JENKINS-59981

Role strategy plugin - nested groups issue


Description

      Hello,

      I've got a problem with Jenkins and the role strategy plugin. I found a similar issue mentioned here: https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin on 02.12.2014, but so far it seems that it still doesn't work properly.

      Jenkins 2.176.3
      Role-based Authorization Strategy 2.15
      FreeIPA, version: 4.5.4

      And I will just copy the issue because it's exactly the same in my scenario:

      The "configuration to be expected" should be:

      (Role) "Role 1" -> assigned to -> (Group) Group A -> that contains -> (Group) Group B -> that contains -> users.

      The workaround that we have implemented is:

      (Role) "Role 1" -> assigned to -> (Group) Group B -> that contains -> users.

      The issue seems to be due to nested groups on FreeIPA, which don't work correctly with the plugin.

      Any suggestion would be appreciated.

      Thanks in advance for your help.

      Best Regards.

      Karol


        Activity

          dracorp Piotr Rogoża added a comment - edited

          I have the same problem for Active Directory. I use the LDAP plugin to connect to AD. I also use the filter (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0})) for nested groups. But it does not work for Global roles.
          Instead of the main group, to which the user belongs indirectly, I have to list all subgroups for Global roles.

          Jenkins: 2.190.0

          Role-based Authorization Strategy: 2.15

          mawinter69 Markus Winter added a comment -

          That is not a problem of the role strategy plugin, I think. Any authorization plugin is asked by Jenkins core code first if the user directly has permission. If not, then it loops over the groups the user is a member of. The group membership is determined by the securityRealm, meaning the Active Directory plugin, LDAP plugin or any other authentication plugin.

          Check which groups you belong to when you go to /whoAmI, or, to check other users, go to /user/<userid>/
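The resolution order described in this comment, as an added example that is not part of the issue or of any Jenkins plugin code: a small model of "direct grant first, then each group the realm reports", run against a constructed Group A -> Group B -> user tree, with one realm that reports only direct membership and one that resolves nested groups the way the matching-rule-in-chain filter quoted earlier does. Group names, the user name and the permission label are sample data.

```python
# Added example, not Jenkins or role-strategy plugin code. Constructed directory
# data mirroring the report: Group A contains Group B, which contains the user.
GROUP_MEMBERS = {
    "Group A": {"Group B"},
    "Group B": {"karol"},
}

# Constructed role configuration (labels are samples, not real permission ids).
ROLE_PERMISSIONS = {"Role 1": {"Overall/Read"}}


def direct_groups(principal):
    """Realm that reports only the groups a principal is listed in directly."""
    return {g for g, members in GROUP_MEMBERS.items() if principal in members}


def transitive_groups(principal):
    """Realm that resolves nested groups (what the LDAP_MATCHING_RULE_IN_CHAIN
    filter in the comments asks the directory to do): walk parent groups
    until no new ones appear."""
    seen, frontier = set(), direct_groups(principal)
    while frontier:
        group = frontier.pop()
        if group in seen:
            continue
        seen.add(group)
        frontier |= direct_groups(group)
    return seen


def has_permission(user, permission, role_assignments, groups_of):
    """Order described in the comment: ask whether the user itself holds a role
    granting the permission; only if not, loop over the realm's groups."""
    def granted(sid):
        roles = role_assignments.get(sid, ())
        return any(permission in ROLE_PERMISSIONS[r] for r in roles)

    if granted(user):
        return True
    return any(granted(g) for g in groups_of(user))


if __name__ == "__main__":
    assign_top = {"Group A": {"Role 1"}}   # the expected configuration
    assign_sub = {"Group B": {"Role 1"}}   # the workaround from the report
    print("top-level group, direct-only realm:",
          has_permission("karol", "Overall/Read", assign_top, direct_groups))
    print("top-level group, nested-resolving realm:",
          has_permission("karol", "Overall/Read", assign_top, transitive_groups))
    print("subgroup workaround, direct-only realm:",
          has_permission("karol", "Overall/Read", assign_sub, direct_groups))
```

Swapping `groups_of` is the whole difference: with a realm that only returns direct membership, assigning the role to the top-level group never matches, which is exactly what /whoAmI will show as the user's groups.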

          dracorp Piotr Rogoża added a comment -

          Hi mawinter69

          I didn't know those URLs, nice and thx.

          It agrees with what you wrote. I have to contact my AD admin.

          dracorp Piotr Rogoża added a comment - edited

          Together with my AD admin we've tested nested groups. For a tree example:

          main_group:
           sub_group1
           sub_group2
          ....

          If I added only main_group I could log in and assign admin privileges. Only the ownership plugin does not work:
          "User NAME is not registered in Jenkins"

          But it does not work until I add a proper subgroup. After this, the directory for the account will be created in /users folder. And now I can remove the subgroup.

          So finally, I need all appropriate subgroups from the AD tree.

          People

            oleg_nenashev Oleg Nenashev
            wolskikd Karol Wolski