Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-52181

Use jenkins-cli to get console of a project requires user has Job/Build permission

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: In Review (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: cli
    • Environment:
      Jenkins ver. 2.107.3 on 4.1.12-112.14.13.el6uek.x86_64
    • Similar Issues:

      Description

      I have user emreporter which doesn't have build permission for job "EM Ops - OMS - MIGDC2 EM OMS Patch (Real Run)" but can read the build history of the job. So, from Jenkins UI, the user can check the job execution history and go into a execution for example #16 to get its information in console.

      However, when I am using CLI to get the console for latest job execution result, it reported error about the user is missing build permission.

      That is to say, the behavior of CLI is not same to UI.

      Here is the command result:
      + java -jar jenkins-cli.jar -s
      http://MyJenkinsServer:8080
      -http -auth emreporter:******** console 'EM Ops - OMS - MIGDC2 EM OMS Patch (Real Run)' -f

      ERROR: emreporter is missing the Job/Build permission
       

      Please see attached screenshot for the comparison result on both UI and CLI.

        Attachments

          Activity

          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          It looks like a real defect/RFE. Item.READ should be enough in the current permission model.
          Generally a patch needed here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/cli/ConsoleCommand.java#L44
          This change was introduced in 2012 by the original commit (https://github.com/jenkinsci/jenkins/commit/63b6e0bc89c1a5885dd132329e3f149d58ad76bc), so it's not a regression.

          Eric Yu It seems to be an easy patch. Would you be interested to propose a pull request for review?

          Show
          oleg_nenashev Oleg Nenashev added a comment - It looks like a real defect/RFE. Item.READ should be enough in the current permission model. Generally a patch needed here: https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/hudson/cli/ConsoleCommand.java#L44 This change was introduced in 2012 by the original commit ( https://github.com/jenkinsci/jenkins/commit/63b6e0bc89c1a5885dd132329e3f149d58ad76bc ), so it's not a regression. Eric Yu It seems to be an easy patch. Would you be interested to propose a pull request for review?
          Hide
          ericyu2018 Eric Yu added a comment -

          Hi Oleg Nenashev,

          Thanks for the guidance of issue fixing. I created PR: Fix JENKINS-52181 about permission issue when using cli to get console #3527. Could you please help to review?

          Thanks,

          Eric

          Show
          ericyu2018 Eric Yu added a comment - Hi  Oleg Nenashev , Thanks for the guidance of issue fixing. I created PR: Fix JENKINS-52181 about permission issue when using cli to get console #3527. Could you please help to review? Thanks, Eric
          Hide
          ericyu2018 Eric Yu added a comment -

          I see test case https://ci.jenkins.io/blue/organizations/jenkins/Core%2Fjenkins/detail/PR-3527/1/tests failed.

          Hi Oleg Nenashev

          Could you please help to advise if the following test case in  test\src\test\java\hudson\cli\ConsoleCommandTest.java should be removed?

          @Test public void consoleShouldFailWithoutItemBuildPermission() throws Exception

          { j.createFreeStyleProject("aProject"); final CLICommandInvoker.Result result = command .authorizedTo(Jenkins.READ, Job.READ) .invokeWithArgs("aProject"); assertThat(result, failedWith(6)); assertThat(result, hasNoStandardOutput()); assertThat(result.stderr(), containsString("ERROR: user is missing the Job/Build permission")); }

          Thanks,

          Eric

          Show
          ericyu2018 Eric Yu added a comment - I see test case https://ci.jenkins.io/blue/organizations/jenkins/Core%2Fjenkins/detail/PR-3527/1/tests  failed. Hi  Oleg Nenashev ,  Could you please help to advise if the following test case in  test\src\test\java\hudson\cli\ConsoleCommandTest.java should be removed? @Test public void consoleShouldFailWithoutItemBuildPermission() throws Exception { j.createFreeStyleProject("aProject"); final CLICommandInvoker.Result result = command .authorizedTo(Jenkins.READ, Job.READ) .invokeWithArgs("aProject"); assertThat(result, failedWith(6)); assertThat(result, hasNoStandardOutput()); assertThat(result.stderr(), containsString("ERROR: user is missing the Job/Build permission")); } Thanks, Eric
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Removed - unlikely. But they could be somehow adjusted to verify the permissions
          I would recommend to get feedback from the reviewers first. Maybe there is a reason to keep it restricted which I am missing

          Show
          oleg_nenashev Oleg Nenashev added a comment - Removed - unlikely. But they could be somehow adjusted to verify the permissions I would recommend to get feedback from the reviewers first. Maybe there is a reason to keep it restricted which I am missing
          Hide
          ericyu2018 Eric Yu added a comment -

          I am new to this project. Could you please help to advise who to be added as reviewer and how to add it? In Jira or github?

          Thanks,

          Eric

           

          Show
          ericyu2018 Eric Yu added a comment - I am new to this project. Could you please help to advise who to be added as reviewer and how to add it? In Jira or github? Thanks, Eric  
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          Eric Yu the pull request is fine, it may take few days to get a response. But no additional actions are required, thanks!

          Show
          oleg_nenashev Oleg Nenashev added a comment - Eric Yu the pull request is fine, it may take few days to get a response. But no additional actions are required, thanks!
          Hide
          ericyu2018 Eric Yu added a comment -

          Thanks for your confirmation, Oleg Nenashev.

          Show
          ericyu2018 Eric Yu added a comment - Thanks for your confirmation, Oleg Nenashev .

            People

            • Assignee:
              ericyu2018 Eric Yu
              Reporter:
              ericyu2018 Eric Yu
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: