[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord assigned an issue to Unassigned Jenkins / JENKINS-50249 disable "build by token" by default using a system property in Jenkins Change By: James Nord Assignee: James Nord Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord stopped work on JENKINS-50249 Change By: James Nord Status: In Progress Open Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick updated an issue Jenkins / JENKINS-50249 disable "build by token" by default using a system property in Jenkins I think BuildAuthorizationToken itself could be split out into the build-token-root plugin, with a PluginServletFilter for URL compatibility. Change By: Jesse Glick Labels: split-plugins-from-core Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins To be clear, I have no problem with moving the token functionality to the build-token-root plugin except for the fact that existing installations making requests to job/stuff/build?token=s3cr3t would be suddenly broken. Now we could try to make the migration easier in various ways: continue to detect the token query parameter, and return an error response whose text mentions the plugin delay the move for a while, in the meantime printing a warning to the system log when a token build is initiated make the token field read-only for jobs already using it, and hidden for new jobs Disabling via a system property does not seem like a good approach. This is just adding one more underdocumented runtime flag. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins introduce a couple of new endpoints That does not solve anything as you are still breaking existing usage. If you are going to force people to update scripts, you might as well have them use the build-token-root URL patterns. there is no point in using this when you have authorised users As previously noted, that is not true. for core the behaviour would be (if the property was not set) use the projects ACL rather than check the BuildToken, it the property was set then it would behave as of today That is already the behavior of core. If there is no token, Item.BUILD is checked (and only POST requests or GET requests with API token are allowed, as a CSRF defense). Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit http
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord edited a comment on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins [~jglick] I am suggesting completely disabling {{ [ https://github.com/jenkinsci/ command-launcher-plugin jenkins /blob/master/ core/ src/main/java/ hudson jenkins / slaves model / CommandLauncher ParameterizedJobMixIn .java# L81}} L208] (replacing with an ACL check) , but that there is no point in using this when you have authorised users - so the only use case is really using the {{build-token-root}} plugin (where you want an anonymous user to be able to trigger the build but not see it) Thus for core the behaviour would be (if the property was not set) use the projects {{ACL}} rather than check the BuildToken, it the property was set then it would behave as of today.Now we could probably completely yank it out of core and move it to a lib and introduce a couple of new endooints {{job/buildWithToken}} {{job/buildWIthTokenAndParmaters}} {{job/pollingWithToken}} but I still do not see the use of this token unless you have anonymous read access, or you share a global read only user around. (and in that case I am left wondering if the build-token-root plugin would be better extended to require an list of authorised users (including anonymous) and then there is questionable need for any of this to be in core at all. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubsc
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins the only use case is really using the build-token-root plugin No, that plugin is needed only when you deny even read access to anonymous users. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins Jesse Glick I am suggesting completely disabling https://github.com/jenkinsci/command-launcher-plugin/blob/master/src/main/java/hudson/slaves/CommandLauncher.java#L81, but that there is no point in using this when you have authorised users - so the only use case is really using the build-token-root plugin (where you want an anonymous user to be able to trigger the build but not see it) Thus for core the behaviour would be (if the property was not set) use the projects ACL rather than check the BuildToken, it the property was set then it would behave as of today. Now we could probably completely yank it out of core and move it to a lib and introduce a couple of new endooints job/buildWithToken job/buildWIthTokenAndParmaters job/pollingWithToken but I still do not see the use of this token unless you have anonymous read access, or you share a global read only user around. (and in that case I am left wondering if the build-token-root plugin would be better extended to require an list of authorised users (including anonymous) and then there is questionable need for any of this to be in core at all. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins See JENKINS-38257 for example. Unless and until a general system of limited-scope revokable tokens is added to Jenkins, BuildAuthorizationToken is an irreplaceable feature. I do not think it should have been deprecated in code to begin with, since disabling the user feature would lead to a critical loss of functionality. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title Jesse Glick commented on JENKINS-50249 Re: disable "build by token" by default using a system property in Jenkins if special anonymous access to trigger a build is required a new plugin should be introduced It already exists: build-token-root The backend code was marked as deprecated Yet there is no satisfactory replacement. Saving your personal API token in a post-commit hook allows anyone on the team who can view SCM settings to impersonate you in Jenkins, which is undesirable. Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord assigned an issue to James Nord Jenkins / JENKINS-50249 disable "build by token" by default using a system property in Jenkins Change By: James Nord Assignee: James Nord Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord started work on JENKINS-50249 Change By: James Nord Status: Open In Progress Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50249) disable "build by token" by default using a system property in Jenkins
Title: Message Title James Nord moved an issue Jenkins / JENKINS-50249 disable "build by token" by default using a system property in Jenkins Change By: James Nord Project: Security Issues Jenkins Key: SECURITY JENKINS - 781 50249 Workflow: Security v1.2 JNJira + In-Review Status: Untriaged Open Component/s: core Component/s: core Add Comment This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)