnerability in ReverseBuildTrigger. JENKINS-42707 Added tests to expose the issue JENKINS-42707 Log message according to permission (DISCOVER/READ) JENKINS-42707 Use MockAuthorizationStrategy JENKINS-42707 Remove internationalization for logger (cherry picked from commit 17eedcfde8043829b247e639ae985ddb97dd0571)

              People

              • Assignee:
                allan_burdajewicz Allan BURDAJEWICZ
                Reporter:
                allan_burdajewicz Allan BURDAJEWICZ
              • Votes:
                2 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: