
Job DSL Authorization Matrix cannot manage the folder inheritance

    • matrix-auth-2.4

      I use Project Based Authorization - each user has its own permissions to folders and jobs. Also, I use DSL Plugin - managing is much simpler. My configuration is based on one global permission and permissions per job/folder. As jobs can be defined with different inheritance strategy via code like this:

       

      properties {
          authorizationMatrix {
              inheritanceStrategy {
                inheritingGlobal()
              }
          }
      }

      folders can't be. By default, folders have "Inherit permissions from parent ACL" and it's not what I want. I have many subfolders, and not all subfolders should have the same permissions for the same users. For example:

      folderA
         |
         - subfolderA
         |
         - subfolderB

      In this scenario, subfolderA and subfolderB will inherit permissions from folderA, but I don't want it. It means that if userA and userB have read access to folderA, both users will have read access to subfolderA and subfolderB.

      I have tried many scenarios and without the possibility to choose the inheritance strategy in folder DSL configuration, I cannot satisfy my needs. Could you please add authorizationMatrix property as for the job?

       

       

          [JENKINS-49199] Job DSL Authorization Matrix cannot manage the folder inheritance

          Daniel Spilker added a comment -

          Job DSL only provides configuration syntax for existing options. Try to configure your folders manually and then port the configuration to Job DSL. If the option is not available, open a feature request for the appropriate plugin.

          Emil Wypych added a comment -

          Hi, daspilker

          Yes, I know that Job DSL only provides syntax for existing options. And the problem is that Job DSL doesn't provide syntax for Project-based Authorization Matrix during the folder creation, I CAN do it manually. The original plugin allows me to do it. But I cannot do it with Job DSL Plugin. There is no option, there is no syntax for it. And this is the feature request (type: improvement). I'm not sure why you have closed this request and I don't understand your answer.

          Try to configure your folders manually and then port the configuration to Job DSL

          Can't do that, Job DSL Plugin doesn't provide valid syntax. But I can configure my folders manually. Job DSL API doesn't have proper syntax, and I cannot use syntax from job configuration (syntax errors).


          Daniel Spilker added a comment -

          Post an example of the relevant parts of the config.xml that can't be generated with Job DSL.

          Emil Wypych added a comment -

          Sure, here you are:

          <description>Test jobs</description>
          <displayName>Testing</displayName>
          <properties>
            <com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty>
              <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"/>
              <permission>hudson.model.Item.Read:bob.fortesting</permission>
            </com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty>
            <org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig plugin="pipeline-model-definition@1.2.7">
              <dockerLabel></dockerLabel>
              <registry plugin="docker-commons@1.11"/>
            </org.jenkinsci.plugins.pipeline.modeldefinition.config.FolderConfig>
          </properties>

          As you can see this is a folder, and the most important here is this line:

          <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"/>
          

          I cannot find a valid syntax for Inheritance.

          In the Job DSL API Viewer, there is only an "authorization" function, but it doesn't allow managing the inheritance. Also, there are no "properties" for this. The job has something like this:

          properties {
            authorizationMatrix {
              permissions(Iterable<String> value)
              inheritanceStrategy {
                inheritingGlobal()
              }
            }
          }

          but it doesn't work with the folder.

          Hope it will be helpful. If you need more information, I'll try to provide it as soon as possible.

          Maybe there is an option to do what I want, but then there is a lack of documentation.


          Daniel Spilker added a comment -

          Ah, unfortunately the Automatically Generated DSL does not work for com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty because the class does not declare a DataBoundConstructor.

          But you can use a Configure Block to add the necessary config options:

          folder('example') {
              configure {
                  it / 'properties' / 'com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty' {
                      inheritanceStrategy(class: 'org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy')
                      permission('hudson.model.Item.Read:bob.fortesting')
                  }
              }
          }
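A check for the result of the configure block above, added here as an example (not code from the issue or from either plugin): it reads folder config.xml text and reports folders whose inheritance strategy differs from the intended one. The folder names, the SAMPLE documents and the treatment of a missing property as parent inheritance (the default the reporter describes) are assumptions.

```python
import xml.etree.ElementTree as ET

# Element name as it appears in the config.xml posted in this issue.
FOLDER_PROP = "com.cloudbees.hudson.plugins.folder.properties.AuthorizationMatrixProperty"
DEFAULT = "parent (default)"  # label used here for "no explicit strategy"

def folder_acl(config_xml):
    """Return (strategy, permissions) for one folder config.xml."""
    props = ET.fromstring(config_xml).find("properties")
    prop = None
    for child in (props if props is not None else []):
        if child.tag == FOLDER_PROP:
            prop = child
    if prop is None:
        return DEFAULT, []
    strat = prop.find("inheritanceStrategy")
    cls = strat.get("class", "") if strat is not None else ""
    perms = sorted(p.text.strip() for p in prop.findall("permission") if p.text)
    return cls.rsplit(".", 1)[-1] or DEFAULT, perms

def audit(configs, expected):
    """Return (folder, found, expected) for every folder whose strategy differs."""
    findings = []
    for name in sorted(configs):
        found, _ = folder_acl(configs[name])
        if name in expected and found != expected[name]:
            findings.append((name, found, expected[name]))
    return findings

# Constructed sample: folderA mirrors the XML from the issue, subfolderA has
# no matrix property at all and therefore falls back to the parent ACL.
ROOT = "com.cloudbees.hudson.plugins.folder.Folder"
SAMPLE = {
    "folderA": f"""<{ROOT}><properties><{FOLDER_PROP}>
        <inheritanceStrategy class="org.jenkinsci.plugins.matrixauth.inheritance.InheritGlobalStrategy"/>
        <permission>hudson.model.Item.Read:bob.fortesting</permission>
      </{FOLDER_PROP}></properties></{ROOT}>""",
    "folderA/subfolderA": f"<{ROOT}><properties/></{ROOT}>",
}
EXPECTED = {name: "InheritGlobalStrategy" for name in SAMPLE}

if __name__ == "__main__":
    for name, found, want in audit(SAMPLE, EXPECTED):
        print(f"{name}: strategy is {found}, expected {want}")
```

Run against the config.xml files that a seed job produced, this catches a subfolder that was created without the configure block and therefore still inherits the parent folder's readers.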

          Emil Wypych added a comment -

          Oh, ok, I understand. So thanks, daspilker - I will test it tomorrow and let you know about results.


          Daniel Spilker added a comment -

          I opened a PR for the matrix-auth-plugin to enable support for the Automatically Generated DSL:

          https://github.com/jenkinsci/matrix-auth-plugin/pull/45

          That will enable this syntax:

          folder('example') {
            properties {
              authorizationMatrixProperty {
                permissions(['hudson.model.Item.Read:bob.fortesting'])
                inheritanceStrategy {
                  inheritingGlobal()
                }
              }
            }
          }

          Emil Wypych added a comment -

          daspilker thanks for the provided information. The workaround is great - works fine, as expected. So I will use it until your PR is merged and the new version is released. 


          Daniel Beck added a comment -

          This should be fixed in matrix-auth 2.4.


          Josh Sleeper added a comment -

          apologies for the slight necro-post, but I haven't come across a better place to say something about this not working for me with the very latest Jenkins and matrix-auth plugins.

          even something as simple as the example daspilker gave above (except using authorizationMatrix since that was the symbol chosen) fails for me with the following error:

           

          ERROR: Scripts not permitted to use method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object (javaposse.jobdsl.dsl.Folder authorizationMatrix ConfigureJobDsl$_run_closure2$_closure5$_closure6)

           

          here's some specific code that's giving me that error:

          folder('project') {
              properties {
                  authorizationMatrix {
                      inheritanceStrategy {
                          inheriting()
                      }
                      permissions(['hudson.model.Item.Build:jsleeper'])
                  }
              }
          }

           


            danielbeck Daniel Beck
            ewypych Emil Wypych