[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Thanh Ha thanh.ha at linuxfoundation.org
Tue Jun 14 04:04:15 UTC 2016


On 8 June 2016 at 08:51, Darragh Bailey <daragh.bailey at gmail.com> wrote:

> On 7 June 2016 at 21:35, Thanh Ha <thanh.ha at linuxfoundation.org> wrote:
>
>> Taking a look at the code, I realized the test command allowed spoofing
>> of the plugins_info. I thought I'd try and see what happens if we allowed
>> spoofing with the update command too and submitted this patch:
>>
>>     https://review.openstack.org/326722
>>
>> I'm wondering if this could be a possible solution to the Administrator
>> permissions issue assuming that providing the plugins_info yaml file causes
>> JJB to not query the live Jenkins system for the info.
>>
>
> Definitely worth looking at, though probably worth digging in first to
> understand why the information couldn't be retrieved in case some
> documentation is needed to help users.
>

As Andy mentioned, it looks like it was introduced in Jenkins 1.652.2, which
we upgraded to this past weekend, so now this problem is affecting us,
although not completely just yet. Luckily we do not currently use any of
the features that need plugin_info, so we're able to take advantage of
the query_plugins_info=False setting to disable it, but we should definitely
find a solution to this issue.

I updated my patch:

     https://review.openstack.org/326722/

From my testing this patch seems to work, and I introduced a new command
called "generate-plugins-info". I'm not sure what the best name for it is,
but it will generate a plugins_info.yaml file which can be stored somewhere
and shared with users, who can then pull it in via the "update -p
plugins_info.yaml" parameter.

Regards,
Thanh
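The split described in this message, written out as an added example (not code from the thread or from JJB itself): an admin-side step that turns the Jenkins plugin manager API reply into a plugins_info.yaml list, and a user-side step that reads that file instead of querying the live Jenkins. The API JSON is constructed, and the three fields kept (longName, shortName, version) are assumed to be what JJB's plugin version checks read.

```python
import json

# Constructed sample of what Jenkins returns from /pluginManager/api/json?depth=1,
# the query that now needs Administer permission (only relevant fields shown).
SAMPLE_PLUGIN_MANAGER_JSON = """{"plugins": [
  {"shortName": "git", "longName": "Jenkins Git plugin", "version": "2.4.4", "active": true},
  {"shortName": "ssh-agent", "longName": "SSH Agent Plugin", "version": "1.10", "active": true}
]}"""

# Assumed to be the fields JJB's plugin-version checks consult.
FIELDS = ("longName", "shortName", "version")


def plugins_info_to_yaml(api_json):
    """Admin side, run once: reduce the API reply to a flat YAML list that can be
    shared and fed back with 'update -p'. Values are JSON-quoted, which is valid
    YAML and keeps unusual plugin names from breaking the file."""
    plugins = json.loads(api_json)["plugins"]
    lines = []
    for plugin in sorted(plugins, key=lambda p: p["shortName"]):
        lines.append("- longName: " + json.dumps(plugin["longName"]))
        for field in FIELDS[1:]:
            lines.append("  %s: %s" % (field, json.dumps(plugin[field])))
    return "\n".join(lines) + "\n"


def load_plugins_info(yaml_text):
    """User side: parse the flat list written above (this subset needs no PyYAML)."""
    plugins = []
    for line in yaml_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("- "):
            plugins.append({})
            line = line[2:]
        key, _, value = line.strip().partition(": ")
        plugins[-1][key] = json.loads(value)
    return plugins


def plugins_info_for_update(plugins_info_yaml, query_plugins_info, query_live):
    """Choose the plugin-info source the way the thread proposes: a shared file
    first; a live (admin-only) query only when no file is given and querying is
    enabled; otherwise an empty list, i.e. the query_plugins_info=False workaround."""
    if plugins_info_yaml is not None:
        return load_plugins_info(plugins_info_yaml)
    if query_plugins_info:
        return query_live()
    return []
```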