Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
Thanks for the clarification Andrew. I almost thought you guys knew something that upstream Jenkins didn't ; ) I am able to repro with ver 1.651.2. I agree with Thanh, the correct fix is to add new ACLs to the Jenkins security plugin to allow retrieving plugin info. I've reviewed Thanh's workaround and it seems ok to me. The other possible workaround you might consider is to create a user with 'Read' and 'RunScripts' access which would allow running a groovy script [1] to get the plugin info.

[1] https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script

On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg wrote:
> On 06/14/2016 12:18 PM, Zaro wrote:
>> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>>
>> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey wrote:
>>> The 1.652.x series is an lts release, so fixes were backported to it that
>>> are not in subsequent dev releases.
>>>
>>> Darragh Bailey
>>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>>
>>> On 14 Jun 2016 20:02, "Zaro" wrote:
>>>> - [ snippet ]
>>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>>
>>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>>> security fixes [0] that came with the release notes. Search for
>>>>> SECURITY-250 or CVE-2016-3723.
>>>>>
>>>>> -Andy-
>>>>>
>>>>> [0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>>
>>>> Hmm. I just tested with Jenkins ver 1.653 and was still able to
>>>> access plugin info using REST api as an anonymous user.
>>>> I enabled security with following settings:
>>>> * jenkins own db
>>>> * logged-in user can do anything
>>>> * prevent cross site request
>>>>
>>>> While not logged in I can get plugin info using
>>>> '/pluginManager/api/json?depth=1'
>>>>
>>>> Maybe there's some setting you have enabled that's causing your
>>>> jenkins to require admin to access plugin info?
>
> LTS is 1.651.x. My missive about the change being between 1.651.1 and
> 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock
> down occurred.
>
> As for what we have enabled in the security system. We use the matrix
> security setup.
>
> Our JJB user is granted rights inside the job category. To be specific:
>
> Job: Configure, Create, Delete, Discover, Read, Workspace
> Overall: Read
>
> There is no configuration option for listing the plugins. You only get
> access to it if you have Overall: Administer with the changes that came
> in with 1.651.2 unless there's a permission knob under the covers we
> haven't managed to figure out yet.
>
> -Andy-
>
> --
> Andrew J Grimberg
> Systems Administrator
> Release Engineering Team Lead
> The Linux Foundation

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
On 06/14/2016 12:18 PM, Zaro wrote:
> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>
> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey wrote:
>> The 1.652.x series is an lts release, so fixes were backported to it that
>> are not in subsequent dev releases.
>>
>> Darragh Bailey
>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>
>> On 14 Jun 2016 20:02, "Zaro" wrote:
>>> - [ snippet ]
>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>
>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>> security fixes [0] that came with the release notes. Search for
>>>> SECURITY-250 or CVE-2016-3723.
>>>>
>>>> -Andy-
>>>>
>>>> [0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>
>>> Hmm. I just tested with Jenkins ver 1.653 and was still able to
>>> access plugin info using REST api as an anonymous user.
>>> I enabled security with following settings:
>>> * jenkins own db
>>> * logged-in user can do anything
>>> * prevent cross site request
>>>
>>> While not logged in I can get plugin info using
>>> '/pluginManager/api/json?depth=1'
>>>
>>> Maybe there's some setting you have enabled that's causing your
>>> jenkins to require admin to access plugin info?

LTS is 1.651.x. My missive about the change being between 1.651.1 and 1.652.2 is incorrect. It's 1.651.1 and 1.651.2 that the security lock down occurred.

As for what we have enabled in the security system. We use the matrix security setup.

Our JJB user is granted rights inside the job category. To be specific:

Job: Configure, Create, Delete, Discover, Read, Workspace
Overall: Read

There is no configuration option for listing the plugins. You only get access to it if you have Overall: Administer with the changes that came in with 1.651.2 unless there's a permission knob under the covers we haven't managed to figure out yet.

-Andy-

--
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation
Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
ahh, jenkins.io page confused me since it says latest LTS is 1.651.3

On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey wrote:
> The 1.652.x series is an lts release, so fixes were backported to it that
> are not in subsequent dev releases.
>
> Darragh Bailey
> "Nothing is foolproof to a sufficiently talented fool" - unknown
>
> On 14 Jun 2016 20:02, "Zaro" wrote:
>> - [ snippet ]
>>> The behavior changed between 1.651.1 and 1.652.2.
>>>
>>> Specifically this was a security fix that came in with 1.652.2. See the
>>> security fixes [0] that came with the release notes. Search for
>>> SECURITY-250 or CVE-2016-3723.
>>>
>>> -Andy-
>>>
>>> [0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>
>> Hmm. I just tested with Jenkins ver 1.653 and was still able to
>> access plugin info using REST api as an anonymous user.
>> I enabled security with following settings:
>> * jenkins own db
>> * logged-in user can do anything
>> * prevent cross site request
>>
>> While not logged in I can get plugin info using
>> '/pluginManager/api/json?depth=1'
>>
>> Maybe there's some setting you have enabled that's causing your
>> jenkins to require admin to access plugin info?
Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
The 1.652.x series is an lts release, so fixes were backported to it that are not in subsequent dev releases.

Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool" - unknown

On 14 Jun 2016 20:02, "Zaro" wrote:
> - [ snippet ]
>> The behavior changed between 1.651.1 and 1.652.2.
>>
>> Specifically this was a security fix that came in with 1.652.2. See the
>> security fixes [0] that came with the release notes. Search for
>> SECURITY-250 or CVE-2016-3723.
>>
>> -Andy-
>>
>> [0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>
> Hmm. I just tested with Jenkins ver 1.653 and was still able to
> access plugin info using REST api as an anonymous user.
> I enabled security with following settings:
> * jenkins own db
> * logged-in user can do anything
> * prevent cross site request
>
> While not logged in I can get plugin info using
> '/pluginManager/api/json?depth=1'
>
> Maybe there's some setting you have enabled that's causing your
> jenkins to require admin to access plugin info?
Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions
- [ snippet ]
> The behavior changed between 1.651.1 and 1.652.2.
>
> Specifically this was a security fix that came in with 1.652.2. See the
> security fixes [0] that came with the release notes. Search for
> SECURITY-250 or CVE-2016-3723.
>
> -Andy-
>
> [0] https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Hmm. I just tested with Jenkins ver 1.653 and was still able to access plugin info using REST api as an anonymous user.
I enabled security with following settings:
* jenkins own db
* logged-in user can do anything
* prevent cross site request

While not logged in I can get plugin info using '/pluginManager/api/json?depth=1'

Maybe there's some setting you have enabled that's causing your jenkins to require admin to access plugin info?
Re: [OpenStack-Infra] Fun (important!) project: optimize Gerrit's nova git repo
On 2016-06-14 11:26:32 +0200 (+0200), Antoine Musso wrote:
[...]
> On the non-gc repo you can get useful statistics regarding objects by using:
> git count-objects -vH
>
> count: 37
> size: 1.56 MiB
> in-pack: 707396
> packs: 5
> size-pack: 276.97 MiB
> prune-packable: 14
> garbage: 1
> size-garbage: 2.81 MiB
>
> From the man page:
>
> 37 loose objects consuming 1.56MiB of disk.
> 707396 objects in pack files which is a 276.97 MiB
> 14 loose objects are in pack file and can be reclaimed: git prune-packed
> 1 neither valid loose or valid pack taking 2.81 MiB
[...]

Current state of the openstack/nova repo on Gerrit:

count: 5086291
size: 36.91 GiB
in-pack: 1350559
packs: 163
size-pack: 431.08 MiB
prune-packable: 344
garbage: 0
size-garbage: 0 bytes

--
Jeremy Stanley
[OpenStack-Infra] Barcelona summit talk ideas
Greetings,

I wanted to start another etherpad[1] for collaboration on summit talk ideas related to openstack-infra. I think it worked well for Austin and see no reason not to do it again. I've already outlined a few ideas of what interests me (and hopefully others), please take a moment to review and add your own ideas.

We have until July 13 to submit talks[2]:

JULY 13, 2016 AT 11:59PM PDT (JULY 14 6:59 UTC) IS THE DEADLINE TO SUBMIT A TALK.

[1] https://etherpad.openstack.org/p/barcelona-upstream-openstack-infa
[2] https://www.openstack.org/summit-login/login
Re: [OpenStack-Infra] Fun (important!) project: optimize Gerrit's nova git repo
On 13/06/16 18:29, Zaro wrote:
> `git gc` enables prune by default [1]. Running `git gc` cleans up the objects (6.4G -> 380M) and moves the refs to packed-refs file (382M -> 6M). I see the exact same result whether I run with C git or jgit.
>
> Original files:
>
> ~/temp/nova.git.test$ du -hsx * | sort -r | head -10
> 6.4G nova.git.orig/objects
> 6.1M nova.git.orig/info
> 4.0K nova.git.orig/config
> 4.0K nova.git.orig/HEAD
> 382M nova.git.orig/refs
> 2.1M nova.git.orig/logs
> 0B nova.git.orig/hooks
> 0B nova.git.orig/description
> 0B nova.git.orig/branches

Hello,

On the non-gc repo you can get useful statistics regarding objects by using:

git count-objects -vH

count: 37
size: 1.56 MiB
in-pack: 707396
packs: 5
size-pack: 276.97 MiB
prune-packable: 14
garbage: 1
size-garbage: 2.81 MiB

From the man page:

37 loose objects consuming 1.56MiB of disk.
707396 objects in pack files which is a 276.97 MiB
14 loose objects are in pack file and can be reclaimed: git prune-packed
1 neither valid loose or valid pack taking 2.81 MiB

Also Gerrit tends to leak references under refs/cache-automerge which might pile up and cause no longer needed objects to still be referenced. I am not sure what they are for.

--
Antoine Musso
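To make the `git count-objects -vH` figures Antoine and Jeremy exchange above actionable, here is an added example (not code from the thread or from Gerrit) that parses that output, normalises the sizes to bytes and maps the counters onto the maintenance steps the man page excerpt names; the `max_loose` and `max_packs` thresholds are assumptions chosen for illustration, and the sample input is constructed from the numbers Jeremy posted.

```python
"""Parse `git count-objects -vH` output and say which maintenance the
numbers call for. Added example, not from the thread or from Gerrit; the
thresholds are assumptions picked for illustration.
"""
import re

_UNITS = {"bytes": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
_SIZE = re.compile(r"^([\d.]+)\s*(bytes|KiB|MiB|GiB)$")


def parse_count_objects(text):
    """Return {key: int} with every size field normalised to bytes."""
    stats = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # skip stray lines such as a shell prompt
        key, value = key.strip(), value.strip()
        m = _SIZE.match(value)
        if m:
            stats[key] = int(float(m.group(1)) * _UNITS[m.group(2)])
        else:
            stats[key] = int(value)
    return stats


PRUNE_PACKED = "git prune-packed"
GC = "git gc"
GARBAGE = "remove garbage files (git count-objects -v warns about each)"


def maintenance_advice(stats, max_loose=10000, max_packs=50):
    """Order matters: reclaim already-packed loose objects first, then gc."""
    advice = []
    if stats.get("prune-packable", 0):
        advice.append(PRUNE_PACKED)
    if stats.get("garbage", 0):
        advice.append(GARBAGE)
    if stats.get("count", 0) > max_loose or stats.get("packs", 0) > max_packs:
        advice.append(GC)
    return advice


# Constructed from the figures Jeremy posted for openstack/nova on Gerrit.
NOVA_ON_GERRIT = """\
count: 5086291
size: 36.91 GiB
in-pack: 1350559
packs: 163
size-pack: 431.08 MiB
prune-packable: 344
garbage: 0
size-garbage: 0 bytes
"""
```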