Update 194.v70a6d5203ce4 breaks my jenkins azure ad #198
Comments
Can you provide a bit more detail? What does your authentication config look like? Are you using users individually or groups? |
Hey, my config looks like:

```xml
<authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
  <roleMap type="projectRoles">
    <role name="ARM" pattern="ARM.*">
      <permissions>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
        <permission>hudson.model.Item.Release</permission>
        <permission>hudson.model.Item.Create</permission>
        <permission>hudson.model.Run.Delete</permission>
        <permission>hudson.model.Item.Workspace</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
        <permission>hudson.model.Run.Replay</permission>
        <permission>hudson.model.Item.Configure</permission>
        <permission>hudson.model.Item.Cancel</permission>
        <permission>hudson.model.Item.Delete</permission>
        <permission>hudson.model.Item.Read</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
        <permission>hudson.model.Item.Build</permission>
        <permission>hudson.scm.SCM.Tag</permission>
        <permission>hudson.model.Item.Discover</permission>
        <permission>hudson.model.Run.Update</permission>
      </permissions>
      <assignedSIDs>
        <sid>jenkins-aeaarm</sid>
      </assignedSIDs>
    </role>
  </roleMap>
  <roleMap type="globalRoles">
    <role name="admin" pattern=".*">
      <permissions>
        <permission>hudson.model.View.Delete</permission>
        <permission>hudson.model.Computer.Connect</permission>
        <permission>hudson.model.Run.Delete</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
        <permission>hudson.model.Computer.Create</permission>
        <permission>hudson.model.View.Configure</permission>
        <permission>hudson.model.Computer.Build</permission>
        <permission>hudson.model.Item.Configure</permission>
        <permission>hudson.model.Hudson.Administer</permission>
        <permission>hudson.model.Item.Cancel</permission>
        <permission>hudson.model.Item.Read</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
        <permission>hudson.model.Computer.Delete</permission>
        <permission>hudson.model.Item.Build</permission>
        <permission>hudson.scm.SCM.Tag</permission>
        <permission>hudson.model.Item.Move</permission>
        <permission>hudson.model.Item.Discover</permission>
        <permission>hudson.model.Hudson.Read</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
        <permission>hudson.model.Item.Release</permission>
        <permission>hudson.model.Item.Create</permission>
        <permission>hudson.model.Item.Workspace</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
        <permission>hudson.model.Computer.Provision</permission>
        <permission>hudson.model.Run.Replay</permission>
        <permission>hudson.model.View.Read</permission>
        <permission>hudson.model.View.Create</permission>
        <permission>hudson.model.Item.Delete</permission>
        <permission>hudson.model.Computer.Configure</permission>
        <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
        <permission>hudson.model.Computer.Disconnect</permission>
        <permission>hudson.model.Run.Update</permission>
      </permissions>
      <assignedSIDs>
        <sid>[email protected]</sid>
        <sid>jenkins-aeaadmin</sid>
      </assignedSIDs>
    </role>
    <role name="developers" pattern=".*">
      <permissions>
        <permission>hudson.model.Hudson.Read</permission>
        <permission>hudson.model.View.Create</permission>
        <permission>hudson.model.View.Delete</permission>
        <permission>hudson.model.View.Configure</permission>
        <permission>hudson.model.View.Read</permission>
      </permissions>
      <assignedSIDs>
        <sid>jenkins-aeaarm</sid>
      </assignedSIDs>
    </role>
  </roleMap>
  <roleMap type="slaveRoles"/>
</authorizationStrategy>
<securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
  <clientid>XXXX</clientid>
  <clientsecret>XXXX</clientsecret>
  <tenant>XXXXXXXX</tenant>
  <cacheduration>0</cacheduration>
  <fromrequest>false</fromrequest>
  <environmentName>Azure</environmentName>
  <disableGraphIntegration>false</disableGraphIntegration>
</securityRealm>
```

Most users are in groups, but my user is assigned to a role too; it's happening for both kinds of users. |
RoleBasedAuthorizationStrategy is not compatible yet… see https://issues.jenkins.io/browse/JENKINS-67422 |
I've been using newer versions of these plugins since today:
Once I restored the azure-ad plugin, Jenkins started working again. |
This should be fixed in commit 8555a0b. No release for this commit yet. |
Thanks! I'll be waiting for the release to test it. |
Still not working, the same message.
I rolled back again |
I just ran into the same issue. We use Project-based Matrix Authentication Strategy. I can confirm rolling back to 191.vfc8019068670 resolves the issue. |
The role-strategy plugin checks permissions based on SID. It works if the user is assigned to the role as an Azure Object ID or in The groups are not working because of a change on line: https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/AzureAdGroup.java#L23 Group authority is now the group Object ID. It is better for the azure-ad plugin, because it maps Object ID to FullSid in https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/ObjId2FullSidMap.java. This change means that you have to define the group in the role-strategy plugin as an Object ID. I will revert the change on https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/AzureAdGroup.java#L23 and the groups may be defined as name or Object ID in the role-strategy plugin. In the azure-ad plugin the behavior will remain the same, as the group authorities are listed as string Object ID and AzureAdGroup object. @monwolf Would you check if @gtbuchanan Would you post your authorization configuration, please? |
The user is in the group. |
@AdrianFarmadin Based on your response it sounds like the issue is we are using the group name rather than Object ID. Here is our config:

```xml
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
  <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:JenkinsAdmin</permission>
  <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:JenkinsAdmin</permission>
  <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:JenkinsAdmin</permission>
  <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Update:JenkinsAdmin</permission>
  <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.View:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Build:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Configure:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Connect:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Create:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Delete:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Computer.Disconnect:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Hudson.Administer:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  <permission>GROUP:hudson.model.Hudson.Read:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Hudson.Read:JenkinsUsers</permission>
  <permission>GROUP:hudson.model.Item.Build:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Build:JenkinsUsers</permission>
  <permission>GROUP:hudson.model.Item.Cancel:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Configure:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Create:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Delete:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Discover:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Move:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
  <permission>GROUP:hudson.model.Item.Read:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Read:JenkinsUsers</permission>
  <permission>GROUP:hudson.model.Item.Workspace:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Run.Delete:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Run.Replay:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Run.Update:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.View.Configure:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.View.Create:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.View.Delete:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.View.Read:authenticated</permission>
  <permission>GROUP:hudson.model.View.Read:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.View.Read:JenkinsUsers</permission>
  <permission>GROUP:hudson.scm.SCM.Tag:JenkinsAdmin</permission>
  <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Reserve:JenkinsAdmin</permission>
  <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Unlock:JenkinsAdmin</permission>
  <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.View:JenkinsAdmin</permission>
</authorizationStrategy>
<securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
  <clientid>REDACTED</clientid>
  <clientsecret>REDACTED</clientsecret>
  <tenant>REDACTED</tenant>
  <cacheduration>3600</cacheduration>
  <fromrequest>false</fromrequest>
  <environmentName>Azure</environmentName>
  <disableGraphIntegration>false</disableGraphIntegration>
</securityRealm>
```
|
Right, you shouldn't really do that, because AAD group names are not unique. Someone else could configure that group name. There should be two valid options for groups.
If you configure the plugin with the Azure AD matrix auth strategy, then there's a user / group picker which will populate it appropriately, and you can check the config to get the right values. |
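The SID-matching behaviour described two comments up, and the name-collision risk raised just above, modelled as an added example (not code from the azure-ad or role-strategy plugins). It parses a constructed role-strategy fragment to flag SIDs that are not Object IDs, and uses a simplified authority model (an assumption) to show why a name-based assignment stops matching once group authorities become Object IDs, and why two groups with the same display name are indistinguishable by name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the reporter's full config): a trimmed
# role-strategy fragment with one name-based and one Object-ID-based SID.
SAMPLE_CONFIG = """<authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
  <roleMap type="globalRoles">
    <role name="admin" pattern=".*">
      <assignedSIDs>
        <sid>jenkins-aeaadmin</sid>
        <sid>11111111-2222-3333-4444-555555555555</sid>
      </assignedSIDs>
    </role>
  </roleMap>
</authorizationStrategy>"""

# Heuristic: an AAD Object ID is a GUID; anything else is a display name or user id.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def is_object_id(sid):
    return bool(GUID_RE.match(sid))


def find_name_based_sids(config_xml):
    """Return (role name, sid) pairs whose SID is not an Object ID.

    These are the assignments that stop matching once group authorities
    become Object IDs, so they are what to review before upgrading."""
    root = ET.fromstring(config_xml)
    return [(role.get("name"), sid.text.strip())
            for role in root.iter("role")
            for sid in role.iter("sid")
            if not is_object_id(sid.text.strip())]


def authorities_for(groups, by_object_id):
    """Authority strings Jenkins sees for a user's AAD groups.

    Simplified model (assumption): pre-194 exposed display names, 194 exposes
    Object IDs. Two groups sharing a display name collapse into one authority
    in name mode, which is the collision the thread warns about."""
    return {g["id"] if by_object_id else g["name"] for g in groups}


def role_applies(assigned_sids, authorities):
    """Role-strategy style check: the role grants if any assigned SID is an authority."""
    return any(sid in authorities for sid in assigned_sids)
```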
I was able to get upgraded but I had to make manual changes to |
@monwolf is this resolved for you? |
Duplicate of #190 |
Jenkins and plugins versions report
What Operating System are you using (both controller, and any agents involved in the problem)?
Centos 7.6
Reproduction steps
After updating from 191.vfc8019068670 to 194.v70a6d5203ce4, Jenkins stopped authenticating, saying the Global/Read permission is missing. I had to roll back to the previous version.
Expected Results
Users can log in as done before the update
Actual Results
Global/Read permissions missing for all users.
Anything else?
No response