RBAC & Folders: User is missing the Job-Create permission

Article ID:231184347

Issue

  • When certain users (non-admins) try to create a new item within a certain folder, a "UserX is missing the Job/Create permission" error message appears even though they have that permission granted via an RBAC group.

Environment

  • CloudBees Jenkins Enterprise (CJE)

  • CloudBees Jenkins Operations Center (CJOC)

  • RBAC plugin

  • CloudBees Folders Plugin

Resolution

This issue is directly related to JENKINS-33759. The fix involved not only the CloudBees Folders Plugin (available since 5.6) but also Jenkins Core (available since 2.x).

  • If CJE/CJOC < 2.x but CloudBees Folders Plugin >= 5.6: Upgrade CJE/CJOC > 2.x

  • If CJE/CJOC >= 2.x but CloudBees Folders Plugin < 5.6: Upgrade CloudBees Folders Plugin > 5.x
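
The two conditions above can be checked on a running instance from the Jenkins Script Console. This is an added example, not code from CloudBees or from the original article. It assumes the CloudBees Folders Plugin is installed under the short name `cloudbees-folder` and reads "2.x" as "2.0 or later".

```groovy
// Added example: run in Manage Jenkins > Script Console.
import jenkins.model.Jenkins
import hudson.util.VersionNumber

// Thresholds taken from this article.
// Assumption: "2.x" is interpreted as 2.0 or later.
def minCore   = new VersionNumber("2.0")
def minFolder = new VersionNumber("5.6")

// Assumption: short name of the CloudBees Folders Plugin.
def folderPluginId = "cloudbees-folder"

def core   = Jenkins.getVersion()   // null when the core version cannot be parsed
def plugin = Jenkins.getInstance().getPluginManager().getPlugin(folderPluginId)

def findings = []

if (core == null) {
    findings << "Core version could not be determined; check it manually."
} else if (core.isOlderThan(minCore)) {
    findings << "Core ${core} is older than ${minCore}: upgrade CJE/CJOC."
}

if (plugin == null) {
    findings << "Plugin '${folderPluginId}' is not installed."
} else if (plugin.getVersionNumber().isOlderThan(minFolder)) {
    findings << "Folders plugin ${plugin.getVersionNumber()} is older than ${minFolder}: upgrade the plugin."
}

if (findings.isEmpty()) {
    println "Core ${core} and folders plugin ${plugin.getVersionNumber()} both include the fix."
} else {
    findings.each { println it }
}
```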

For upgrading to Jenkins 2.x please review:

Example/Scenario

Description:

  • A CJE instance: Jenkins ver. 1.651.3.1 (CloudBees Jenkins Enterprise 16.06)

  • CloudBees Folders Plugin 5.11

  • RBAC-Folder structure

Jenkins  // Root node
  Administrators // Group at root level
    Roles:
      administer (and children)
    Members:
      admin <admin> (User : nectar.plugins.rbac.assignees.UserAssignee)
  Browsers // Group at root level
    Roles:
      browse (and children)
    Members:
      developer1 <developer1> (User : nectar.plugins.rbac.assignees.UserAssignee)
Jenkins/Folder_TEST // Folder node
  Test  // Group at folder level
    Roles:
      develop (pinned)
    Members:
      developer1 <developer1> (User : nectar.plugins.rbac.assignees.UserAssignee)

After logging in as "developer1", we move to "Folder_TEST" and try to create a new item. As a result, the following error appears in the GUI:

[Screenshot: error-new-item]

The log, meanwhile, shows:

INFO: While serving https://jenkins-example.com/checkJobName: hudson.security.AccessDeniedException2: developer1 is missing the Job/Create permission

Resolution:

CloudBees Folders Plugin 5.11 is >= 5.6, so it is fine. However, CJE needs to be updated from 1.651.3.1 to any version >= 2.7.19.x.

Having done that, the error message is gone:

[Screenshot: error-new-item-gone]
