On 06/14/2016 12:18 PM, Zaro wrote:
> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>
>
> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
> <[email protected]> wrote:
>> The 1.652.x series is an LTS release, so fixes were backported to it that
>> are not in subsequent dev releases.
>>
>> Darragh Bailey
>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>
>> On 14 Jun 2016 20:02, "Zaro" <[email protected]> wrote:
>>>
>>> ----- [ snippet ] ------------
>>>>
>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>
>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>> security fixes [0] that came with the release notes. Search for
>>>> SECURITY-250 or CVE-2016-3723.
>>>>
>>>> -Andy-
>>>>
>>>> [0]
>>>>
>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>
>>> Hmm. I just tested with Jenkins ver 1.653 and was still able to
>>> access plugin info using the REST API as an anonymous user.
>>> I enabled security with the following settings:
>>> * jenkins own db
>>> * logged-in user can do anything
>>> * prevent cross site request
>>>
>>> While not logged in I can get plugin info using
>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
>>>
>>> Maybe there's some setting you have enabled that's causing your
>>> jenkins to require admin to access plugin info?
LTS is 1.651.x. My missive about the change being between 1.651.1 and 1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security lock down occurred.

As for what we have enabled in the security system: we use the matrix security setup. Our JJB user is granted rights inside the job category. To be specific:

Job: Configure, Create, Delete, Discover, Read, Workspace
Overall: Read

There is no configuration option for listing the plugins. You only get access to it if you have Overall: Administer with the changes that came in with 1.651.2, unless there's a permission knob under the covers we haven't managed to figure out yet.

-Andy-

--
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation
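The two sides of this thread see different behaviour from the same endpoint (anonymous access on 1.653 with "logged-in user can do anything", admin-only on a matrix setup after 1.651.2). The following is an added example, not code from the thread or from the Jenkins project, that an operator can run against their own instance to record which behaviour it actually exhibits: it issues an unauthenticated GET to `<base>/pluginManager/api/json?depth=1`, classifies the HTTP status, and, if a body comes back, reduces it to a plugin inventory. It uses only the Python standard library; the hostname is a placeholder, and the sample response is constructed here to exercise the parser offline (the `shortName`/`version`/`enabled` field names are the ones the Jenkins API export of a plugin uses).

```python
"""Added example: check whether a Jenkins instance serves its plugin
inventory to anonymous callers via /pluginManager/api/json?depth=1.
Before 1.651.2 any caller with Overall: Read got the list; the SECURITY-250
change discussed in the thread restricts it to Overall: Administer."""
import json
import sys
import urllib.error
import urllib.request

PLUGIN_API = "/pluginManager/api/json?depth=1"


def classify_status(status):
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if status == 200:
        return "exposed"        # anonymous callers can list plugins (pre-1.651.2 behaviour)
    if status in (401, 403):
        return "restricted"     # lockdown in effect: Overall: Administer is required
    if status == 404:
        return "not-found"      # wrong base URL, or the endpoint is not served
    return "unknown"


def parse_plugin_inventory(body):
    """Reduce the pluginManager JSON to sorted (shortName, version, enabled) tuples."""
    data = json.loads(body)
    return sorted(
        (p["shortName"], p["version"], bool(p.get("enabled", True)))
        for p in data.get("plugins", [])
    )


def probe_anonymous(base_url, timeout=10):
    """Issue an unauthenticated GET and return (verdict, inventory or None)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PLUGIN_API,
        headers={"User-Agent": "jenkins-plugin-exposure-check"},  # assumed, arbitrary UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
            return classify_status(resp.status), parse_plugin_inventory(body)
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as HTTPError; classify them rather than crashing
        return classify_status(err.code), None


# Constructed sample body shaped like the real endpoint's output, used to
# exercise the parser without a live server.
SAMPLE_BODY = json.dumps({"plugins": [
    {"shortName": "git", "version": "2.4.4", "active": True, "enabled": True},
    {"shortName": "credentials", "version": "1.28", "active": True, "enabled": True},
    {"shortName": "old-plugin", "version": "0.1", "active": False, "enabled": False},
]})


if __name__ == "__main__":
    # Placeholder hostname; pass your own Jenkins base URL as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://jenkins.example.invalid"
    verdict, inventory = probe_anonymous(url)
    print("anonymous plugin listing:", verdict)
    for name, version, enabled in inventory or []:
        print(f"  {name} {version} {'enabled' if enabled else 'disabled'}")
```

A verdict of "exposed" on a matrix-authorization instance means anonymous (or any Overall: Read user) can enumerate installed plugins and versions, which is the condition the 1.651.2 change was meant to close; "restricted" is the post-lockdown state, and for a JJB-style service account with only Job and Overall: Read rights the same request made with its credentials should be denied too.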
_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
