jenkinsci / openstack-cloud-plugin

Provision nodes from OpenStack on demand
https://plugins.jenkins.io/openstack-cloud
MIT License

v2.36 security breaks plugin's ability to automatically add more minions #208

Closed zxiiro closed 6 years ago

zxiiro commented 6 years ago

It seems like the security patch v2.36 breaks the plugin in a few ways.

  1. Minions no longer get removed automatically from the openstack side
  2. New minions don't always spawn in a timely manner / or at all

It appears like the plugin is expecting the anonymous user to have the Overall/Administer permission which I am assuming the security fix secured.

```
INFO: Started provisioning prd-centos7-builder-2c-2g from odlvex with 1 executors. Remaining excess workload: 0
Jun 26, 2018 6:20:23 AM jenkins.plugins.openstack.compute.JCloudsSlaveTemplate provision
INFO: Provisioning new openstack server prd-centos7-builder-2c-2g-291 with options jenkins.plugins.openstack.compute.SlaveOptions@1b19bdb0[bootSource=Image ZZCI - CentOS 7 - builder - 20180611-1830,hardwareId=def1b86f-b7f8-4943-b430-4a0599170006,networkId=b5fcd86e-efac-4997-b8bc-dbe0d35bc229,userDataId=jenkins-init-script,instanceCap=75,instancesMin=0,floatingIpPool=<null>,securityGroups=default,availabilityZone=ca-ymq-2,startTimeout=600000,keyPairName=jenkins-ssh,numExecutors=1,jvmOptions=<null>,fsRoot=/w,launcherFactory=LauncherFactory.SSH: credId:jenkins-ssh, javaPath:null,retentionTime=0]
Jun 26, 2018 6:20:23 AM hudson.slaves.NodeProvisioner$2 run
WARNING: Unexpected exception encountered while provisioning agent prd-centos7-builder-2c-8g
hudson.security.AccessDeniedException2: anonymous is missing the Overall/Administer permission
        at hudson.security.ACL.checkPermission(ACL.java:68)
        at jenkins.plugins.openstack.compute.auth.OpenstackCredentials.getCredential(OpenstackCredentials.java:19)
        at jenkins.plugins.openstack.compute.JCloudsCloud.getOpenstack(JCloudsCloud.java:431)
        at jenkins.plugins.openstack.compute.JCloudsSlaveTemplate.provision(JCloudsSlaveTemplate.java:282)
        at jenkins.plugins.openstack.compute.JCloudsSlaveTemplate.provision(JCloudsSlaveTemplate.java:262)
        at jenkins.plugins.openstack.compute.JCloudsSlaveTemplate.provisionSlave(JCloudsSlaveTemplate.java:207)
        at jenkins.plugins.openstack.compute.JCloudsCloud$NodeCallable.call(JCloudsCloud.java:310)
        at jenkins.plugins.openstack.compute.JCloudsCloud$NodeCallable.call(JCloudsCloud.java:297)
        at jenkins.util.ContextResettingExecutorService$2.call(ContextResettingExecutorService.java:46)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
```

zxiiro commented 6 years ago

This particular failure seems to be coming from the OpenstackCredentials file.

```java
public static @CheckForNull OpenstackCredential getCredential(@CheckForNull String credentialId) {
    Jenkins.getInstance().getACL().checkPermission(Jenkins.ADMINISTER);
    // ... (rest of the method not shown)
}
```

So the plugin itself appears to be using the anonymous account to query this information but I think the plugin needs to query the info as an admin user.

olivergondza commented 6 years ago

Hmm, for some reason this is not covered by unit tests.

zxiiro commented 6 years ago

Something else I found out is if you go to "Manage Nodes" and manually click to provision the node, it works and there is no permissions issue.

It seems to only affect the automated provisioner, which is using anonymous permissions I guess to query openstack and see if there are sufficient nodes.

olivergondza commented 6 years ago

@zxiiro, thanks for the report. I am releasing the fix now.
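
A minimal model of the failure reported in this thread, as an added example that is neither the plugin's code nor the fix that was released: a permission check placed inside a shared lookup passes on an admin's request thread but fails on a background pool thread that carries no user. A `ThreadLocal` stands in for Jenkins' per-thread authentication, and every class, method and credential name below is hypothetical.

```java
import java.util.concurrent.*;

// Model only: a ThreadLocal stands in for Jenkins' per-thread authentication.
// All class and method names here are hypothetical, not the plugin's.
public class AclContextDemo {
    static final ThreadLocal<String> CURRENT_USER = ThreadLocal.withInitial(() -> "anonymous");

    static void checkAdminister() {
        if (!"admin".equals(CURRENT_USER.get()))
            throw new SecurityException(CURRENT_USER.get() + " is missing the Overall/Administer permission");
    }

    // Before: the check lives in the shared lookup, so every caller needs an admin identity.
    static String getCredentialChecked(String id) {
        checkAdminister();
        return "credential:" + id;
    }

    // After: the lookup is plain internal code with no check of its own.
    static String getCredential(String id) {
        return "credential:" + id;
    }

    // The check guards the user-facing entry point instead.
    static String uiListCredential(String id) {
        checkAdminister();
        return getCredential(id);
    }

    // Runs the task the way a background provisioner would: on a pool thread with no user attached.
    static String runInBackground(Callable<String> task) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            return pool.submit(task).get();
        } catch (ExecutionException e) {
            return "FAILED: " + e.getCause().getMessage();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        CURRENT_USER.set("admin"); // constructed: an admin clicking in "Manage Nodes"
        System.out.println("manual, before: " + getCredentialChecked("openstack-cred"));
        System.out.println("auto, before:   " + runInBackground(() -> getCredentialChecked("openstack-cred")));
        System.out.println("manual, after:  " + uiListCredential("openstack-cred"));
        System.out.println("auto, after:    " + runInBackground(() -> getCredential("openstack-cred")));
    }
}
```

Moving the check out of the shared lookup only stays safe if every user-facing caller enforces it, so each web-reachable path to the lookup needs its own check and a test that runs as a non-admin user.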