-
Bug
-
Resolution: Unresolved
-
Blocker
Jenkins Version: 2.176.1
Github Authentication Plugin Version: 0.32
I'm trying to set up Matrix-based Authorization Strategy for my team, that requires me to grant permissions to users based on the Github team membership.
Following the instructions on the wiki I'm specifying the group name as "org_name*team_name", but I'm getting the following error:
org_name*engineering
org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529) at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494) at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44) at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32) at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89) at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544) at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794) at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157) at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
We are currently successfully using the Github Committer Authorization Strategy, however it's becoming a necessity to add permissions based on user-groups, such as letting devs replay jobs.
[JENKINS-58479] Failing to retrieve teams
Kote Mushegiani
created issue -
Kote Mushegiani
made changes -
| Description |
Original:
I'm trying to set up Matrix-based Authorization Strategy for my team, that requires me to grant permissions to users based on the Github team membership. Following the instructions on the wiki I'm specifying the group name as "org_name*team_name", but I'm getting the following error: {code:java} org_name*engineering org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529) at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494) at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44) at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32) at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89) at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544) at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794) at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157) at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) {code} |
New:
Jenkins Version: 2.176.1 Github Authentication Plugin Version: 0.32 I'm trying to set up Matrix-based Authorization Strategy for my team, that requires me to grant permissions to users based on the Github team membership. Following the instructions on the wiki I'm specifying the group name as "org_name*team_name", but I'm getting the following error: {code:java} org_name*engineering org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529) at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494) at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44) at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32) at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89) at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544) at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794) at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157) at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) {code} We are currently successfully using the Github Committer Authorization Strategy, however it's becoming a necessity to add permissions based on user-groups, such as letting devs replay jobs. |
Sam Gleske
added a comment - There's a bug in the OAuth plugin where you must reference team name by common name and not by slug.
So, if your engineering team is actually Engineering in the GitHub UI, then it must match that. I'll reference the existing issue when I find it.
Sam Gleske
added a comment - There's a bug in the OAuth plugin where you must reference team name by common name and not by slug.
So, if your engineering team is actually Engineering in the GitHub UI, then it must match that. I'll reference the existing issue when I find it. Sam Gleske
added a comment - JENKINS-34835 is the original issue. Kote Mushegiani
added a comment - sag47 so, should I be able to input `ORGNAME*Engineering`? I tried this and it throws the same error.
The team is called "Engineering" in Github UI, and is referenced as `@ORGNAME/engineering`. I guess that's the slug?
The url for the team is https://github.com/orgs/ORGNAME/teams/engineering
Kote Mushegiani
added a comment - sag47 so, should I be able to input `ORGNAME*Engineering`? I tried this and it throws the same error.
The team is called "Engineering" in Github UI, and is referenced as `@ORGNAME/engineering`. I guess that's the slug?
The url for the team is https://github.com/orgs/ORGNAME/teams/engineering 
Paul Clark
made changes -
| Assignee | Original: Sam Gleske [ sag47 ] | New: Paul Clark [ clarkster ] |
Juha Tiensyrjä
added a comment - We are experiencing the same issue. Our existing configuration stopped working yesterday, probably after upgrading the GitHub Oauth plugin to 0.33.
Juha Tiensyrjä
added a comment - We are experiencing the same issue. Our existing configuration stopped working yesterday, probably after upgrading the GitHub Oauth plugin to 0.33. Paul Clark
made changes -
| Assignee | Original: Paul Clark [ clarkster ] | New: Sam Gleske [ sag47 ] |
Sam Gleske
added a comment - kmushegi if you visit https://[you Jenkins instance]/whoAmI all known authorities for your user will be there. If the name you have in matrix auth does not match the name in granted authorities then users will not have access. Find a user who's in the Engineering GitHub team and see what authorities they have granted.
I can't reproduce this issue myself. juhtie01 can you describe in more detail what, specifically, stopped working? There were definite issues with the 0.32 version of the plugin that were fixed in 0.33. However, the fix was only to backend code on the globalSecurity page and should not have made a difference your configuration itself.
Without more detail and steps to reproduce I don't know how else to approach this issue. It passes all of my local testing when trying to reproduce what this issue describes.
Sam Gleske
added a comment - kmushegi if you visit https://[you Jenkins instance]/whoAmI all known authorities for your user will be there. If the name you have in matrix auth does not match the name in granted authorities then users will not have access. Find a user who's in the Engineering GitHub team and see what authorities they have granted.
I can't reproduce this issue myself. juhtie01 can you describe in more detail what, specifically, stopped working? There were definite issues with the 0.32 version of the plugin that were fixed in 0.33. However, the fix was only to backend code on the globalSecurity page and should not have made a difference your configuration itself.
Without more detail and steps to reproduce I don't know how else to approach this issue. It passes all of my local testing when trying to reproduce what this issue describes. 
Has anyone taken a look at this? Or are there any updates?