[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Andrew Grimberg agrimberg at linuxfoundation.org
Tue Jun 14 19:44:44 UTC 2016


On 06/14/2016 12:18 PM, Zaro wrote:
> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> 
> 
> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
> <daragh.bailey at gmail.com> wrote:
>> The 1.652.x series is an LTS release, so fixes were backported to it that
>> are not in subsequent dev releases.
>>
>> Darragh Bailey
>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>
>> On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
>>>
>>> ----- [ snippet ] ------------
>>>>
>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>
>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>> security fixes [0] that came with the release notes. Search for
>>>> SECURITY-250 or CVE-2016-3723.
>>>>
>>>> -Andy-
>>>>
>>>> [0]
>>>>
>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>
>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>> access plugin info using REST api as an anonymous user.
>>> I enabled security with following settings:
>>>  * jenkins own db
>>>  * logged-in user can do anything
>>>  * prevent cross site request
>>>
>>> While not logged in I can get plugin info using
>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>>>
>>> Maybe there's some setting you have enabled that's causing your
>>> Jenkins to require admin to access plugin info?

LTS is 1.651.x. My missive about the change being between 1.651.1 and
1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
lock-down occurred.

As for what we have enabled in the security system. We use the matrix
security setup.

Our JJB user is granted rights inside the job category. To be specific:

Job: Configure, Create, Delete, Discover, Read, Workspace
Overall: Read

There is no configuration option for listing the plugins. You only get
access to it if you have Overall: Administer with the changes that came
in with 1.651.2, unless there's a permission knob under the covers we
haven't managed to figure out yet.

-Andy-

-- 
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation



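As an added example (not JJB's own code and not from anyone in this thread), the following Python script performs the check the thread revolves around: it fetches `<jenkins-baseurl>/pluginManager/api/json?depth=1` either anonymously or with HTTP basic auth (user plus API token), reports whether the plugin list is readable, denied or hidden for that principal, and, when readable, extracts the shortName/version pairs. The sample JSON body is constructed for the offline self-check and was not captured from a real server; the command-line layout (base URL, then optional user and token) is an assumption.

```python
"""Probe the Jenkins plugin-manager REST endpoint that JJB reads.

Reports whether the given credentials can read the plugin list (the
endpoint discussed in the thread) and, when they can, extracts the
shortName/version pairs.  Only the standard library is used.
"""
import base64
import json
import sys
import urllib.error
import urllib.request

# Path quoted in the thread; depth=1 is needed to get per-plugin fields.
PLUGIN_API = "/pluginManager/api/json?depth=1"

# Constructed sample of what a readable endpoint returns (only the fields
# this script uses); not captured from a real server.
SAMPLE_BODY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "2.4.4", "active": True},
        {"shortName": "ssh-agent", "version": "1.10", "active": True},
    ]
})


def parse_plugins(body):
    """Return {shortName: version} from a depth=1 pluginManager document.

    Raises ValueError if the body is not the expected JSON shape, so a
    login page or HTML error served with a 200 is not mistaken for data.
    """
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("plugins"), list):
        raise ValueError("no 'plugins' list in response")
    return {p["shortName"]: p["version"] for p in data["plugins"]}


def classify(status, body=""):
    """Map an HTTP status (and body) from the endpoint to a verdict.

    'readable'   200 with a parseable plugin list
    'denied'     401/403: the principal lacks the needed permission
                 (Overall/Administer after the SECURITY-250 fix)
    'hidden'     404: treated as Jenkins hiding the object from the caller
    'unexpected' anything else, including a 200 that is not plugin JSON
    """
    if status == 200:
        try:
            return "readable", parse_plugins(body)
        except (ValueError, KeyError, TypeError):
            return "unexpected", {}
    if status in (401, 403):
        return "denied", {}
    if status == 404:
        return "hidden", {}
    return "unexpected", {}


def probe(base_url, user=None, token=None, timeout=15):
    """GET the plugin endpoint, optionally with HTTP basic auth.

    A GET needs no CSRF crumb, so having 'prevent cross site request
    forgery' enabled does not affect this check.
    """
    req = urllib.request.Request(base_url.rstrip("/") + PLUGIN_API)
    if user is not None:
        cred = base64.b64encode(f"{user}:{token or ''}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive here; the body may still carry a useful message.
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Assumed usage: probe_plugins.py <jenkins-baseurl> [user api-token]
    if len(sys.argv) not in (2, 4):
        sys.exit("usage: probe_plugins.py <jenkins-baseurl> [user api-token]")
    verdict, plugins = probe(*sys.argv[1:])
    print(f"{sys.argv[1]}: plugin list {verdict}")
    for name, version in sorted(plugins.items()):
        print(f"  {name} {version}")
```

Run it once without credentials and once with the JJB user's API token: a "denied" verdict for the JJB user on a Jenkins at or after 1.651.2, while an admin token yields "readable", reproduces the situation Andy describes, where no Job or Overall: Read permission short of Administer unlocks the endpoint.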