Hi all,

Until recently anonymous users had permissions to view jobs, logs, and
other similar information of our Jenkins server running at
ci.hive.apache which poses a security risk.

After discussions in secur...@hive.apache.org we decided to restrict
the permissions of anonymous users to the bare minimum. As of Friday,
July 12, 2024, anonymous users can see the main Jenkins pages but
nothing more than that.

In addition, we decided to remove the build permission from general
authenticated users. This means that contributors who do not belong to
the apache organization (non-committers) will not be able to start a
build via the Jenkins UI. They can still trigger a build by pushing
(empty) commits to their PR or by closing/reopening their PR.

If you discover problems with the above permissioning scheme please let us know.

Credit:
Thanks to Cofin_cf for bringing up the issue about unauthenticated
access on our security list.
Thanks to Zoltan Haindrich for providing valuable feedback and ideas
on improving our authentication and permission handling on Jenkins.

Best,
Stamatis
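The permission scheme described in the message, expressed as a Jenkins Configuration as Code (JCasC) fragment for the Matrix Authorization Strategy plugin. This is an added illustration, not the Hive project's actual Jenkins configuration: the "before" and "after" blocks are reconstructed from the prose, and the group name `apache-committers` is a hypothetical placeholder for whatever group the real instance maps committers to. It assumes matrix-auth 3.x, which uses the `entries` form with separate `user` and `group` keys.

```yaml
# BEFORE (weak): anonymous can read jobs and console logs,
# and every authenticated account can start builds.
jenkins:
  authorizationStrategy:
    globalMatrix:
      entries:
        - user:
            name: "anonymous"
            permissions:
              - "Overall/Read"
              - "Job/Read"          # exposes job pages and build logs to the internet
        - group:
            name: "authenticated"
            permissions:
              - "Overall/Read"
              - "Job/Read"
              - "Job/Build"         # any logged-in account can trigger builds
---
# AFTER (as described in the message): anonymous sees only the top-level
# pages, authenticated users can read jobs, and only the committer group
# (hypothetical group name) can start builds from the UI.
jenkins:
  authorizationStrategy:
    globalMatrix:
      entries:
        - user:
            name: "anonymous"
            permissions:
              - "Overall/Read"      # dashboard only; no Job/Read, so no jobs or logs
        - group:
            name: "authenticated"
            permissions:
              - "Overall/Read"
              - "Job/Read"          # view jobs and logs, but no Job/Build
        - group:
            name: "apache-committers"   # placeholder; real group name is instance-specific
            permissions:
              - "Overall/Read"
              - "Job/Read"
              - "Job/Build"
              - "Job/Cancel"
```

Overall/Read without Job/Read is what makes the "main pages but nothing more" behaviour possible: the dashboard renders, but no job is listed or reachable by URL. Removing Job/Build from `authenticated` does not block non-committers from getting CI coverage, since builds triggered by PR activity (new commits, close/reopen) are driven by the PR webhook rather than by the user's Jenkins permissions, which is exactly the path the message points them to.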