
GitLab plugin checks only global roles, project role is not verified

Open frluo opened this issue 5 years ago • 5 comments

Per the plugin's instruction document, I try to use userid+token for Jenkins job authentication (https://github.com/jenkinsci/gitlab-plugin#gitlab-to-jenkins-authentication), following "Configuring global authentication".

First, I grant the user job/Build permission on certain jobs, e.g. grant permission on a folder which has several jobs. Second, I grant the user permission at the global level, i.e. all jobs that have been assigned job/Build permission.

After setting up the above webhook in GitLab and triggering the job via GitLab, in the first scenario the authentication fails with code 403, and the second scenario is successful.

It seems the GitLab plugin does not verify the folder-level job/Build permission; instead, it checks only the global job/Build permission.

Context

  • Gitlab plugin version: 1.5.12
  • Gitlab version: 11.10.4
  • Jenkins version: 2.176.1
  • Job type: Pipeline

Logs & Traces

Error 403 xyz_user is missing the Job/Build permission

HTTP ERROR 403

Problem accessing /project/CTO/DevOps/sandbox/demo/test-global-role. Reason:

    xyz_user is missing the Job/Build permission

Powered by Jetty:// 9.4.z-SNAPSHOT

In the Jenkins log:

Jul 18, 2019 3:36:30 AM FINEST com.dabsquared.gitlabjenkins.webhook.build.BuildWebHookAction Unauthorized (Did you forget to add API Token to the web hook ?)

Problem description

Describe your problem in a meaningful way:

  • what were you doing (simple push, merge request, MR with fork, ...): Configure a Jenkins job webhook in GitLab using the global authentication way, i.e. with userid + API token + Jenkins job URL, and trigger a push event from GitLab. This userid has been assigned Job/Build permission for certain folders in Jenkins.

  • what was expected: The webhook is able to trigger the Jenkins job.

  • what occurred finally: The push event from GitLab is rejected with code 403, user is missing Job/Build permission. When the user is assigned global Job/Build permission, the Jenkins job can be triggered successfully.

frluo avatar Jul 18 '19 05:07 frluo

+1 Facing the same problem. We manage all of our permissions on top level folders and don't want to set global permission Job/Build to all users.

I think the main problem is here in line 60 where the ACL is requested of the Jenkins instance only. https://github.com/jenkinsci/gitlab-plugin/blob/5b278e0613d14a96894570a58504a6acaba11687/src/main/java/com/dabsquared/gitlabjenkins/webhook/build/BuildWebHookAction.java#L58-L66

Fearxpc avatar Sep 19 '19 13:09 Fearxpc
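The difference between a root-only permission check and an item-aware one, as an added example that is not part of the thread and is not Jenkins or plugin code. It is a simplified Python model; the `Authz` class, the `CTO/DevOps` grant scope and `admin_user` are assumptions made for illustration, and the job path is the one from the 403 message above.

```python
# Simplified model of scoped authorization (not Jenkins or plugin code).
# Grants are (user, permission, scope); scope "" is the global (root) level,
# any other scope is a folder path whose grants apply to everything below it.
from dataclasses import dataclass, field

ROOT = ""

@dataclass
class Authz:
    grants: set = field(default_factory=set)

    def grant(self, user, permission, scope=ROOT):
        self.grants.add((user, permission, scope.strip("/")))

    def _scopes_for(self, item_path):
        """Root first, then every ancestor folder, then the item itself."""
        parts = item_path.strip("/").split("/")
        return [ROOT] + ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

    def allowed_global_only(self, user, permission, item_path):
        # Flawed check: the target item is ignored, only root grants count.
        return (user, permission, ROOT) in self.grants

    def allowed_for_item(self, user, permission, item_path):
        # Item-aware check: a grant at root or on any enclosing folder counts.
        return any((user, permission, s) in self.grants
                   for s in self._scopes_for(item_path))

def webhook_status(check, user, item_path):
    """HTTP status a build webhook would get under the given check."""
    return 200 if check(user, "Job/Build", item_path) else 403

# Constructed sample data; the job path is taken from the 403 message above.
JOB = "CTO/DevOps/sandbox/demo/test-global-role"
authz = Authz()
authz.grant("xyz_user", "Job/Build", scope="CTO/DevOps")  # assumed folder grant
authz.grant("admin_user", "Job/Build")                    # constructed global grant

def demo():
    return {
        "folder_user_global_check": webhook_status(authz.allowed_global_only, "xyz_user", JOB),
        "folder_user_item_check": webhook_status(authz.allowed_for_item, "xyz_user", JOB),
        "global_user_global_check": webhook_status(authz.allowed_global_only, "admin_user", JOB),
        "outside_folder_item_check": webhook_status(authz.allowed_for_item, "xyz_user", "Other/job"),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The last case shows that the item-aware check still denies the folder-scoped user on a job outside the granted folder, so least privilege is preserved without a global grant.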

+1 for this. I just ran into this issue on a Jenkins 2.235.3 with Role-Based-Strategy. I have a user that has no global build rights but has them inside the folder.

tobias-richter avatar Aug 13 '20 09:08 tobias-richter

There seems to be a 1.5.17 sources release but no hpi? Is there any ETA on this?

Willem1987 avatar Nov 18 '20 09:11 Willem1987

There seems to be a 1.5.17 sources release but no hpi? Is there any ETA on this?

Please check this issue: https://github.com/jenkinsci/gitlab-plugin/issues/1027

Fearxpc avatar Nov 18 '20 10:11 Fearxpc

+1, I'm running Jenkins 2.303.3 and Gitlab Plugin 1.5.22 and I still have this issue. If people/groups don't have global Job/Build they are not able to build anything.

hudson.security.AccessDeniedException3: user.name is missing the Job/Build permission

ghost avatar Dec 02 '21 13:12 ghost