[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Thanh Ha thanh.ha at linuxfoundation.org
Wed Jun 15 23:32:45 UTC 2016


I took a look at the groovy script idea. I think it might work but would be
a bit more involved than the example. It seems
Jenkins.instance.pluginManager.plugins simply prints a list of all plugins
without their details like version etc...

Regards,
Thanh

On 14 June 2016 at 20:11, Zaro <zaro0508 at gmail.com> wrote:

> Thanks for the clarification Andrew.  I almost thought you guys knew
> something that upstream Jenkins didn't ; )  I am able to repro with
> ver 1.651.2.  I agree with Thanh, the correct fix is to add a new ACL
> to the Jenkins security plugin to allow retrieving plugin info.  I've
> reviewed Thanh's workaround and it seems ok to me.  The other possible
> workaround you might consider is to create a user with 'Read' and
> 'RunScripts' access which would allow running a groovy script [1] to
> get the plugin info.
>
> [1]
> https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script
>
>
> On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
> <agrimberg at linuxfoundation.org> wrote:
> > On 06/14/2016 12:18 PM, Zaro wrote:
> >> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> >>
> >>
> >> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
> >> <daragh.bailey at gmail.com> wrote:
> >>> The 1.652.x series is an LTS release, so fixes were backported to it that
> >>> are not in subsequent dev releases.
> >>>
> >>> Darragh Bailey
> >>> "Nothing is foolproof to a sufficiently talented fool" - unknown
> >>>
> >>> On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
> >>>>
> >>>> ----- [ snippet ] ------------
> >>>>>
> >>>>> The behavior changed between 1.651.1 and 1.652.2.
> >>>>>
> >>>>> Specifically this was a security fix that came in with 1.652.2. See the
> >>>>> security fixes [0] that came with the release notes. Search for
> >>>>> SECURITY-250 or CVE-2016-3723.
> >>>>>
> >>>>> -Andy-
> >>>>>
> >>>>> [0]
> >>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
> >>>>
> >>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
> >>>> access plugin info using REST api as an anonymous user.
> >>>> I enabled security with following settings:
> >>>>  * jenkins own db
> >>>>  * logged-in user can do anything
> >>>>  * prevent cross site request
> >>>>
> >>>> While not logged in I can get plugin info using
> >>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
> >>>>
> >>>> Maybe there's some setting you have enabled that's causing your
> >>>> jenkins to require admin to access plugin info?
> >
> > LTS is 1.651.x. My missive about the change being between 1.651.1 and
> > 1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
> > lockdown occurred.
> >
> > As for what we have enabled in the security system. We use the matrix
> > security setup.
> >
> > Our JJB user is granted rights inside the job category. To be specific:
> >
> > Job: Configure, Create, Delete, Discover, Read, Workspace
> > Overall: Read
> >
> > There is no configuration option for listing the plugins. You only get
> > access to it if you have Overall: Administer with the changes that came
> > in with 1.651.2 unless there's a permission knob under the covers we
> > haven't managed to figure out yet.
> >
> > -Andy-
> >
> > --
> > Andrew J Grimberg
> > Systems Administrator
> > Release Engineering Team Lead
> > The Linux Foundation
> >
>
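The Groovy-script route that Zaro and Thanh discuss, written out as an added example (not code from this thread, from JJB or from python-jenkins): it assumes a python-jenkins `Jenkins` object for `run_script()` and an account holding Overall/Read plus Overall/RunScripts, reads shortName, version and active from each `PluginWrapper` instead of just listing the wrappers, reshapes the output into the structure JJB previously got from `/pluginManager/api/json?depth=1`, and goes one step further with a minimum-version check of the kind a consumer of that data needs; the sample output is constructed, not captured from a real server.

```python
import re

# Groovy run inside the Jenkins JVM through python-jenkins' run_script(). Each
# PluginWrapper exposes the fields that /pluginManager/api/json?depth=1 served
# before 1.651.2 restricted that endpoint to Overall/Administer.
PLUGIN_INFO_SCRIPT = r'''
Jenkins.instance.pluginManager.plugins.each { p ->
    println(p.shortName + "\t" + p.version + "\t" + p.active)
}
'''
# Constructed sample of what the script prints; not captured from a real server.
SAMPLE_OUTPUT = "git\t2.4.4\ttrue\ncredentials\t1.24\ttrue\nmatrix-auth\t1.2\tfalse\n"


def parse_plugin_output(text):
    """Turn the tab-separated lines into the list-of-dicts shape that the
    JSON endpoint returns under "plugins", sorted by shortName."""
    plugins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError("unexpected script output line: %r" % line)
        short_name, version, active = parts
        plugins.append({"shortName": short_name, "version": version,
                        "active": active == "true"})
    return sorted(plugins, key=lambda p: p["shortName"])


def fetch_plugin_info(server):
    """`server` is assumed to be a python-jenkins Jenkins object (anything with
    run_script(groovy) -> str works) bound to a Read + RunScripts account."""
    return parse_plugin_output(server.run_script(PLUGIN_INFO_SCRIPT))


def version_key(version):
    """Sort key for versions like "1.24" or "2.4.4": numeric parts compare as
    integers, others as strings (a "-beta-1" suffix sorts after the release)."""
    return tuple((0, int(part)) if part.isdigit() else (1, part)
                 for part in re.split(r"[.\-]", version))


def find_outdated(plugins, minimums):
    """Map shortName -> installed version for plugins that are inactive or
    older than the minimum given in `minimums` (shortName -> version)."""
    outdated = {}
    for plugin in plugins:
        wanted = minimums.get(plugin["shortName"])
        if wanted is not None and (not plugin["active"] or
                                   version_key(plugin["version"]) < version_key(wanted)):
            outdated[plugin["shortName"]] = plugin["version"]
    return outdated
```

Overall/RunScripts lets the account execute arbitrary code inside the Jenkins JVM, so it is effectively administrator-equivalent and does not lower the trust placed in the JJB credentials; the dedicated permission for reading plugin metadata that Thanh proposes is the only real least-privilege fix.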