[OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

Zaro zaro0508 at gmail.com
Wed Jun 15 23:44:22 UTC 2016


That's just a basic sample script.  Here's a script that will give you
more info:   https://stackoverflow.com/questions/9815273/how-to-get-a-list-of-installed-jenkins-plugins-with-name-and-version-pair

-Khai

On Wed, Jun 15, 2016 at 4:32 PM, Thanh Ha <thanh.ha at linuxfoundation.org> wrote:
> I took a look at the groovy script idea. I think it might work but would be
> a bit more involved than the example. It seems
> Jenkins.instance.pluginManager.plugins simply prints a list of all plugins
> without their details like version etc...
>
> Regards,
> Thanh
>
> On 14 June 2016 at 20:11, Zaro <zaro0508 at gmail.com> wrote:
>>
>> Thanks for the clarification Andrew.  I almost thought you guys knew
>> something that upstream Jenkins didn't ; )  I am able to repro with
>> ver 1.651.2.  I agree with Thanh, the correct fix is to add new ACLs
>> to the jenkins security plugin to allow retrieving plugin info.  I've
>> reviewed Thanh's workaround and it seems ok to me.  The other possible
>> workaround you might consider is to create a user with 'Read' and
>> 'RunScripts' access which would allow running a groovy script [1] to
>> get the plugin info.
>>
>> [1]
>> https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script
>>
>>
>> On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
>> <agrimberg at linuxfoundation.org> wrote:
>> > On 06/14/2016 12:18 PM, Zaro wrote:
>> >> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>> >>
>> >>
>> >> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>> >> <daragh.bailey at gmail.com> wrote:
>> >>> The 1.652.x series is an LTS release, so fixes were backported to it
>> >>> that
>> >>> are not in subsequent dev releases.
>> >>>
>> >>> Darragh Bailey
>> >>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>> >>>
>> >>> On 14 Jun 2016 20:02, "Zaro" <zaro0508 at gmail.com> wrote:
>> >>>>
>> >>>> ----- [ snippet ] ------------
>> >>>>>
>> >>>>> The behavior changed between 1.651.1 and 1.652.2.
>> >>>>>
>> >>>>> Specifically this was a security fix that came in with 1.652.2. See
>> >>>>> the
>> >>>>> security fixes [0] that came with the release notes. Search for
>> >>>>> SECURITY-250 or CVE-2016-3723.
>> >>>>>
>> >>>>> -Andy-
>> >>>>>
>> >>>>> [0]
>> >>>>>
>> >>>>>
>> >>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>> >>>>
>> >>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>> >>>> access plugin info using REST api as an anonymous user.
>> >>>> I enabled security with following settings:
>> >>>>  * jenkins own db
>> >>>>  * logged-in user can do anything
>> >>>>  * prevent cross site request
>> >>>>
>> >>>> While not logged in I can get plugin info using
>> >>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>> >>>>
>> >>>> Maybe there's some setting you have enabled that's causing your
>> >>>> jenkins to require admin to access plugin info?
>> >
>> > LTS is 1.651.x. My missive about the change being between 1.651.1 and
>> > 1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
>> > lockdown occurred.
>> >
>> > As for what we have enabled in the security system. We use the matrix
>> > security setup.
>> >
>> > Our JJB user is granted rights inside the job category. To be specific:
>> >
>> > Job: Configure, Create, Delete, Discover, Read, Workspace
>> > Overall: Read
>> >
>> > There is no configuration option for listing the plugins. You only get
>> > access to it if you have Overall: Administer with the changes that came
>> > in with 1.651.2 unless there's a permission knob under the covers we
>> > haven't managed to figure out yet.
>> >
>> > -Andy-
>> >
>> > --
>> > Andrew J Grimberg
>> > Systems Administrator
>> > Release Engineering Team Lead
>> > The Linux Foundation
>> >
>
>
>
> _______________________________________________
> OpenStack-Infra mailing list
> OpenStack-Infra at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
>
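The thread turns on one behaviour: since Jenkins 1.651.2 (SECURITY-250 / CVE-2016-3723) the endpoint `<jenkins-baseurl>/pluginManager/api/json?depth=1` answers 403 unless the caller holds Overall/Administer, which is why a JJB service account with only Job and Overall/Read rights can no longer read the plugin inventory. The script below is an added example, not code from this thread, from JJB or from python-jenkins. It queries that endpoint with optional HTTP basic credentials and reports whether the account is allowed to read the inventory, so an operator can confirm which accounts hold that right without granting more. To run offline it includes a small stand-in server that enforces the same rule; the server, the `admin`/`jjb` accounts and the plugin list it returns are all constructed for the example and are not real Jenkins behaviour beyond the 403-vs-200 distinction the thread describes.

```python
"""Check which Jenkins credentials can read the plugin inventory.

Added example (not from the thread, JJB or python-jenkins). The endpoint is
the one named in the thread; the stand-in server, account names and sample
plugin data are constructed for this example.
"""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PLUGIN_ENDPOINT = "/pluginManager/api/json?depth=1"

# Constructed sample response, shaped like the real endpoint's output.
SAMPLE_PLUGINS = {"plugins": [
    {"shortName": "git", "version": "2.4.4", "enabled": True},
    {"shortName": "gerrit-trigger", "version": "2.21.1", "enabled": True},
]}


def fetch_plugin_inventory(base_url, username=None, password=None, timeout=5):
    """Query the plugin inventory endpoint.

    Returns ("ok", {shortName: version}) on success,
            ("forbidden", None) when the server answers 403, i.e. the account
            lacks Overall/Administer on Jenkins >= 1.651.2,
            ("error", status) for any other HTTP error.
    """
    req = Request(base_url.rstrip("/") + PLUGIN_ENDPOINT)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urlopen(req, timeout=timeout) as resp:
            data = json.load(resp)
    except HTTPError as err:
        if err.code == 403:
            return ("forbidden", None)
        return ("error", err.code)
    return ("ok", {p["shortName"]: p["version"] for p in data.get("plugins", [])})


class _FakeJenkins(BaseHTTPRequestHandler):
    """Constructed stand-in: only the hypothetical admin account may read
    the plugin list, mirroring the post-1.651.2 permission check."""
    ADMIN_AUTH = "Basic " + base64.b64encode(b"admin:admin-pass").decode()

    def do_GET(self):
        if not self.path.startswith("/pluginManager/api/json"):
            self.send_error(404)
            return
        if self.headers.get("Authorization") != self.ADMIN_AUTH:
            self.send_error(403, "Overall/Administer permission required")
            return
        body = json.dumps(SAMPLE_PLUGINS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_jenkins():
    """Start the stand-in server on a free loopback port; returns (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Probe the stand-in as anonymous, as a JJB-style user and as admin."""
    server, url = start_fake_jenkins()
    try:
        return {
            "anonymous": fetch_plugin_inventory(url),
            "jjb_user": fetch_plugin_inventory(url, "jjb", "jjb-pass"),
            "admin": fetch_plugin_inventory(url, "admin", "admin-pass"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for account, result in demo().items():
        print(f"{account:10s} -> {result}")
```

Against a real instance, point `fetch_plugin_inventory` at the Jenkins base URL with the service account's credentials (an API token works in place of the password); a `forbidden` result for the JJB account is the expected outcome on 1.651.2 and later, and an `ok` result tells you that account holds Overall/Administer.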
