[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Zaro zaro0508 at gmail.com
Wed Jun 15 00:11:34 UTC 2016


Thanks for the clarification Andrew.  I almost thought you guys knew
something that upstream Jenkins didn't ; )  I am able to repro with
ver 1.651.2.  I agree with Thanh, the correct fix is to add new ACLs
to the Jenkins security plugin to allow retrieving plugin info.  I've
reviewed Thanh's workaround and it seems ok to me.  The other possible
workaround you might consider is to create a user with 'Read' and
'RunScripts' access which would allow running a groovy script [1] to
get the plugin info.

[1] https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script


On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
<agrimberg at linuxfoundation.org> wrote:
> On 06/14/2016 12:18 PM, Zaro wrote:
>> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>>
>>
>> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>> <daragh.bailey at gmail.com> wrote:
>>> The 1.652.x series is an LTS release, so fixes were backported to it that
>>> are not in subsequent dev releases.
>>>
>>> Darragh Bailey
>>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>>
>>> On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
>>>>
>>>> ----- [ snippet ] ------------
>>>>>
>>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>>
>>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>>> security fixes [0] that came with the release notes. Search for
>>>>> SECURITY-250 or CVE-2016-3723.
>>>>>
>>>>> -Andy-
>>>>>
>>>>> [0]
>>>>>
>>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>>
>>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>>> access plugin info using REST api as an anonymous user.
>>>> I enabled security with the following settings:
>>>>  * jenkins own db
>>>>  * logged-in user can do anything
>>>>  * prevent cross site request
>>>>
>>>> While not logged in I can get plugin info using
>>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>>>>
>>>> Maybe there's some setting you have enabled that's causing your
>>>> Jenkins to require admin to access plugin info?
>
> LTS is 1.651.x. My missive about the change being between 1.651.1 and
> 1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
> lockdown occurred.
>
> As for what we have enabled in the security system. We use the matrix
> security setup.
>
> Our JJB user is granted rights inside the job category. To be specific:
>
> Job: Configure, Create, Delete, Discover, Read, Workspace
> Overall: Read
>
> There is no configuration option for listing the plugins. You only get
> access to it if you have Overall: Administer with the changes that came
> in with 1.651.2 unless there's a permission knob under the covers we
> haven't managed to figure out yet.
>
> -Andy-
>
> --
> Andrew J Grimberg
> Systems Administrator
> Release Engineering Team Lead
> The Linux Foundation
>
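As an added example (not code from this thread, from JJB, or from python-jenkins), the two routes discussed above can be put side by side: the Groovy script run through `jenkins.Jenkins.run_script` [1] by an account holding Overall/Read plus RunScripts, and the JSON that `<jenkins-baseurl>/pluginManager/api/json?depth=1` returns to a caller who still has Overall/Administer after the 1.651.2 change. The `shortName`, `version`, `enabled` and `longName` fields are assumed to be the `PluginWrapper` properties the REST API exports; the sample data and the `_FakeServer` stand-in are constructed so the code runs offline. Note that RunScripts executes arbitrary Groovy on the Jenkins master, so an account carrying it should be treated as fully privileged even though it lacks Overall/Administer.

```python
"""Compare the RunScripts (Groovy) and REST routes to Jenkins plugin info.

Added example, not JJB's code.  Field names (shortName, version, enabled,
longName) are assumed PluginWrapper properties; sample data is constructed.
"""
import json

# Groovy executed on the master via jenkins.Jenkins.run_script.  The script
# console auto-imports jenkins.model.*, but the explicit import is harmless.
# One plugin per line, tab-separated, so client-side parsing stays trivial.
PLUGIN_INFO_SCRIPT = """\
import jenkins.model.Jenkins
Jenkins.instance.pluginManager.plugins.each { p ->
    println(p.shortName + "\\t" + p.version + "\\t" + p.isEnabled() + "\\t" + p.longName)
}
"""


def parse_script_output(output):
    """Turn the tab-separated lines printed by PLUGIN_INFO_SCRIPT into dicts."""
    plugins = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError("unexpected line from script console: %r" % line)
        short_name, version, enabled, long_name = parts
        plugins.append({
            "shortName": short_name,
            "version": version,
            "enabled": enabled == "true",  # Groovy prints booleans as true/false
            "longName": long_name,
        })
    return plugins


def plugins_via_script(server):
    """Fetch plugin info with RunScripts.  `server` is a jenkins.Jenkins
    instance or anything exposing a compatible run_script(script) method."""
    return parse_script_output(server.run_script(PLUGIN_INFO_SCRIPT))


def plugins_via_rest(payload):
    """Extract the same fields from a pluginManager/api/json?depth=1 body."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    return [
        {
            "shortName": p["shortName"],
            "version": p["version"],
            "enabled": bool(p.get("enabled", False)),
            "longName": p.get("longName", ""),
        }
        for p in data.get("plugins", [])
    ]


def same_plugin_set(a, b):
    """True when both listings agree on (shortName, version), i.e. the
    RunScripts workaround yields what JJB previously read over REST."""
    def key(plist):
        return sorted((p["shortName"], p["version"]) for p in plist)
    return key(a) == key(b)


# --- constructed sample data, standing in for a live Jenkins ---------------
SAMPLE_SCRIPT_OUTPUT = (
    "git\t2.4.4\ttrue\tJenkins Git plugin\n"
    "gerrit-trigger\t2.21.1\tfalse\tGerrit Trigger\n"
    "\n"
)

SAMPLE_REST_PAYLOAD = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "2.4.4", "enabled": True,
         "longName": "Jenkins Git plugin"},
        {"shortName": "gerrit-trigger", "version": "2.21.1", "enabled": False,
         "longName": "Gerrit Trigger"},
    ]
})


class _FakeServer:
    """Hypothetical stand-in for jenkins.Jenkins so the example runs offline."""
    def run_script(self, script):
        assert script == PLUGIN_INFO_SCRIPT
        return SAMPLE_SCRIPT_OUTPUT


if __name__ == "__main__":
    # Against a real server (placeholders, not from this thread):
    #   import jenkins
    #   server = jenkins.Jenkins("https://<jenkins-baseurl>", "<user>", "<api token>")
    #   print(plugins_via_script(server))
    via_script = plugins_via_script(_FakeServer())
    via_rest = plugins_via_rest(SAMPLE_REST_PAYLOAD)
    print(json.dumps(via_script, indent=2))
    print("listings agree:", same_plugin_set(via_script, via_rest))
```

`parse_script_output` rejects any line that is not exactly four fields rather than guessing, so a permission error or stack trace echoed by the script console surfaces as an exception instead of an empty or half-filled plugin list.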