Open frluo opened 5 years ago
Fearxpc
commented
5 years ago +1 Facing the same problem. We manage all of our permissions on top level folders and don't want to set global permission Job/Build to all users.
I think the main problem is here in line 60 where the ACL is requested of the Jenkins instance only. https://github.com/jenkinsci/gitlab-plugin/blob/5b278e0613d14a96894570a58504a6acaba11687/src/main/java/com/dabsquared/gitlabjenkins/webhook/build/BuildWebHookAction.java#L58-L66
tobias-richter
commented
4 years ago +1 for this. I just run into this issue on a Jenkins 2.235.3 with Role-Based-Strategy. I have a user that has no global build rights but inside the folder.
Willem1987
commented
3 years ago There seems to be a 1.5.17 sources release but no hpi? Is there any ETA on this?
Fearxpc
commented
3 years ago There seems to be a 1.5.17 sources release but no hpi? Is there any ETA on this?
Please check this issue: https://github.com/jenkinsci/gitlab-plugin/issues/1027
ghost
commented
2 years ago +1, I'm running Jenkins 2.303.3 and Gitlab Plugin 1.5.22 and I still have this issue.
If people/groups don't have global Job/Build they are not able to build anything.
hudson.security.AccessDeniedException3: user.name is missing the Job/Build permission
issue
Per plugin instruction document, I try to use userid+token for Jenkins job authentication: https://github.com/jenkinsci/gitlab-plugin#gitlab-to-jenkins-authentication, and use Configuring global authentication.
First, I grant the user with job/Build permission to certain jobs, e.g. grant permission to a folder which has several jobs. Second, I grant the user permission in global level, i.e. all jobs that has been assigned with job/Build permission.
After setting up above webhook in GitLab, and trigger the Job via GitLab, in the first scenario, the authentication is failed with code 403. and the second scenario is successful.
It seems GitLab plugin do not verify the folder level job/Build permission, instead, it checks only towards global job/Build permission.
Context
Logs & Traces
HTTP ERROR 403
Problem accessing /project/CTO/DevOps/sandbox/demo/test-global-role. Reason:
Powered by Jetty:// 9.4.z-SNAPSHOT
in Jenkins log: Jul 18, 2019 3:36:30 AM FINEST com.dabsquared.gitlabjenkins.webhook.build.BuildWebHookAction Unauthorized (Did you forget to add API Token to the web hook ?)
Problem description
Describe your problem in a meaningful way:
what were you doing (simple push, merge request, MR with fork, ...) Configure a Jenkins job webhook in gitlab in use global authentication way, i.e. with userid+API token+Jenkins Job URL. And trigger a push event from GitLab. This userid has been assigned with Job/Build permission for certain folders in Jenkins.
what was expected The webhook is able to trigger Jenkins job.
what occurred finally The push event from GitLab is rejected with code 403, user is missing Job/Build permission. When user assigned with global Job/Build permission, the Jenkins job can be triggered successfully.