I took a look at the groovy script idea. I think it might work but would be a bit more involved than the example. It seems Jenkins.instance.pluginManager.plugins simply prints a list of all plugins without their details like version etc...
Regards,
Thanh

On 14 June 2016 at 20:11, Zaro <zaro0...@gmail.com> wrote:

> Thanks for the clarification Andrew. I almost thought you guys knew
> something that upstream Jenkins didn't ; ) I am able to repro with
> ver 1.651.2. I agree with Thanh, the correct fix is to add a new ACLs
> to jenkins security plugin to allow retrieving plugin info. I've
> reviewed Thanh's workaround and it seems ok to me. The other possible
> workaround you might consider is to create a user with 'Read' and
> 'RunScripts' access which would allow running a groovy script [1] to
> get the plugin info.
>
> [1]
> https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script
>
>
> On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
> <agrimb...@linuxfoundation.org> wrote:
> > On 06/14/2016 12:18 PM, Zaro wrote:
> >> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> >>
> >>
> >> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
> >> <daragh.bai...@gmail.com> wrote:
> >>> The 1.652.x series is an lts release, so fixes were backported to it that
> >>> are not in subsequent dev releases.
> >>>
> >>> Darragh Bailey
> >>> "Nothing is foolproof to a sufficiently talented fool" - unknown
> >>>
> >>> On 14 Jun 2016 20:02, "Zaro" <zaro0...@gmail.com> wrote:
> >>>>
> >>>> ----- [ snippet ] ------------
> >>>>>
> >>>>> The behavior changed between 1.651.1 and 1.652.2.
> >>>>>
> >>>>> Specifically this was a security fix that came in with 1.652.2. See the
> >>>>> security fixes [0] that came with the release notes. Search for
> >>>>> SECURITY-250 or CVE-2016-3723.
> >>>>>
> >>>>> -Andy-
> >>>>>
> >>>>> [0]
> >>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
> >>>>
> >>>> Hmm. I just tested with Jenkins ver 1.653 and was still able to
> >>>> access plugin info using REST api as an anonymous user.
> >>>> I enabled security with following settings:
> >>>> * jenkins own db
> >>>> * logged-in user can do anything
> >>>> * prevent cross site request
> >>>>
> >>>> While not logged in I can get plugin info using
> >>>> '<jenkins-baseurl>/pluginManager/api/json?depth=1'
> >>>>
> >>>> Maybe this there's some setting you have enabled that's causing your
> >>>> jenkins to require admin to access plugin info?
> >
> > LTS is 1.651.x. My missive about the change being between 1.651.1 and
> > 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
> > down occurred.
> >
> > As for what we have enabled in the security system. We use the matrix
> > security setup.
> >
> > Our JJB user is granted rights inside the job category. To be specific:
> >
> > Job: Configure, Create, Delete, Discover, Read, Workspace
> > Overall: Read
> >
> > There is no configuration option for listing the plugins. You only get
> > access to it if you have Overall: Administer with the changes that came
> > in with 1.651.2 unless there's a permission knob under the covers we
> > haven't managed to figure out yet.
> >
> > -Andy-
> >
> > --
> > Andrew J Grimberg
> > Systems Administrator
> > Release Engineering Team Lead
> > The Linux Foundation
_______________________________________________
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
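
The Groovy-script workaround discussed in this thread, sketched as an added example (not code from any of the posters or from python-jenkins): the script asks each plugin for its short name, version and enabled flag, and the Python side parses what `run_script` returns. `PLUGIN_SCRIPT`, `parse_plugin_lines`, `plugin_versions` and `FakeServer` are hypothetical names, and the sample output is constructed.

```python
# Added example, not code from the thread. Assumes `server` is a python-jenkins
# jenkins.Jenkins object (or anything exposing the same run_script method).

# Groovy executed by Jenkins. Each PluginWrapper exposes shortName, version
# and enabled; one tab-separated line is printed per plugin. The trailing
# `null` keeps the script console from appending a "Result: ..." line.
PLUGIN_SCRIPT = r"""
Jenkins.instance.pluginManager.plugins.each {
    println([it.shortName, it.version, it.enabled].join('\t'))
}
null
"""


def parse_plugin_lines(output):
    """Turn the script's tab-separated output into {shortName: {...}}."""
    plugins = {}
    for line in output.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # blank line, "Result: ..." line, or other console noise
        name, version, enabled = fields
        plugins[name] = {"version": version, "enabled": enabled == "true"}
    return plugins


def plugin_versions(server):
    """Run the Groovy script through run_script and parse what it prints."""
    return parse_plugin_lines(server.run_script(PLUGIN_SCRIPT))


class FakeServer:
    """Stand-in for jenkins.Jenkins so the example runs offline."""

    def run_script(self, script):
        # Constructed sample output, not captured from a real Jenkins.
        return "git\t2.4.4\ttrue\nmatrix-auth\t1.4\tfalse\nResult: done\n"


if __name__ == "__main__":
    for name, info in sorted(plugin_versions(FakeServer()).items()):
        state = "enabled" if info["enabled"] else "disabled"
        print(name, info["version"], state)
```

With a real server, pass a `jenkins.Jenkins` object in place of `FakeServer`; the account needs the 'Read' and 'RunScripts' permissions mentioned in the thread. Because RunScripts lets the account execute arbitrary Groovy inside Jenkins, its credentials deserve the same protection as an administrator's.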