Hi everyone,

When I investigated the cause for a bug involving Blue Ocean and Matrix Auth plugins today (JENKINS-46540), I noticed that it seems undefined whether "Overall" permissions would be granted on non-root objects.

This matters because Matrix Auth plugin allows not inheriting permissions from higher level ACLs, so that something like "Access to all jobs except X" can more easily be implemented through the few jobs that are exceptions, rather than granting the permission individually on all other jobs. As a side effect, checking for Overall/Read on non-root level, for example l:task's `permission` attribute, will now fail (which AFAICT is ultimately the cause of JENKINS-46540).

Obviously, checking Overall/Read is generally not useful outside of UnprotectedRootActions with nontrivial behavior, as users are expected to have this permission to even see the UI that would check that permission.

Perhaps a better example: I expect the same problem applies to an agent level permission check for Overall/RunScripts to display the agent script console link in Computer/sidepanel.jelly. Of course, we don't allow these 'dangerous' permissions to be granted independent of Administer without jumping through hoops for a few years now, so it's not a great example either.

To not prevent accidental locking out of administrators, Overall/Administer is an exception to permissions not being inherited in Matrix Auth, so cannot serve as an example here.

What is the correct behavior for authorization realms here? Should Overall/* permissions be inherited by all ACLs?
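
The inheritance behaviour described in the message, as an added example that is not part of the original post and is not Jenkins or Matrix Auth code: a simplified Python model in which a node can opt out of inheriting from higher-level ACLs, plus an audit that lists Overall/* grants that stop being visible below the root. The `Node`, `has_permission` and `lost_overall_grants` names and the sample hierarchy are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

ADMINISTER = "Overall/Administer"

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True                        # False: ignore higher-level ACLs
    grants: dict = field(default_factory=dict)  # user -> set of permission names

def root_of(node):
    while node.parent is not None:
        node = node.parent
    return node

def has_permission(node, user, perm):
    # Exception from the message: Overall/Administer ignores the inherit flag.
    if perm == ADMINISTER:
        return ADMINISTER in root_of(node).grants.get(user, set())
    cur = node
    while cur is not None:
        if perm in cur.grants.get(user, set()):
            return True
        # Stop walking upwards as soon as a node opts out of inheritance.
        cur = cur.parent if cur.inherit else None
    return False

def lost_overall_grants(nodes):
    """(user, node, permission) triples where an Overall/* grant made at the
    root is not visible when the same check runs against a lower-level node."""
    lost = []
    for node in nodes:
        for user, perms in sorted(root_of(node).grants.items()):
            for perm in sorted(perms):
                if perm.startswith("Overall/") and not has_permission(node, user, perm):
                    lost.append((user, node.name, perm))
    return lost

# Constructed sample hierarchy: job-x is the "exception" job without inheritance.
root = Node("root", grants={"alice": {"Overall/Read", "Job/Read"},
                            "admin": {ADMINISTER}})
job_a = Node("job-a", parent=root)
job_x = Node("job-x", parent=root, inherit=False, grants={"alice": {"Job/Read"}})

if __name__ == "__main__":
    print(lost_overall_grants([root, job_a, job_x]))
```
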