Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

2016-06-14 Thread Zaro
Thanks for the clarification Andrew.  I almost thought you guys knew
something that upstream Jenkins didn't ; )  I am able to repro with
ver 1.651.2.  I agree with Thanh, the correct fix is to add a new ACL
to the Jenkins security plugin to allow retrieving plugin info.  I've
reviewed Thanh's workaround and it seems ok to me.  The other possible
workaround you might consider is to create a user with 'Read' and
'RunScripts' access which would allow running a groovy script [1] to
get the plugin info.

[1] https://python-jenkins.readthedocs.io/en/latest/api.html#jenkins.Jenkins.run_script


On Tue, Jun 14, 2016 at 12:44 PM, Andrew Grimberg
 wrote:
> On 06/14/2016 12:18 PM, Zaro wrote:
>> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
>>
>>
>> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>>  wrote:
>>> The 1.652.x series is an LTS release, so fixes were backported to it that
>>> are not in subsequent dev releases.
>>>
>>> Darragh Bailey
>>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>>
>>> On 14 Jun 2016 20:02, "Zaro"  wrote:

>>>> - [ snippet ]
>>>>>
>>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>>
>>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>>> security fixes [0] that came with the release notes. Search for
>>>>> SECURITY-250 or CVE-2016-3723.
>>>>>
>>>>> -Andy-
>>>>>
>>>>> [0]
>>>>>
>>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>>
>>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>>> access plugin info using the REST API as an anonymous user.
>>>> I enabled security with the following settings:
>>>>  * jenkins own db
>>>>  * logged-in user can do anything
>>>>  * prevent cross site request
>>>>
>>>> While not logged in I can get plugin info using
>>>> '/pluginManager/api/json?depth=1'
>>>>
>>>> Maybe there's some setting you have enabled that's causing your
>>>> jenkins to require admin to access plugin info?
>
> LTS is 1.651.x. My missive about the change being between 1.651.1 and
> 1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
> lockdown occurred.
>
> As for what we have enabled in the security system: we use the matrix
> security setup.
>
> Our JJB user is granted rights inside the job category. To be specific:
>
> Job: Configure, Create, Delete, Discover, Read, Workspace
> Overall: Read
>
> There is no configuration option for listing the plugins. You only get
> access to it if you have Overall: Administer with the changes that came
> in with 1.651.2 unless there's a permission knob under the covers we
> haven't managed to figure out yet.
>
> -Andy-
>
> --
> Andrew J Grimberg
> Systems Administrator
> Release Engineering Team Lead
> The Linux Foundation
>

___
OpenStack-Infra mailing list
OpenStack-Infra@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra


Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

2016-06-14 Thread Andrew Grimberg
On 06/14/2016 12:18 PM, Zaro wrote:
> ahh, jenkins.io page confused me since it says latest LTS is 1.651.3
> 
> 
> On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
>  wrote:
>> The 1.652.x series is an LTS release, so fixes were backported to it that
>> are not in subsequent dev releases.
>>
>> Darragh Bailey
>> "Nothing is foolproof to a sufficiently talented fool" - unknown
>>
>> On 14 Jun 2016 20:02, "Zaro"  wrote:
>>>
>>> - [ snippet ] 

>>>> The behavior changed between 1.651.1 and 1.652.2.
>>>>
>>>> Specifically this was a security fix that came in with 1.652.2. See the
>>>> security fixes [0] that came with the release notes. Search for
>>>> SECURITY-250 or CVE-2016-3723.
>>>>
>>>> -Andy-
>>>>
>>>> [0]
>>>>
>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>>
>>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>>> access plugin info using the REST API as an anonymous user.
>>> I enabled security with the following settings:
>>>  * jenkins own db
>>>  * logged-in user can do anything
>>>  * prevent cross site request
>>>
>>> While not logged in I can get plugin info using
>>> '/pluginManager/api/json?depth=1'
>>>
>>> Maybe there's some setting you have enabled that's causing your
>>> jenkins to require admin to access plugin info?

LTS is 1.651.x. My missive about the change being between 1.651.1 and
1.652.2 is incorrect. It's between 1.651.1 and 1.651.2 that the security
lockdown occurred.

As for what we have enabled in the security system: we use the matrix
security setup.

Our JJB user is granted rights inside the job category. To be specific:

Job: Configure, Create, Delete, Discover, Read, Workspace
Overall: Read

There is no configuration option for listing the plugins. You only get
access to it if you have Overall: Administer with the changes that came
in with 1.651.2 unless there's a permission knob under the covers we
haven't managed to figure out yet.

-Andy-

-- 
Andrew J Grimberg
Systems Administrator
Release Engineering Team Lead
The Linux Foundation





Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

2016-06-14 Thread Zaro
ahh, jenkins.io page confused me since it says latest LTS is 1.651.3


On Tue, Jun 14, 2016 at 12:13 PM, Darragh Bailey
 wrote:
> The 1.652.x series is an LTS release, so fixes were backported to it that
> are not in subsequent dev releases.
>
> Darragh Bailey
> "Nothing is foolproof to a sufficiently talented fool" - unknown
>
> On 14 Jun 2016 20:02, "Zaro"  wrote:
>>
>> - [ snippet ] 
>> >
>> > The behavior changed between 1.651.1 and 1.652.2.
>> >
>> > Specifically this was a security fix that came in with 1.652.2. See the
>> > security fixes [0] that came with the release notes. Search for
>> > SECURITY-250 or CVE-2016-3723.
>> >
>> > -Andy-
>> >
>> > [0]
>> >
>> > https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>>
>> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
>> access plugin info using the REST API as an anonymous user.
>> I enabled security with the following settings:
>>  * jenkins own db
>>  * logged-in user can do anything
>>  * prevent cross site request
>>
>> While not logged in I can get plugin info using
>> '/pluginManager/api/json?depth=1'
>>
>> Maybe there's some setting you have enabled that's causing your
>> jenkins to require admin to access plugin info?



Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

2016-06-14 Thread Darragh Bailey
The 1.652.x series is an LTS release, so fixes were backported to it that
are not in subsequent dev releases.

Darragh Bailey
"Nothing is foolproof to a sufficiently talented fool" - unknown
On 14 Jun 2016 20:02, "Zaro"  wrote:

> - [ snippet ] 
> >
> > The behavior changed between 1.651.1 and 1.652.2.
> >
> > Specifically this was a security fix that came in with 1.652.2. See the
> > security fixes [0] that came with the release notes. Search for
> > SECURITY-250 or CVE-2016-3723.
> >
> > -Andy-
> >
> > [0]
> >
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11
>
> Hmm.  I just tested with Jenkins ver 1.653 and was still able to
> access plugin info using the REST API as an anonymous user.
> I enabled security with the following settings:
>  * jenkins own db
>  * logged-in user can do anything
>  * prevent cross site request
>
> While not logged in I can get plugin info using
> '/pluginManager/api/json?depth=1'
>
> Maybe there's some setting you have enabled that's causing your
> jenkins to require admin to access plugin info?
>


Re: [OpenStack-Infra] JJB's use of inspect plugin info requires administrator permissions

2016-06-14 Thread Zaro
- [ snippet ] 
>
> The behavior changed between 1.651.1 and 1.652.2.
>
> Specifically this was a security fix that came in with 1.652.2. See the
> security fixes [0] that came with the release notes. Search for
> SECURITY-250 or CVE-2016-3723.
>
> -Andy-
>
> [0]
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Hmm.  I just tested with Jenkins ver 1.653 and was still able to
access plugin info using the REST API as an anonymous user.
I enabled security with the following settings:
 * jenkins own db
 * logged-in user can do anything
 * prevent cross site request

While not logged in I can get plugin info using
'/pluginManager/api/json?depth=1'

Maybe there's some setting you have enabled that's causing your
jenkins to require admin to access plugin info?



Re: [OpenStack-Infra] Fun (important!) project: optimize Gerrit's nova git repo

2016-06-14 Thread Jeremy Stanley
On 2016-06-14 11:26:32 +0200 (+0200), Antoine Musso wrote:
[...]
> On the non-gc repo you can get useful statistics regarding objects by using:
> git count-objects -vH
> 
> count: 37
> size: 1.56 MiB
> in-pack: 707396
> packs: 5
> size-pack: 276.97 MiB
> prune-packable: 14
> garbage: 1
> size-garbage: 2.81 MiB
> 
> From the man page:
> 
> 37 loose objects consuming 1.56 MiB of disk.
> 707396 objects in pack files, which take 276.97 MiB.
> 14 loose objects are already in a pack file and can be reclaimed with git prune-packed.
> 1 file that is neither a valid loose object nor a valid pack, taking 2.81 MiB.
[...]

Current state of the openstack/nova repo on Gerrit:

count: 5086291
size: 36.91 GiB
in-pack: 1350559
packs: 163
size-pack: 431.08 MiB
prune-packable: 344
garbage: 0
size-garbage: 0 bytes

-- 
Jeremy Stanley



[OpenStack-Infra] Barcelona summit talk ideas

2016-06-14 Thread Paul Belanger
Greetings,

I wanted to start another etherpad[1] for collaboration on summit talk ideas
related to openstack-infra. I think it worked well for Austin and see no reason
not to do it again.

I've already outlined a few ideas of what interests me (and hopefully others),
please take a moment to review and add your own ideas.

We have until July 13 to submit talks[2]:

 JULY 13, 2016 AT 11:59PM PDT (JULY 14 6:59 UTC) IS THE DEADLINE TO SUBMIT A
 TALK.

[1] https://etherpad.openstack.org/p/barcelona-upstream-openstack-infa
[2] https://www.openstack.org/summit-login/login



Re: [OpenStack-Infra] Fun (important!) project: optimize Gerrit's nova git repo

2016-06-14 Thread Antoine Musso

On 13/06/16 18:29, Zaro wrote:

> `git gc` enables prune by default [1]. Running `git gc` cleans up the
> objects (6.4G -> 380M) and moves the refs to packed-refs file (382M ->
> 6M). I see the exact same result whether I run with C git or jgit.
>
> Original files:
>   ~/temp/nova.git.test$ du -hsx * | sort -r | head -10
>   6.4G nova.git.orig/objects
>   6.1M nova.git.orig/info
>   4.0K nova.git.orig/config
>   4.0K nova.git.orig/HEAD
>   382M nova.git.orig/refs
>   2.1M nova.git.orig/logs
>   0B nova.git.orig/hooks
>   0B nova.git.orig/description
>   0B nova.git.orig/branches


Hello,

On the non-gc repo you can get useful statistics regarding objects by 
using: git count-objects -vH


count: 37
size: 1.56 MiB
in-pack: 707396
packs: 5
size-pack: 276.97 MiB
prune-packable: 14
garbage: 1
size-garbage: 2.81 MiB

From the man page:

37 loose objects consuming 1.56 MiB of disk.
707396 objects in pack files, which take 276.97 MiB.
14 loose objects are already in a pack file and can be reclaimed with git prune-packed.
1 file that is neither a valid loose object nor a valid pack, taking 2.81 MiB.


Also Gerrit tends to leak references under refs/cache-automerge which
might pile up and cause no-longer-needed objects to still be referenced.
I am not sure what they are for.


--
Antoine Musso

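An added example, not from the thread and not git's own tooling: a parser for the `git count-objects -vH` output Antoine explains and Jeremy posts for openstack/nova, applying the man-page reading from the thread to say which cleanup applies. The gc.auto value of 6700 is git's documented default, assumed here rather than taken from the thread, and the embedded sample is a constructed copy of the nova numbers.

```python
import re

# Constructed copy of the `git count-objects -vH` output for openstack/nova
# as posted in the thread (same values, embedded here as test input).
NOVA_COUNT_OBJECTS = """\
count: 5086291
size: 36.91 GiB
in-pack: 1350559
packs: 163
size-pack: 431.08 MiB
prune-packable: 344
garbage: 0
size-garbage: 0 bytes
"""

UNITS = {"bytes": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
# git's documented default for gc.auto (assumed here, not from the thread):
# above this many loose objects git would trigger gc on its own.
GC_AUTO = 6700

def parse_count_objects(text):
    """Map each `key: value` line to an int, with -H sizes turned into bytes."""
    stats = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        m = re.fullmatch(r"([\d.]+)\s+(bytes|KiB|MiB|GiB)", value.strip())
        stats[key.strip()] = (int(float(m.group(1)) * UNITS[m.group(2)])
                              if m else int(value))
    return stats

def advise(stats):
    """Apply the man-page reading quoted in the thread and name the cleanup."""
    advice = []
    if stats["count"] > GC_AUTO:
        advice.append(f"{stats['count']} loose objects using "
                      f"{stats['size'] / 1024 ** 2:.0f} MiB: run git gc")
    if stats["prune-packable"]:
        advice.append(f"{stats['prune-packable']} loose objects already in a "
                      "pack: run git prune-packed")
    if stats["garbage"]:
        advice.append(f"{stats['garbage']} files neither loose object nor pack "
                      f"({stats['size-garbage']} bytes): inspect objects/")
    return advice

if __name__ == "__main__":
    for line in advise(parse_count_objects(NOVA_COUNT_OBJECTS)):
        print(line)
```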