Jenkins / JENKINS-7265

Tag this build not working with Authorization set to "Logged-in users can do anything"


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: cvs-plugin
    • Labels:
      None
    • Environment:
      1.372 on Linux

      Description

      When Authorization is set to "Logged-in users can do anything", and I am logged in, attempts to "Tag this build" result in the browser immediately displaying:

      Tagging is in progress:

      And, right below that, a button labeled:

      Clear error to retry

      There is no other output. Hudson is configured to use CVS, and the Security Realm is set to "Hudson's own user database". Windows IE used as browser.

      Please note that if I reset authorization to "Matrix-based security", and add all privs to my "build" user, I am able to tag normally.

      This was previously working, I believe, around Hudson build circa 1.364 or 1.367.

      Expected result(s):
      1) To be able to tag with the Auth setting of "Logged in users..."
      2) To see error output if this isn't working

        Attachments

          Activity

          hypotechguy hypotechguy created issue -
          bbrandt bbrandt added a comment - - edited

          Reproduced on Hudson 1.372 and 1.374 as Windows XP service using "Project-based Matrix Authorization Strategy". Could not find any log entries for this error.

          vladkravchenko vladkravchenko added a comment -

          I have debugged the problem with the version 1.383.

          The Hudson was configured as follows:

            <useSecurity>true</useSecurity>
            <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
              <permission>hudson.model.Computer.Configure:authenticated</permission>
              <permission>hudson.model.Computer.Delete:authenticated</permission>
              <permission>hudson.model.Hudson.Administer:authenticated</permission>
              <permission>hudson.model.Hudson.Read:anonymous</permission>
              <permission>hudson.model.Hudson.Read:authenticated</permission>
              <permission>hudson.model.Item.Build:authenticated</permission>
              <permission>hudson.model.Item.Configure:authenticated</permission>
              <permission>hudson.model.Item.Create:authenticated</permission>
              <permission>hudson.model.Item.Delete:authenticated</permission>
              <permission>hudson.model.Item.Read:anonymous</permission>
              <permission>hudson.model.Item.Read:authenticated</permission>
              <permission>hudson.model.Item.Workspace:authenticated</permission>
              <permission>hudson.model.Run.Delete:authenticated</permission>
              <permission>hudson.model.Run.Update:authenticated</permission>
              <permission>hudson.model.View.Configure:authenticated</permission>
              <permission>hudson.model.View.Create:authenticated</permission>
              <permission>hudson.model.View.Delete:authenticated</permission>
              <permission>hudson.scm.SCM.Tag:authenticated</permission>
            </authorizationStrategy>
            <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
              <disableSignup>false</disableSignup>
            </securityRealm>
          

          I have logged in, which means I am in the "authenticated" group. The CVS Tag action has caused the following exception, which gets lost when the page is reloaded, but if you are in debug, you can catch it.

          Tagging is in progress:
          
          Markiere ("tagge") test-cvs-tag #2 als test-hudson-tagging-2
          hudson.security.AccessDeniedException2: anonymous fehlt das Recht {1} 
          	at hudson.security.ACL.checkPermission(ACL.java:53)
          	at hudson.model.Run.checkPermission(Run.java:1102)
          	at hudson.model.Run.keepLog(Run.java:1649)
          	at hudson.model.Run.keepLog(Run.java:1645)
          	at hudson.scm.CVSSCM$TagWorkerThread.perform(CVSSCM.java:1638)
          	at hudson.model.TaskThread.run(TaskThread.java:126)
          

          As a workaround, you should give the anonymous role/user the right to update "Run":
          <permission>hudson.model.Run.Update:anonymous</permission>

          In my opinion this issue should address two problems:
          1. why the AccessDeniedException2 is thrown, if the "authenticated" group has the Update permission?
          2. the error log gets lost on page reload.

          vladkravchenko vladkravchenko added a comment - - edited

          Security configuration that causes the problem (see JENKINS-7265.JPG).

          vladkravchenko vladkravchenko made changes -
          Field Original Value New Value
          Attachment JENKINS-7265.JPG [ 19941 ]
          kcbaltz kcbaltz added a comment -

          I just ran into this problem today. I tried to grant everyone in the system the authority to tag a build by granting Tag permission to one of our LDAP groups that everyone is a member of. Now, even though I am an admin and could previously tag a build, I'm getting the error described in this bug. I tried reversing my change and it didn't fix the problem. I also tried explicitly granting every permission there is to my personal user, but that didn't help either.

          I'm not sure how to perform the workaround described by vladkravchenko from the Config interface. Is it something that can only be done from the file system?

          We're running v1.381.

          vladkravchenko vladkravchenko added a comment -

          You have to grant a "Run / update" permission to "anonymous". The CVS Task fails on checking this permission, even if your actual user / role has it. Why? Maybe because the check is being performed in another thread and your security context is not propagated correctly to this thread...
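
The comment above suspects that the permission check runs on a worker thread that never received the request thread's security context, which matches the `anonymous` identity in the stack trace. The following is an added example, not code from Jenkins/Hudson or the CVS plugin, that models that failure with a plain `ThreadLocal` and shows capture-and-restore as one remedy; `SecurityContextDemo`, `CURRENT_USER`, `RUN_UPDATE` and the user `alice` are hypothetical.

```java
import java.util.Set;
// Added illustration; every name here is hypothetical and is not a Jenkins/Hudson API.
public class SecurityContextDemo {
    // Per-thread identity; a thread that never sets it is treated as "anonymous".
    static final ThreadLocal<String> CURRENT_USER = ThreadLocal.withInitial(() -> "anonymous");
    // Constructed ACL: only the logged-in user holds Run.Update.
    static final Set<String> RUN_UPDATE = Set.of("alice");

    static void checkRunUpdate() {
        String user = CURRENT_USER.get();
        if (!RUN_UPDATE.contains(user)) {
            throw new SecurityException(user + " is missing the Run.Update permission");
        }
    }

    // Runs the task on a new worker thread and reports how the permission check ended.
    static String runInWorker(Runnable body) throws InterruptedException {
        String[] result = {"ok"};
        Thread worker = new Thread(() -> {
            try {
                body.run();
            } catch (SecurityException e) {
                result[0] = e.getMessage();
            }
        });
        worker.start();
        worker.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        CURRENT_USER.set("alice"); // request thread: the user is logged in
        // Broken: the worker starts with an empty context and is checked as anonymous.
        System.out.println("no propagation:   " + runInWorker(SecurityContextDemo::checkRunUpdate));
        // Fixed: capture the identity on the request thread, install it in the
        // worker for the duration of the task, then clear it again.
        String captured = CURRENT_USER.get();
        System.out.println("with propagation: " + runInWorker(() -> {
            CURRENT_USER.set(captured);
            try {
                checkRunUpdate();
            } finally {
                CURRENT_USER.remove();
            }
        }));
    }
}
```

Propagating the caller's identity into the worker leaves the ACL unchanged, whereas granting Run.Update to anonymous extends that permission to unauthenticated users.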

          vladkravchenko vladkravchenko added a comment - - edited

          Security configuration that works (see JENKINS-7265-fix.JPG).

          vladkravchenko vladkravchenko made changes -
          Attachment JENKINS-7265-fix.JPG [ 20088 ]
          kcbaltz kcbaltz added a comment -

          That configuration fixed it for me. Thanks!

          sogabe sogabe added a comment -

          It seems to be fixed.

          sogabe sogabe made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Fixed [ 1 ]
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 137364 ] JNJira + In-Review [ 187471 ]

            People

            • Assignee:
              Unassigned
              Reporter:
              hypotechguy hypotechguy
            • Votes:
              2
              Watchers:
              3
