JENKINS-61206 - Support System Read / Extended read permissions for agent configurations

[timja]

See JENKINS-61206.

Adds system read / extended read support for agents / clouds.

The rule I applied was anything that was previously checking for administer for viewing is now system read, anything checking for connect or configure is Agent/ExtendedRead

Manual testing notes

When using the core-pr-tester (docker run --rm -ti -p 8080:8080 -e ID=4531 jenkins/core-pr-tester), you can use script console to enable the permissions:

Jenkins.SYSTEM_READ.enabled = true
Computer.EXTENDED_READ.enabled = true

Proposed changelog entries

• Entry 1: JENKINS-61206, Add system read support for 'Node Monitoring Configuration' and configuring clouds
• Entry 2: JENKINS-61206, Add Agent/ExtendedRead support for viewing agent configuration, system information and logs
• Entry 3: JENKINS-61206, Add support for the permissions attribute to task.jelly
• Entry 4: JENKINS-61206, Add hasAnyPermissions API to Functions to allow it to be called by views
• ...

Proposed upgrade guidelines

N/A

Submitter checklist

• JIRA issue is well described
• Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developer, depending on the change). Examples
  • Fill-in the Proposed changelog entries section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
• Appropriate autotests or explanation to why this change has no tests
• For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least 2 approvals for the pull request and no outstanding requests for change
• Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
• Changelog entries in the PR title and/or Proposed changelog entries are correct
• Proper changelog labels are set so that the changelog can be generated automatically
• If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
• If it would make sense to backport the change to LTS, a JIRA issue should exist and be labeled as lts-candidate

[daniel-beck]

Just throw in that case? The assumption that object is an ancestor isn't necessarily true. For example, in upstream cause related UI, you would show information about another job / build.

[timja]

It’s consistent with hasPermission and wasn’t working without this for the l:task it was just silently doing nothing

[daniel-beck]

f:password has specific support to hide the password when it's shown in the context of an Item. This implemented a security fix (users without Configure/with Extended Read could see plain text or encrypted passwords on the config form).

jenkins/core/src/main/java/hudson/Functions.java

Lines 2019 to 2024 in ed80d24

	if (req != null) {
	Item item = req.findAncestorObject(Item.class);
	if (item != null && !item.hasPermission(Item.CONFIGURE)) {
	return "********";
	}
	}

While this is now pretty irrelevant for "read only" forms, it's not inconceivable that other views are added by a plugin that are available to users with Computer/ExtendedRead but are not marked read-only.

So I would like to see that method amended to mask f:password when neither Computer/Configure permission is granted, nor readOnlyMode set.

[timja]

f:password has specific support to hide the password when it's shown in the context of an Item. This implemented a security fix (users without Configure/with Extended Read could see plain text or encrypted passwords on the config form).

jenkins/core/src/main/java/hudson/Functions.java

Lines 2019 to 2024 in ed80d24

	if (req != null) {
	Item item = req.findAncestorObject(Item.class);
	if (item != null && !item.hasPermission(Item.CONFIGURE)) {
	return "********";
	}
	}

While this is now pretty irrelevant for "read only" forms, it's not inconceivable that other views are added by a plugin that are available to users with Computer/ExtendedRead but are not marked read-only.

So I would like to see that method amended to mask f:password when neither Computer/Configure permission is granted, nor readOnlyMode set.

The only usages of Computer.EXTENDED_READ are currently in jenkins core, this feature has never been documented, and it not enabled by the extended read permission plugin, I will fix that as part of this work.

I see it as pretty inconceivable really.

Do you still think it's worth doing that?

[daniel-beck]

@timja I do, any plugin adding support for Computer/Extended Read without also ensuring their custom form is readOnlyMode would enable this problem.

To clarify, it is not currently a problem for the reasons you mention, but may become one with this PR.

[timja]

Hmm k, will take a look

[timja]

@timja I do, any plugin adding support for Computer/Extended Read without also ensuring their custom form is readOnlyMode would enable this problem.

To clarify, it is not currently a problem for the reasons you mention, but may become one with this PR.

Pushed, will look at a test later on, I've manually tested it

[timja]

@timja I do, any plugin adding support for Computer/Extended Read without also ensuring their custom form is readOnlyMode would enable this problem.

To clarify, it is not currently a problem for the reasons you mention, but may become one with this PR.

For testing, any suggestion on how to add a form with a Computer in it's ancestor but not in what's already got readOnlyMode as part of this PR?

I tested it by commenting out the readOnlyMode and adding a secret field to JNLPLauncher

[daniel-beck]

For testing, any suggestion on how to add a form with a Computer in it's ancestor but not in what's already got readOnlyMode as part of this PR?

@timja Attach an Action to the Computer (or Slave I never remember which) with a view that has an f:password.

[timja]

For testing, any suggestion on how to add a form with a Computer in it's ancestor but not in what's already got readOnlyMode as part of this PR?

@timja Attach an Action to the Computer (or Slave I never remember which) with a view that has an f:password.

resolved in 393ad7f

[daniel-beck]

Looks like the same mistake that made all job configurations read-only?

Suggested change

	<j:when test="${app.hasPermission(it.CONFIGURE)}">
	<j:when test="${it.hasPermission(it.CONFIGURE)}">

[timja]

seems to work though, =/

[timja]

I've committed it but both seem to work in this case from what I can see

[daniel-beck]

Don't grant the permission globally, use project-specific matrix auth and grant it on the specific agent only.

[timja]

Hmm ? That’s what’s there now isn’t it?

[timja]

Ah you mean when I was testing before sure

[amuniz]

I've created #4724 which will generate some merge conflicts with this. I'm happy to resolve conflicts there is this is merged first (or help to resolve conflicts here if needed).

[timja]

@daniel-beck would you be able to take another look please?

[daniel-beck]

Didn't fit as a line comment, so mentioning it here: It would be good if users with Overall/SystemRead were able to see the global cloud configuration that now only says

The cloud configuration has moved to a separate configuration page.

---

I see nothing wrong with this PR, even in manual testing. Thanks for adding proper Computer/ExtendedRead support.

[timja]

Anyone else want to take a look at this?

[daniel-beck]

Re-:+1:

[daniel-beck]

Re-:+1: assuming latest changes were manually tested.

[oleg-nenashev]

@oleg-nenashev to retest it

[oleg-nenashev]

Yesterday I spent some time to verify the PR, and it looks good to me. On my test instance the forms worked pretty well with Extended Read. I am +1 for merging and early release so that we could do crowd testing during the hackfest.

Cc @jenkinsci/core , is everybody fine with release on Monday with this fix?