Re: [cross-project-issues-dev] [HIPP] Visibility of Hudson configuration for anonymous users

> Anonymous users can see the console log which prints in order everything that's run although I guess does require more parsing on the reader's part to figure out the job full setup.

Yes, it is always possible but as you say it is really a burden to do that.

> 
> I do like the idea of allowing people to see how a job was set up but I do have a concern related to security. The extended read plugin seems to allow users to see the entire configuration page of a job without hiding any settings and I think at least 1 configuration setting might be open to abuse and that is the "Trigger builds remotely" build trigger which would allow anonymous users to see the authentication token, and potentially trigger jobs that use this type of trigger without the project's permission.

Thank you for sharing this. You're right that this may leak the authentication token. Is the remote triggering widely used by the Eclipse projects?

> 
> I just double checked the shared instance and we actually do NOT enable extended read for anonymous users. It's actually only enabled for all Eclipse committers. I'd be more comfortable enabling the same for HIPP by default if this was the case.

This may be a good start to have the same configuration as for the shared instance. Still, I reckon that making the configuration page available to anybody may help the community! I don't have ideas about how to do that in a secure way, so any idea is welcome :)

Mikael

> 
> 
> Thanh
> 
> On 09/01/14 04:32 AM, Henrik Rentz-Reichert wrote:
>> same for eTrice HIPP (https://hudson.eclipse.org/etrice/)
>> 
>> +1
>> 
>> Henrik
>> 
>> Quoting "Wenz, Michael" <michael.wenz@xxxxxxx>:
>>> Same for Graphiti HIPP.
>>> 
>>> +1
>>> 
>>> Thanks for pointing out,
>>> Michael
>>> 
>>> 
>>> -----Original Message-----
>>> From: cross-project-issues-dev-bounces@xxxxxxxxxxx [mailto:cross-project-issues-dev-bounces@xxxxxxxxxxx] On Behalf Of Ed Willink
>>> Sent: Thursday, 9 January 2014 09:39
>>> To: Cross project issues
>>> Subject: Re: [cross-project-issues-dev] [HIPP] Visibility of Hudson configuration for anonymous users
>>> 
>>> Hi
>>> 
>>> Thanks Michael
>>> 
>>> +1
>>> 
>>> I certainly want my OCL/QVTd HIPP to be accessible and have been
>>> inconvenienced by not being able to access other HIPPs.
>>> 
>>>     Regards
>>> 
>>>         Ed Willink
>>> 
>>> On 09/01/2014 08:11, Mikaël Barbero wrote:
>>>> Hi all,
>>>> 
>>>> I often struggle to build (or setup a CI build for) Eclipse projects. Sometimes, there is a wiki page about how to build the project, but it may be outdated or not complete. I often want to see how the project set up its jobs on Hudson in order to know how I should properly build the project.
>>>> 
>>>> On the shared instance, it was possible for anonymous users but it is no longer available by default on HIPP instances. Project leaders have to install the Extended Read Permission Plugin (https://wiki.jenkins-ci.org/display/JENKINS/Extended+Read+Permission+Plugin) by themselves and configure the additional permission for Anonymous.
>>>> 
>>>> I did it for EMF Compare (e.g. see https://hudson.eclipse.org/emfcompare/job/emfcompare-master/), and I can individually ask projects of interest to do it, but I think it would be good to make it a rule to let anonymous users see the job configurations on HIPP. It should not be a choice left to the HIPP owners because I think the availability of how to build an open source project is an important criterion in order to consider it truly open.
>>>> 
>>>> Do not see this mail as a rant against projects that did not install this plugin. They may not be aware of the issue. I just would like to know your opinion. If you agree, I will open a bug about it to see how to make it real for all HIPP instances.
>>>> 
>>>> Best regards,
>>>> Mikael
>>>> _______________________________________________
>>>> cross-project-issues-dev mailing list
>>>> cross-project-issues-dev@xxxxxxxxxxx
>>>> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>> 
>>> 
>> 
>> ----- End of forwarded message -----
>> 
>> 
> 
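
Added example, not part of the original thread: one way an instance admin could list the jobs whose "Trigger builds remotely" token would become readable before granting Extended Read more widely. It assumes the Jenkins-style on-disk layout (`jobs/<name>/config.xml` with the token in an `<authToken>` element); the function names and sample configs are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample configs (not taken from any real HIPP instance).
SAMPLE_JOBS = {
    "nightly": b"<project><authToken>constructed-token</authToken></project>",
    "gerrit": b"<project><authToken></authToken><triggers/></project>",
    "broken": b"<project><authToken>oops</project>",
}


def token_findings(config_xml):
    """Return findings for one job config; never echoes the token value."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter("authToken"):  # assumed element name, see lead-in
        token = (elem.text or "").strip()
        if token:
            findings.append(f"remote trigger token set ({len(token)} chars)")
    return findings


def audit_jobs(jobs_dir):
    """Map job name -> findings for every <jobs_dir>/<name>/config.xml."""
    report = {}
    for cfg in sorted(Path(jobs_dir).glob("*/config.xml")):
        try:
            found = token_findings(cfg.read_bytes())
        except ET.ParseError as exc:
            # A config the parser rejects is not proof of "no token".
            found = [f"unparseable config, review by hand: {exc}"]
        if found:
            report[cfg.parent.name] = found
    return report


def demo():
    """Run the audit over the constructed samples in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, xml in SAMPLE_JOBS.items():
            job = Path(tmp, name)
            job.mkdir()
            (job / "config.xml").write_bytes(xml)
        return audit_jobs(tmp)


if __name__ == "__main__":
    for job, found in demo().items():
        print(job, found)
```

Jobs that appear in the report are the ones whose token should be rotated or whose remote trigger should be removed before configuration pages are opened to a wider audience.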
