RBAC & Folders: User is missing the Job-Create permission

Issue

  • When certain users (none admins) try to create a new item within a certain folder a “UserX is missing the Job/Create permission” error message appears even if they have that permission granted via a RBAC group.

Environment

  • CloudBees Jenkins Enterprise (CJE)
  • CloudBees Jenkins Operations Center (CJOC)
  • RBAC plugin
  • CloudBees Folders Plugin

Resolution

This issue is directly related to JENKINS-33759, the fix did not only involved the CloudBees Folders Plugin (available since 5.6) but also the core Jenkins Core (available since 2.x)

  • If CJE/CJOC < 2.x but CloudBees Folders Plugin >= 5.6: Upgrade CJE/CJOC > 2.x
  • If CJE/CJOC => 2.x but CloudBees Folders Plugin < 5.6: Upgrade CloudBees Folders Plugin > 5.x

For upgrading to Jenkins 2.x please review:

Example/Scenario

Description:

  • A CJE instance: Jenkins ver. 1.651.3.1 (CloudBees Jenkins Enterprise 16.06)
  • CloudBees Folders Plugin 5.11
  • RBAC-Folder structure
Jenkins  // Root node
  Administrators // Group at root level
    Roles:
      administer (and children)
    Members:
      admin <admin> (User : nectar.plugins.rbac.assignees.UserAssignee)
  Browsers // Group at root level
    Roles:
      browse (and children)
    Members:
      developer1 <developer1> (User : nectar.plugins.rbac.assignees.UserAssignee)
Jenkins/Folder_TEST // Folder node
  Test  // Group at folder level
    Roles:
      develop (pinned)
    Members:
      developer1 <developer1> (User : nectar.plugins.rbac.assignees.UserAssignee)

After logging with “developer1”, we move to “Folder_TEST” and try to create a new item. As a result, the following error appears on teh GUI:

error-new-item

On the other hand, log shows:

INFO: While serving http://jenkins-example.com/checkJobName: hudson.security.AccessDeniedException2: developer1 is missing the Job/Create permission

Resolution:

CloudBees Folders Plugin 5.11 is >= 5.6 so it is fine. However CJE needs to be updated from 1.651.3.1 to any version >= 2.7.19.x

Having done that, the error message is gone:

error-new-item-gone

References:

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.