  1. Jenkins
  2. JENKINS-48219

Cannot create pipelines using BlueOcean as a non-Admin user


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • blueocean-plugin
    • None
    • Blue Ocean 1.4 - beta 3, Blue Ocean 1.4 - beta 5

      Attachments:

      1. Manage Roles Screen - shows Roles configuration which will replicate the issue
      2. Assign Roles Screen - shows user role assignments which will replicate the issue
      3. Error Screen - BlueOcean error screen showing non-admin user being unable to create pipeline even though they have been assigned all the Job permissions via their role assignment.

      Problem:

      I have come across an issue using the Role Strategy plugin and the BlueOcean plugin. I found I cannot create pipelines using BlueOcean when using a user who does not have the Overall Global Administer permission granted in "Manage Roles".

      Only Administrative users can create and edit pipelines. Other Users cannot create pipelines even though they have been assigned the permission in project roles in "Manage Roles" and "Assign Roles".

      When non-administrative users try, the Jenkins logs show the following:

      INFO: While serving http://<HOST>/blue/rest/organizations/jenkins/pipelines/<PROJECT>/scm/content: hudson.security.AccessDeniedException2: <USER> is missing the N/A/GenericRead permission

       

      This remains true even if the regular expression is set to allow all projects. As long as the Administer permission is not granted to the user they cannot create pipelines.

      Temporary Fix:

      1. Go to the Jenkins home directory.
      If using docker: docker exec -u root -it [container_id] bash
      Then navigate to: /var/jenkins_home
      2. Edit the file config.xml
      3. Add the following permission to your required role name in projectRoles:
      <permission>hudson.security.Permission.GenericRead</permission>

      4. Save file
      5. Restart Jenkins or use "Reload Configuration from Disk" at "Manage Jenkins" page
      6. The affected user will now be able to create and edit pipelines.

      This is a temporary fix as the issue resurfaces when further additions or edits are made to Manage Roles. The added permission is deleted and we have to manually perform the steps again for each created project role.

      Example:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
        <roleMap type="projectRoles">
          <role name="m<REMOVED TO MATCH PIC>s" pattern="<REMOVED TO MATCH PIC>.*">
            <permissions>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
              <permission>hudson.model.Item.Create</permission>
              <permission>hudson.model.Run.Delete</permission>
              <permission>hudson.model.Item.Workspace</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
              <permission>hudson.model.Run.Replay</permission>
              <permission>hudson.model.Item.Configure</permission>
              <permission>hudson.model.Item.Cancel</permission>
              <permission>hudson.model.Item.Delete</permission>
              <permission>hudson.model.Item.Read</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
              <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
              <permission>hudson.model.Item.Build</permission>
              <permission>hudson.scm.SCM.Tag</permission>
              <permission>hudson.model.Item.Move</permission>
              <permission>hudson.model.Item.Discover</permission>
              <permission>hudson.model.Run.Update</permission>
              <permission>hudson.security.Permission.GenericRead</permission> <!-- THIS IS WHERE YOU ADD. JENKINS SORTS ON RESTART -->
            </permissions>
            <assignedSIDs>
              <sid>d<REMOVED TO MATCH PIC>1</sid>
              <sid>k<REMOVED TO MATCH PIC>1</sid>
            </assignedSIDs>
          </role>
        </roleMap>

       

      Suggestion:
      Have the Role Strategy plugin assign the hudson.security.Permission.GenericRead permission. This will allow the Job permissions under Project Roles to work as desired without the need of manual intervention.

      The makers of the plugin can decide whether it is best to place this in the Project role or in the Global Roles. As Project Roles can be defined in absence of a Global role it might be wise to explicitly add it in the Project Roles.

      This may have to be checked for the Slave Node roles as well. I did not do so.

      It is interesting to note that users created under "Manage Users" do not have this permission granted.
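Because the report says the manually added permission is dropped again whenever Manage Roles is edited, the following added example (not part of the original report and not Role Strategy plugin code) lists which project roles in a config.xml lack hudson.security.Permission.GenericRead and re-adds it only to explicitly named roles. The function names, role names and sample XML are constructed for illustration; the code works on the XML text in memory, and saving the file and reloading Jenkins remain steps 4 and 5 of the report.

```python
import xml.etree.ElementTree as ET

GENERIC_READ = "hudson.security.Permission.GenericRead"  # permission id from the report

# Constructed sample config.xml fragment; role names and patterns are placeholders.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="projectRoles">
      <role name="team-a" pattern="team-a.*">
        <permissions>
          <permission>hudson.model.Item.Create</permission>
          <permission>hudson.model.Item.Read</permission>
        </permissions>
      </role>
      <role name="team-b" pattern="team-b.*">
        <permissions>
          <permission>hudson.model.Item.Read</permission>
          <permission>hudson.security.Permission.GenericRead</permission>
        </permissions>
      </role>
      <role name="team-c" pattern="team-c.*"><permissions/></role>
    </roleMap>
  </authorizationStrategy>
</hudson>"""

def project_roles(root):
    """Yield (role element, set of permission ids) for each role under projectRoles."""
    for role in root.findall(".//roleMap[@type='projectRoles']/role"):
        perms = {p.text.strip() for p in role.findall("permissions/permission") if p.text}
        yield role, perms

def missing_generic_read(config_xml):
    """Names of project roles lacking GenericRead, e.g. after a Manage Roles edit."""
    root = ET.fromstring(config_xml)
    return sorted(r.get("name") for r, perms in project_roles(root) if GENERIC_READ not in perms)

def add_generic_read(config_xml, role_names):
    """Add GenericRead to the named project roles only; return (new_xml, changed names)."""
    root, changed = ET.fromstring(config_xml), []
    for role, perms in project_roles(root):
        if role.get("name") in role_names and GENERIC_READ not in perms:
            container = role.find("permissions")
            if container is None:  # role element without a <permissions> child
                container = ET.SubElement(role, "permissions")
            ET.SubElement(container, "permission").text = GENERIC_READ
            changed.append(role.get("name"))
    return ET.tostring(root, encoding="unicode"), changed
```

Running missing_generic_read after each Manage Roles change shows which roles have lost the permission, and passing an explicit set of role names keeps the grant scoped to the roles that need Blue Ocean pipeline creation.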

       

       

        1. Assign_Roles.png (185 kB)
        2. assigned_roles.png (520 kB)
        3. Error.png (150 kB)
        4. ManageRoles.png (147 kB)
        5. roles.png (590 kB)

            vivek Vivek Pandey
            xaviercaddle Xavier Caddle
            Votes: 0
            Watchers: 8