
Unauthorized users cannot run child pipelines started by "start all" from parent pipeline.

Open ibu1224 opened this issue 2 years ago • 2 comments

What happened: If the parent pipeline has permission, it can start the child pipeline with start all. (Screenshot 2022-06-08 9 30 45)

I found that the following permissions do not allow child pipelines to run.

| Pipeline | Admin User |
|----------|------------|
| Parent   | A, B       |
| Child    | A          |

At this time, User B has the permission of the parent pipeline, so it can start the child pipeline with start all. However, it is not possible to Restart an event created in the child pipeline.

What you expected to happen: Allow user B to run events started by start all or disallow pipelines that do not have permissions to run.

How to reproduce it: Use External config. Authorize only the parent pipeline.

ibu1224, Jun 08 '22 00:06

This issue is probably related to changes made for read-only SCM: https://github.com/screwdriver-cd/screwdriver/pull/2460/files#diff-850c2f4b6c61fb8f711cf7522a7ca817e477b0c3a0866967e222e0a7f0be164b

tkyi, Jun 08 '22 17:06

It seems that the pipeline permissions are checked here when start all is run. https://github.com/screwdriver-cd/screwdriver/blob/bc08d7081de21d72a8f1aa141f0479d3acc25bbb/plugins/pipelines/startAll.js#L33-L35

It may be fixed by checking the permissions of the child pipeline before creating the event. https://github.com/screwdriver-cd/screwdriver/blob/bc08d7081de21d72a8f1aa141f0479d3acc25bbb/plugins/pipelines/startAll.js#L53-L61

ibu1224, Jun 09 '22 00:06
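
The per-child check suggested in the last comment, sketched as an added example (not Screwdriver's code and not taken from `startAll.js`). The pipeline table, `canStart`, `childrenOf` and both `startAll*` functions are hypothetical names, and `child-2` is a constructed extra row so the result shows both outcomes.

```javascript
// Constructed model of the permission table in the issue: user B administers
// the parent but not child-1. Data shapes are assumptions, not Screwdriver's API.
const pipelines = {
  1: { id: 1, name: 'parent', admins: ['A', 'B'], parentId: null },
  2: { id: 2, name: 'child-1', admins: ['A'], parentId: 1 },
  3: { id: 3, name: 'child-2', admins: ['A', 'B'], parentId: 1 },
};

const canStart = (pipeline, user) => pipeline.admins.includes(user);

const childrenOf = (parentId) =>
  Object.values(pipelines).filter((p) => p.parentId === parentId);

function requireParent(parentId, user) {
  const parent = pipelines[parentId];
  if (!parent) throw new Error(`unknown pipeline ${parentId}`);
  if (!canStart(parent, user)) {
    throw new Error(`${user} is not permitted to start ${parent.name}`);
  }
}

// Behaviour reported in the issue: only the parent is authorized, then an
// event is created in every child regardless of the caller's rights there.
function startAllParentOnly(parentId, user) {
  requireParent(parentId, user);
  return { started: childrenOf(parentId).map((p) => p.name), skipped: [] };
}

// Suggested direction: authorize the caller against each child before its
// event is created, and report skipped children instead of creating events
// the caller cannot later restart.
function startAllPerChild(parentId, user) {
  requireParent(parentId, user);
  const result = { started: [], skipped: [] };
  for (const child of childrenOf(parentId)) {
    (canStart(child, user) ? result.started : result.skipped).push(child.name);
  }
  return result;
}

console.log('parent-only check:', startAllParentOnly(1, 'B'));
console.log('per-child check:  ', startAllPerChild(1, 'B'));
```

Returning the skipped list makes the partial start visible to the caller, which matters for auditing who triggered which child events.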