Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread lvoty...@redhat.com
I propose to change RUN_SCRIPTS permission back to ADMINISTER permission 
for Script console, because Script console gives a user with permission 
RUN_SCRIPTS access which should have only user with ADMINISTER permission 
(he can do whatever he wants). What do you think about this?


Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread nicolas de loof
RUN_SCRIPTS is used to allow some user to run (mostly groovy) scripts that
can access Jenkins.instance in-memory model (scriptler, groovy system
script, groovy console), so - as you said - do whatever he wants but some
actions that require explicit ADMINISTER permission.
So imho this makes sense to keep this permission as is.



2012/11/7 lvoty...@redhat.com lvoty...@redhat.com

 I propose to change RUN_SCRIPTS permission back to ADMINISTER permission
 for Script console, because Script console gives a user with permission
 RUN_SCRIPTS access which should have only user with ADMINISTER permission
 (he can do whatever he wants). What do you think about this?



Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread nicolas de loof
so, what would be the RUN_SCRIPTS permission according to your point of
view ?

Scriptler is exactly designed for your use case to let user run
Administrative scripts without ability to edit them, so they can get some
Admini-power delegated for a limited set of use-cases

2012/11/7 lvoty...@redhat.com lvoty...@redhat.com

 I have another point of view - user has permission to run script and does
 not have permission to configure slaves -  with Script console he can do
 it. So I think that System groovy script should run only user with
 ADMINISTER permission.
 I did into Scriptler plugin option user script (scripts which can run
 users with permission RUN_SCRIPTS), because I want to enable them to run
 some system groovy script, but I want to have control over what
 they run too (they can run only scripts which users with ADMINISTER
 permission prepared for them and enabled to them). Script console with
 RUN_SCRIPTS permission (which is in core - so it is not plugin which I do
 not have to install if it does suit to me) makes it impossible to enable users
 without ADMINISTER permission to run some system groovy script and
 interrupt other permission, but only by scripts which I enable them.

 There is example for better understanding the problem which RUN_SCRIPTS
 permission for Script console cause me.

 I want to enable users (without ADMINISTER permission) to configure
 slaves, but I do not want to enable them change labels - so I can not give
 them permission to configure slaves. But with Scriptler plugin I can create
 script which enable configure slave, but does not enable configure labels.



Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread lvoty...@redhat.com
RUN_SCRIPTS permission would be for running system groovy scripts, not for 
creating (in case of system scripts).

If the Script console has RUN_SCRIPT permission, there is almost no 
difference between power of user with RUN_SCRIPT permission and user with 
ADMINISTER permission.

Example:
    public void setAuthorizationStrategy(AuthorizationStrategy a) {
        if (a == null)
            a = AuthorizationStrategy.UNSECURED;
        useSecurity = true;
        authorizationStrategy = a;
    }

This is public method of Jenkins class in which you can set authorization 
strategy which can configure in GUI only user with ADMINISTER permission, 
but with Script console (which has RUN_SCRIPTS permission) can set 
authorization strategy user which does not have ADMINISTER permission. I 
think that it is wrong.



Dynamic Drop DownList Box

2012-11-07 Thread Dimitri CHARLES
Hi,

I am actually implementing a jenkins plugin where I want to update the 
contents of a select control dynamically based on selections of other 
controls.
For instance, if I have 2 selects. The first one contains values (a list 
of environments) like Env1, Env2, Env3 etc. The second one contains values 
(a list of nodes, each environment contains a list of nodes) like n11, 
n12, n13, n21, n22, V23, etc. It can be seen as key value pair. Env1 has n11, 
n12, n13, or Env2 has n21, n22, n23 and so on. I would like when I select 
Env1 or Env2, it displays the correct values in the second select.
I follow the same example in UI Samples plugin in the dynamic dropdown 
list, but it doesn't work. 
Here is my config.jelly file : 

    <f:entry title="Choisir votre environment" field="environments">
        <f:select id="envSelection" name="envSelection"
                  onChange="loadNodesForEnv(this);" />
    </f:entry>
    <f:entry title="Choisir votre noeud" field="nodes">
        <f:select id="nodeSelection" />
    </f:entry>
    ...

In my descriptor, I have written those 2 methods (as the Dynamic Dropdown 
list plugin) :

    public ListBoxModel doFillEnvironmentsItems() {
        LOG.info("=== Environments ===");
        ListBoxModel models = new ListBoxModel();
        List<Environment> envs = EnvironmentManager.getInstance()
                .getEnvironments();
        for (Environment e : envs) {
            models.add(e.getName());
        }
        return models;
    }

    public ListBoxModel doFillNodesItems(@QueryParameter String environments) {
        if (environments == null) {
            LOG.info(" NU ==");
        }
        ListBoxModel models = new ListBoxModel();
        models.add("Nodes test");

        return models;
    }

I am able to update the environments but unable to fill the nodes. In the 
second method, the parameter environments is Null.

How can I correct that.

Best regards


log4j version in jenkins.war is too old

2012-11-07 Thread Ivan Kalinin
Hi, people!

I bumped into a problem with some third-party libraries (namely, 
dasein-cloud-nimbula) that I am trying to use within a plugin. 
The library depends on log4j version no less than 1.2.15, but jenkins.war 
contains 1.2.9 that has classpath precedence over one supplied in plugin 
(or I guess so).
That conflict causes *java.lang.NoSuchMethodError: 
org.apache.log4j.Logger.isTraceEnabled()Z* errors due to the method absent 
in 1.2.9.

mvn dependency:tree points that log4j dependency comes from a 
*org.acegisecurity.acegi-security* dependency in core/pom.xml, but pom for 
the acegi-security contains no version specification in log4j dependency. see 
here: http://repo1.maven.org/maven2/org/acegisecurity/acegi-security/1.0.5/acegi-security-1.0.5.pom

My questions are:

   1. can log4j in Jenkins be promoted to the latest version? If so, I 
   could create a pull request as soon as someone points me the way to do it.
   2. how can I override that dependency problem in my plugin's pom.xml? 
   Maybe, that's not a problem at all.

Testbed that gives me the error is *mvn hpi:run* in my plugin dev project. 

TY for any help or hints.


Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread Jesse Glick

On 11/07/2012 07:40 AM, lvoty...@redhat.com wrote:

there is almost no difference between power of user with RUN_SCRIPT permission 
and user with ADMINISTER permission.


RUN_SCRIPTS is _more_ powerful than ADMINISTER; as you note, it is effectively a universal permission. That is why it exists—to make it possible to grant some users 
ADMINISTER but not RUN_SCRIPTS. While RUN_SCRIPTS is technically impliedBy ADMINISTER as a convenience for typical installations, a specialized authorization strategy can 
nonetheless deny it to some users—crucial for a hosted service which also prevents even users with ADMINISTER from running builds on master, uploading custom plugins, etc.


So I would expect that in Scriptler, RUN_SCRIPTS would be required to create (or download) new scripts, while lesser permissions would suffice to run them. Probably a 
script could have an associated metadata flag to indicate whether or not it does its own authorization. If false, Scriptler would require (global) ADMINISTER; this would 
be a sensible default option for simple scripts expected to be run by Jenkins admins or users of unsecured installations. If true, Scriptler would perform no security 
check on its own, but the script could do so based on the Authentication of the user running the script. For example, a script to add a label to all slaves matching some 
criterion could check for CONFIGURE on each such Slave before doing anything (and decide whether to fail or just issue a warning and continue).
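
The last suggestion above (a script that does its own authorization by checking CONFIGURE on each slave), written out as an added example; it is not part of the thread and not Scriptler code. The name pattern, the label and the `failOnDenied` switch are hypothetical inputs, and the script assumes it runs on the request thread of the invoking user.

```groovy
// Added example: a delegated system Groovy script that authorizes itself.
import hudson.model.Computer
import hudson.model.Slave
import jenkins.model.Jenkins

// Hypothetical inputs, constructed for illustration.
def namePattern  = ~/linux-.*/   // which slaves to touch
def newLabel     = 'docker'      // label to add
def failOnDenied = false         // true: abort on first denial; false: warn and continue

// Assumption: permission checks see the invoking user's Authentication.
// If the script ran as SYSTEM, every check below would pass and protect nothing.
def user = Jenkins.getAuthentication().getName()
def changed = []
def skipped = []

def targets = Jenkins.getInstance().getNodes().findAll {
    it instanceof Slave && it.getNodeName() ==~ namePattern
}
for (slave in targets) {
    // Node is AccessControlled: this asks the ACL of this particular slave.
    if (!slave.hasPermission(Computer.CONFIGURE)) {
        if (failOnDenied) {
            // Throws AccessDeniedException naming the missing permission.
            slave.checkPermission(Computer.CONFIGURE)
        }
        println "WARNING: ${user} lacks CONFIGURE on ${slave.getNodeName()}, skipping"
        skipped << slave.getNodeName()
        continue
    }
    def labels = (slave.getLabelString() ?: '').tokenize()
    if (!labels.contains(newLabel)) {
        slave.setLabelString((labels + newLabel).join(' '))
        changed << slave.getNodeName()
    }
}
// Persisting the change is omitted; the call to use differs between Jenkins versions.
println "changed=${changed} skipped=${skipped}"
```

The check is per slave, so a user with CONFIGURE on only some slaves changes only those; the script never relies on a global permission.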


Re: Commit access for GitHub

2012-11-07 Thread domi
done…
/Domi

On 06.11.2012, at 21:50, kusemuckl kusemu...@googlemail.com wrote:

 Hi!
 
 I would like to move my plugin (utplsql-plugin) to github, to make some 
 modifications. My GitHub ID is kusemuckl. Please give me commit access.
 
 Regards
 
 Nils



Commit Access for GitHub

2012-11-07 Thread David Hayes
Need to bring my Hudson Tray App out of the dark ages somewhat and need 
access to GitHub for this please.

GithubID: davyboyhayes

Many thanks,

David


Re: Commit Access for GitHub

2012-11-07 Thread Christopher Orr

Hi there,

On 07/11/12 19:19, David Hayes wrote:

Need to bring my Hudson Tray App out of the dark ages somewhat and need
access to GitHub for this please.


You should now have access to the repo here:
https://github.com/jenkinsci/hudsontrayapp-plugin

Regards,
Chris



Set Slave ToolInstallation path with groovy cli script

2012-11-07 Thread Matt Gollob
Hello everyone,

I'm looking for help with writing a groovy script for use with jenkins-cli 
that can set the ToolInstallation path for a particular slave and tool. 
 In 
https://wiki.jenkins-ci.org/display/JENKINS/Display+Tools+Location+on+All+Nodes 
I see how I can enumerate all the tools and their installations.  However, 
not being a Java developer, I'm having trouble figuring out what the 
inverse of ToolInstallation.translateFor() might be.

First off, is it possible to set the tool path for a slave from a 
cli/groovy script?  If so, can someone point me in the right direction for 
how I might set (and save) a new path?

Thanks a lot,
Matt


Re: Commit access for GitHub

2012-11-07 Thread Nils op den Winkel
Thanks!


Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread lvoty...@redhat.com
I thought that the most powerful permission should be ADMINISTER (at least 
by documentation). So it is the reason why I want Script console with 
ADMINISTER permission - because it is powerful tool which grants God-like 
access. I think that we do not need some lesser permission to run scripts 
(but not create) if there is a RUN_SCRIPTS permission and ADMINISTER is the 
most powerful.

    /**
     * {@link Permission} that represents the God-like access. Equivalent of
     * Unix root.
     *
     * <p>
     * All permissions are eventually {@linkplain Permission#impliedBy implied
     * by} this permission.
     *
     * @deprecated since 2009-01-23.
     * Access {@link jenkins.model.Jenkins#ADMINISTER} instead.
     */
    public static final Permission HUDSON_ADMINISTER = new Permission(
            HUDSON_PERMISSIONS, "Administer", hudson.model.Messages.
            _Hudson_AdministerPermission_Description(), null);



Re: Request hosting github

2012-11-07 Thread Janario
Thanks.

But as I saw I couldn't do any commit in the fork(new repository).
It also doesn't show in the repositories list after I change to jenkinsci 
organization
It shows the message http-request-plugin Developers grants 1 user admin 
access to 0 repositories. As you see 0 repositories.

May you help me?

Regards 
Janario Oliveira

On Wednesday, November 7, 2012 6:04:58 AM UTC-2, nicolas de loof wrote:

 repo : https://github.com/jenkinsci/http-request-plugin
 ci job : 
 https://jenkins.ci.cloudbees.com/job/plugins/job/http-request-plugin/

 2012/11/7 Janario janari...@gmail.com

 Hi 
 I'd like to request host to my plugin(http-request-plugin). 
 My github is janario 

 Please tell me if I have to do something more. 

 Regards 
 Janario Oliveira




Re: Set Slave ToolInstallation path with groovy cli script

2012-11-07 Thread Jesse Glick

On 11/07/2012 03:42 PM, Matt Gollob wrote:

I'm having trouble figuring out what the inverse of 
ToolInstallation.translateFor() might be


Hint: hudson.tools.ToolLocationNodeProperty


Re: Script console should not have RUN_SCRIPTS permission

2012-11-07 Thread Jesse Glick

On 11/07/2012 05:49 PM, lvoty...@redhat.com wrote:

I thought that the most powerful permission should be ADMINISTER (at least by 
documentation).


The documentation is misleading in this regard.


New Jira component for lotus connections plugin

2012-11-07 Thread Phil Rumble
 Hi,
a jira component for my lotus connections plugin would be very useful (for
bug reports and feature requests), can anyone please add it?

my jira username: philrumble
plugin id: lotus-connections-plugin

Have  Fun,
Phil