Jenkins Version: 2.176.1

      Github Authentication Plugin Version: 0.32

      I'm trying to set up Matrix-based Authorization Strategy for my team, that requires me to grant permissions to users based on the Github team membership.

      Following the instructions on the wiki I'm specifying the group name as "org_name*team_name", but I'm getting the following error:

       

      org_name*engineering
      org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams
          at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529)
          at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494)
          at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44)
          at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32)
          at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89)
          at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544)
          at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794)
          at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157)
          at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      

       We are currently successfully using the Github Committer Authorization Strategy, however it's becoming a necessity to add permissions based on user-groups, such as letting devs replay jobs. 

       

          [JENKINS-58479] Failing to retrieve teams

          Sam Gleske added a comment -

          There's a bug in the OAuth plugin where you must reference team name by common name and not by slug.

          So, if your engineering team is actually Engineering in the GitHub UI, then it must match that. I'll reference the existing issue when I find it.


          Sam Gleske added a comment -

          JENKINS-34835 is the original issue.


          Kote Mushegiani added a comment -

          sag47 so, should I be able to input `ORGNAME*Engineering`? I tried this and it throws the same error.

          The team is called "Engineering" in Github UI, and is referenced as `@ORGNAME/engineering`. I guess that's the slug?

          The url for the team is https://github.com/orgs/ORGNAME/teams/engineering

          Juha Tiensyrjä added a comment -

          We are experiencing the same issue. Our existing configuration stopped working yesterday, probably after upgrading the GitHub Oauth plugin to 0.33.

          Sam Gleske added a comment -

          kmushegi if you visit https://[your Jenkins instance]/whoAmI all known authorities for your user will be there. If the name you have in matrix auth does not match the name in granted authorities then users will not have access. Find a user who's in the Engineering GitHub team and see what authorities they have granted.

          I can't reproduce this issue myself. juhtie01 can you describe in more detail what, specifically, stopped working? There were definite issues with the 0.32 version of the plugin that were fixed in 0.33. However, the fix was only to backend code on the globalSecurity page and should not have made a difference to your configuration itself.

          Without more detail and steps to reproduce I don't know how else to approach this issue. It passes all of my local testing when trying to reproduce what this issue describes.

          Sam Gleske added a comment -

          kmushegi I also forgot to mention that you need to upgrade to github-oauth 0.33 because plugin version 0.32 suffers from a critical bug in matrix auth. See JENKINS-57154 for details.

          Juha Tiensyrjä added a comment -

          I believe that the plugin upgrade was coincidental / a red herring related to something either GitHub or one of the organization admins did and only manifested once we restarted the Jenkins instance with the new plugin version. We fixed the problem by revoking the Oauth application privileges from GitHub organization settings page, logged in with the machine user whose token is used for the Oauth app, requested permissions and had one of the org admins approve those permissions. After that, no more errors.

          Kote Mushegiani added a comment -

          sag47 I will try upgrading the plugin and setting up the matrix auth.

          I'm in the Engineering github team, but the only authority I see is `authenticated`. I guess after I switch to matrix auth that will change?

          Could you advise on what are the risks of being locked out as the result of setting matrix auth wrong? Does 0.33 still require referencing the team name by its common name and not slug?

          Kote Mushegiani added a comment -

          After upgrading the plugin, I still see the same error when trying to add a group to matrix auth in the following way "ORGNAME*engineering" or "ORGNAME*Engineering"

          Sam Gleske added a comment -

          Strange, I can't seem to be able to replicate your issue. You should be able to see your own granted authorities under:

          https://yourjenkins/whoAmI - when you go here do your GitHub teams show up under granted authorities?

          kmushegi Is it possible that you didn't grant your OAuth app permission to view the org and its teams? GitHub now allows orgs to restrict team only to allowed OAuth apps. In that case, the plugin wouldn't be able to query teams of the org. See the earlier comment by juhtie01 which is a similar situation as I describe.

          The risks of being locked out are similar to the risks with other plugins. The only way to recover would be to edit the root config.xml and restore your access. Personally, I configure my own username in addition to teams to ensure that my specific user doesn't lose access when configuring matrix authorization.

          Does 0.33 still require referencing the team name by its common name and not slug?

          Yes, the plugin still has bug JENKINS-34835 where you must reference teams by common name and not slug.
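          Added example (not part of the issue thread and not the plugin's own code): a pre-flight check for matrix-auth entries that applies two points from the comments above, namely that team entries must use the team's display name rather than its slug (JENKINS-34835) and that an individual username should be kept as a fallback against lock-out. The team list is a constructed sample shaped like the `name`/`slug` fields of GitHub's team listing; the function names, the status labels and the exact-match comparison are assumptions.

```python
import json

# Constructed sample shaped like GET /orgs/ORGNAME/teams, trimmed to the two
# fields used here. Not data from the issue.
SAMPLE_TEAMS_JSON = """
[
  {"name": "Engineering", "slug": "engineering"},
  {"name": "Release Managers", "slug": "release-managers"}
]
"""
TEAMS = json.loads(SAMPLE_TEAMS_JSON)

# Names that matrix auth treats as built-in groups rather than usernames.
BUILT_IN_GROUPS = {"authenticated", "anonymous"}


def check_entries(org, teams, entries):
    """Classify matrix-auth entries written as 'org*team'.

    Returns {entry: (status, suggestion)}; status is one of 'ok', 'slug-used',
    'wrong-org', 'unknown-team', 'not-a-team-entry' (hypothetical labels).
    """
    by_name = {t["name"]: t for t in teams}
    by_slug = {t["slug"]: t for t in teams}
    result = {}
    for entry in entries:
        entry_org, sep, team = entry.partition("*")
        if not sep:
            result[entry] = ("not-a-team-entry", None)  # username or built-in group
        elif entry_org != org:  # assumption: org compared exactly
            result[entry] = ("wrong-org", None)
        elif team in by_name:
            result[entry] = ("ok", entry)
        elif team in by_slug:
            # JENKINS-34835: the slug is not matched, the display name is.
            result[entry] = ("slug-used", f"{org}*{by_slug[team]['name']}")
        else:
            result[entry] = ("unknown-team", None)
    return result


def has_user_fallback(entries):
    """True if at least one entry is an individual username, so a broken
    team lookup does not leave the matrix with team-only entries."""
    return any("*" not in e and e not in BUILT_IN_GROUPS for e in entries)
```

          Compare the entries reported as `ok` with the granted authorities shown on the /whoAmI page for a user who is in the team.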

            sag47 Sam Gleske
            kmushegi Kote Mushegiani