[cbi-dev] Make jenkins.eclipse.org job config publicly visible by default?
Mickael Istria
2018-10-10 07:49:23 UTC
Hi,

Is there a way, with new Jenkins instances, to make the job configuration
and builds publicly visible by default?
I think it would really help projects to learn from each other, and make it
easier for projects to grow a community if non-committers are also allowed
to see build results and configuration.
I didn't even find a way to configure it manually...
Do you want me to open a bug about it?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
Frederic Gurr
2018-10-10 09:41:34 UTC
Hi,

By default, anonymous users have the following permissions:

* Overall/Read
* Job/Read

So anonymous users can see build results, build artifacts & console logs.

By default, all logged in committers also have the following permission:

* Job/ExtendedRead

This allows *reading* the job configuration.
Allowing non-privileged users to read the job configuration *can* be a
potential security issue.

Admin permissions are required to change the permissions (Manage ->
Configure Global Security) JIPP-wide.
On the old infra, permissions can also be changed on a job-level (Enable
project-based security), e.g. like it was done here:
https://ci.eclipse.org/acute/job/aCute-sonarqube/configure
This is not supported on CJE.

Hope that helps,

Fred
Post by Mickael Istria
Hi,
Is there a way, with new Jenkins instances, to make the job
configuration and builds publicly visible by default?
I think it would really help projects to learn from each other, and make
it easier for projects to grow a community if non-committers are also
allowed to see build results and configuration.
I didn't even find a way to configure it manually...
Do you want me to open a bug about it?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
_______________________________________________
cbi-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev
--
Frederic Gurr
Release Engineer | Eclipse Foundation Europe GmbH

Annastr. 44, D-64673 Zwingenberg
Handelsregister: Darmstadt HRB 92821
Managing Directors: Ralph Mueller, Mike Milinkovich, Chris Laroque
Mickael Istria
2018-10-10 10:07:01 UTC
On Wed, Oct 10, 2018 at 11:41 AM Frederic Gurr <
Post by Frederic Gurr
* Overall/Read
* Job/Read
So anonymous users can see build results, build artifacts & console logs.
Ok, so that could be an issue with my specific pipeline job then.
On https://jenkins.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/ , if
I'm not logged in, I can't see the Pull Request jobs. I'd like any user to
be able to look at PR build status.
Post by Frederic Gurr
* Job/ExtendedRead
This allows to *read* the job configuration.
Ok, good then.

Post by Frederic Gurr
Allowing non-privileged users to read the job configuration *can* be a
potential security issue.
Out of curiosity, what kind of security issue could it be?
Ed Willink
2018-10-10 10:29:16 UTC
Hi

Before sending my earlier too-simple response to accessing
download.eclipse.org, I checked and corrected the permissions of
https://ci.eclipse.org/ocl/job/promoter/

It would appear that the intention to provide read access by default is
not happening in practice. It would appear that most jobs do not comply.

I see two sets of defaults. One for anonymous and one for authenticated
users. Does "authenticated" mean logged in? Both sets of permissions
seem blank by default.

I feel that it is very important to at least allow logged in users to
read the job config. The only security issue I can see is if some script
has a clear text password, which seems like a very undesirable practice
meriting an alternative solution, just possibly an explicitly private
config.

    Regards

        Ed Willink
Post by Mickael Istria
On Wed, Oct 10, 2018 at 11:41 AM Frederic Gurr
* Overall/Read
* Job/Read
So anonymous users can see build results, build artifacts & console logs.
Ok, so that could be an issue with my specific pipeline job then.
On https://jenkins.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/
, if I'm not logged in, I can't see the Pull Request jobs. I'd like
any user to be able to look at PR build status.
* Job/ExtendedRead
This allows to *read* the job configuration.
Ok, good then.
Allowing non-privileged users to read the job configuration *can* be a
potential security issue.
Out of curiosity, what kind of security issue could it be?
Frederic Gurr
2018-10-10 10:58:00 UTC
Hi,
Post by Ed Willink
Hi
It would appear that the intention to provide read access by default is
not happening in practice. It would appear that most jobs do not comply.
I see two sets of defaults. One for anonymous and one for authenticated
users. Does "authenticated" mean logged in?
Yes
Post by Ed Willink
Both sets of permissions seem blank by default.
You are looking at the job config, but I was referring to the Global
security settings, where anonymous - as mentioned - has Overall Read and
Job Read permissions. Authenticated Users is a default group that has
indeed no permissions. It does not matter though, since all logged in
users belong to the common group which has Overall Read, Job Read and
Job ExtendedRead permissions.

All jobs inherit the global permissions. The permissions work
additively, so you can't take away a permission on job level that has
been granted globally.

Regards,

Fred
Frederic Gurr
2018-10-10 10:44:32 UTC
Hi,
Post by Frederic Gurr
* Overall/Read
* Job/Read
So anonymous users can see build results, build artifacts & console logs.
Ok, so that could be an issue with my specific pipeline job then.
On https://jenkins.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/ ,
if I'm not logged in, I can't see the Pull Request jobs. I'd like any
user to be able to look at PR build status.
Might also be a missing configuration or even a bug.
Post by Frederic Gurr
Allowing non-privileged users to read the job configuration *can* be a
potential security issue.
Out of curiosity, what kind of security issue could it be?
E.g. clear text password/credentials exposed in the config.

Regards,

Fred
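As an added illustration of the clear-text-credentials risk Fred names above (example code written for this page, not from the thread or the Eclipse CBI tooling): a small Python check that scans a Jenkins job config.xml for secrets stored in the clear before a job is opened up with Job/ExtendedRead. The sample XML is constructed; the assumptions that Jenkins-encrypted values appear as `{base64}` and that `${VAR}` references are resolved at build time are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample job config.xml; not copied from any real Eclipse job.
SAMPLE_CONFIG_XML = """<project>
  <description>sonar analysis</description>
  <builders>
    <hudson.tasks.Shell>
      <command>mvn sonar:sonar -Dsonar.login=hunter2 -Dsonar.host.url=https://sonar.example.org</command>
    </hudson.tasks.Shell>
  </builders>
  <publishers>
    <hudson.plugins.Publisher>
      <password>{AQAAABAAAAAQ0JfK3c5e9bK4Z1u7g2xw1dTz8c9Q4c1g2xw1dTz8c9Q=}</password>
      <apiToken>${SONAR_TOKEN}</apiToken>
    </hudson.plugins.Publisher>
  </publishers>
</project>
"""

# Element names that usually hold a credential.
SENSITIVE_NAME = re.compile(r"(passw(or)?d|secret|token|credential|api[_-]?key|login)", re.I)
# Assumption: Jenkins hudson.util.Secret values are persisted encrypted as {base64},
# so a value of that shape is not a clear-text secret.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# ${VAR} is a reference resolved at build time (credentials binding, env), not a literal.
PLACEHOLDER_VALUE = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")
# key=value pairs embedded in shell steps, e.g. -Dsonar.login=hunter2
INLINE_ASSIGNMENT = re.compile(
    r"(?P<key>[A-Za-z0-9_.]*(?:passw(?:or)?d|secret|token|login|key))=(?P<val>\S+)", re.I)


def find_clear_text_secrets(config_xml: str):
    """Return (location, value) pairs that look like clear-text secrets in a job config."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        if SENSITIVE_NAME.search(elem.tag):
            # Credential-looking element: fine only if encrypted or a placeholder.
            if not (ENCRYPTED_VALUE.match(text) or PLACEHOLDER_VALUE.match(text)):
                findings.append((elem.tag, text))
            continue
        # Other elements (shell commands, properties): look for inline key=value secrets.
        for m in INLINE_ASSIGNMENT.finditer(text):
            if not PLACEHOLDER_VALUE.match(m.group("val")):
                findings.append((f"{elem.tag}:{m.group('key')}", m.group("val")))
    return findings
```

Running it over the sample flags only the `-Dsonar.login=hunter2` literal in the shell step; the encrypted `<password>` and the `${SONAR_TOKEN}` reference pass.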
Mickael Istria
2018-10-10 10:53:55 UTC
On Wed, Oct 10, 2018 at 12:44 PM Frederic Gurr <
Post by Frederic Gurr
Hi,
Post by Frederic Gurr
* Overall/Read
* Job/Read
So anonymous users can see build results, build artifacts & console logs.
Ok, so that could be an issue with my specific pipeline job then.
On https://jenkins.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/ ,
if I'm not logged in, I can't see the Pull Request jobs. I'd like any
user to be able to look at PR build status.
Might also be a missing configuration or even a bug.
Would you be able to help me in troubleshooting that? Do you want a ticket
on bugs.eclipse.org for this issue/work item?
Frederic Gurr
2018-10-10 11:26:29 UTC
Hi,
Post by Mickael Istria
Would you be able to help me in troubleshooting that? Do you want a
ticket on bugs.eclipse.org <http://bugs.eclipse.org> for this issue/work
item?
AFAICT there is no job specific setting for this. It seems to work in
the old infra environment (see https://ci.eclipse.org/acute/job/aCute/).
Not sure if this is a CJE restriction or bug.

I'd recommend asking on the Jenkins users group:
https://groups.google.com/forum/#!forum/jenkinsci-users
or open a bug on the Jenkins JIRA:
https://issues.jenkins-ci.org

Regards,

Fred