Skip to content

[JENKINS-72042] Add permission to manage config files #395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mawinter69 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

[JENKINS-72042] Add permission to manage config files #395

mawinter69 wants to merge 2 commits into from

Conversation

@mawinter69
Copy link
Contributor

@mawinter69 mawinter69 commented Aug 18, 2025

Also JENKINS-63430

Add 2 permissions, one to manage global files and one to manage files on folder level

With the permission to manage global files but no Manage Permissions, a root action is added so one can access the configfiles url easily.

Questions:

Should the permission maybe not be enabled by default but only after setting a system property at startup?

Testing done

Integrated tests are fine

Also checked locally with a user granting the permissions that the links appear and config files can be edited.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

@mawinter69
[JENKINS-72042] Add permission to manage config files
70fa17e 
Add 2 permissions, one to manage global files and one to manage files on
folder level
@mawinter69 mawinter69 requested a review from a team as a code owner August 18, 2025 00:10
mawinter69
mawinter69 commented Aug 18, 2025
View reviewed changes
src/main/java/org/jenkinsci/plugins/configfiles/maven/security/ServerCredentialMapping.java

// If we're on the global page and we don't have Overall/Manage permission or if we're in a project or folder
// and we don't have permission to use credentials and extended read in the item
if (permsToCheck.stream().anyMatch( per -> !contextToCheck.hasPermission(per))) {
Copy link
Contributor Author

@mawinter69 mawinter69 Aug 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That way of checking the permissions looked wrong. It basically meant that for folders only with extended_read and use_item the credentials get filled. This is also different from

config-file-provider-plugin/src/main/java/org/jenkinsci/plugins/configfiles/custom/security/CustomizedCredentialMapping.java

Line 97 in 6b4fd13

if (!item.hasPermission(Item.EXTENDED_READ)
where only one of the permissions is needed.
Also use_item is a permission that is disabled by default.

@tomas-bezdek-jpmc
Copy link

tomas-bezdek-jpmc commented Aug 19, 2025

@mawinter69 I was just talking to my team few days ago about separate permissions for managed files, what a coincidence :) If it's not too much to ask, would you be open to add a set of permissions for read-only access?

@mawinter69
Copy link
Contributor Author

mawinter69 commented Aug 19, 2025

You mean something so you can read the files without SYSTEM_READ on global level or EXTENDED_READ on folder level? See also https://issues.jenkins.io/browse/JENKINS-76000 and https://issues.jenkins.io/browse/JENKINS-76001

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mawinter69 @tomas-bezdek-jpmc @alecharp