Hello,

      I've got a problem with Jenkins and the Role Strategy plugin. I found a similar issue mentioned here: https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin on 02.12.2014, but so far it seems that it still doesn't work properly.

      Jenkins 2.176.3
      Role-based Authorization Strategy 2.15
      FreeIPA, version: 4.5.4

      And I will just copy the issue because it's exactly the same in my scenario:

      The "configuration to be expected" should be:

      (Role) "Role 1" -> assigned to -> (Group) Group A -> that contains -> (Group) Group B -> that contains -> users.

      The workaround that we have implemented is:

      (Role) "Role 1" -> assigned to -> (Group) Group B -> that contains -> users.

      The issue seems to be due to nested groups on FreeIPA, which don't work correctly with the plugin.

      Any suggestion would be appreciated.

      Thanks in advance for your help.

      Best Regards.

      Karol

          [JENKINS-59981] Role strategy plugin - nested groups issue

          dracorp added a comment - - edited

          I have the same problem with Active Directory. I use the LDAP plugin to connect to AD. I also use the filter (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0})) for nested groups. But it does not work for Global roles.
          Instead of the main group, to which the user belongs indirectly, I have to list all subgroups for Global roles.

          Jenkins: 2.190.0

          Role-based Authorization Strategy: 2.15


          Markus Winter added a comment -

          That is not a problem of the rolestrategy plugin I think. Any authorization plugin is asked by Jenkins core code first if the user directly has permission. If not, then it loops over the groups the user is a member of. The group membership is determined by the securityRealm, meaning the Active Directory plugin, LDAP plugin or any other authentication plugin.

          Check which groups you belong to when you go to /whoAmI, or to check other users go to /user/<userid>/

           

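An added model of the check Markus describes (an editor's example, not code from the thread, from Jenkins or from any of its plugins): the realm reports the user's groups either as direct memberships only or with the nesting chain walked (as the AD 1.2.840.113556.1.4.1941 filter above does), and the role lookup then runs over the user first and each reported group second. The role, group and user names are constructed, and the field names of /whoAmI/api/json are an assumption about that endpoint's output.

```python
"""Model of the authorization check: Jenkins core asks the strategy about
the user itself, then about each group the security realm reported. Nested
groups therefore only work if the realm already expanded them."""
import json

# Constructed role assignment: role name -> SIDs (users or groups) it is granted to.
ROLES = {"Role 1": {"Group A"}}

# Constructed directory: group -> groups it is a direct member of (memberOf).
MEMBER_OF = {"Group B": {"Group A"}}


def realm_authorities(direct_groups, member_of, expand_nested):
    """Groups the security realm reports for a user. With expand_nested=False
    only direct memberships are returned; with True the memberOf chain is
    walked transitively, like the AD LDAP_MATCHING_RULE_IN_CHAIN filter."""
    seen, todo = set(), list(direct_groups)
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        if expand_nested:
            todo.extend(member_of.get(group, ()))
    return seen


def holds_role(user, role, authorities):
    """Core's loop: the user SID first, then every group the realm reported."""
    assigned = ROLES.get(role, set())
    return any(sid in assigned for sid in [user, *authorities])


def role_from_whoami(role, whoami_json):
    """Same check applied to the JSON of /whoAmI/api/json; the field names
    "name" and "authorities" are an assumption about that endpoint."""
    data = json.loads(whoami_json)
    return holds_role(data["name"], role, data.get("authorities", []))


# Constructed /whoAmI/api/json sample, not captured from a real server.
SAMPLE_WHOAMI = json.dumps({"name": "karol", "authenticated": True,
                            "authorities": ["authenticated", "Group B"]})

if __name__ == "__main__":
    direct = realm_authorities({"Group B"}, MEMBER_OF, expand_nested=False)
    nested = realm_authorities({"Group B"}, MEMBER_OF, expand_nested=True)
    print("direct only:", holds_role("karol", "Role 1", direct))      # False
    print("nested walk:", holds_role("karol", "Role 1", nested))      # True
    print("from whoAmI:", role_from_whoami("Role 1", SAMPLE_WHOAMI))  # False
```

If "Group A" is missing from the authorities shown at /whoAmI, the role assignment cannot match it regardless of how the Role Strategy plugin is configured, which is why listing the subgroups works as a workaround.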

          dracorp added a comment -

          Hi mawinter69,

          I didn't know those URLs, nice and thx.

          It agrees with what you wrote. I have to contact my AD admin.


          dracorp added a comment - - edited

          Together with my AD admin we've tested nested groups. For example, with this tree:

          main_group:
           sub_group1
           sub_group2
          ....

          If I added only main_group I could log in and assign admin privileges. Only the ownership plugin does not work:
          User NAME is not registered in Jenkins

          But it does not work until I add a proper subgroup. After this, the directory for the account will be created in /users folder. And now I can remove the subgroup.

          So finally, I need all appropriate subgroups from the AD tree.


            oleg_nenashev Oleg Nenashev
            wolskikd Karol Wolski