
CLI is not working for AD groups set in Role-based authorization


      We use Azure AD authentication with Role-based authorization plugin, it works perfectly from the web pages. In the authorization options we use email addresses for users and group names for groups, both of these work.

      However, when we try to use the CLI, the groups are not found. In the attached log, the user has the Overall/Read permission through a group, but that is not found. If I give the permission directly for a single user (without AD groups), it works.

      Interestingly, when I use direct permissions, the error message "The user *** may or may not exist in the SecurityRealm, so we provide minimum access" still appears in the logs, but the CLI itself is working.


      Dec 15 10:29:49 jenkins tomcat9[1599]: Authentication attempted from email@redacted.com with Sun RSA public key, 2048 bits
      Dec 15 10:29:49 jenkins tomcat9[1599]:   params: null
      Dec 15 10:29:49 jenkins tomcat9[1599]:   modulus: *****
      Dec 15 10:29:49 jenkins tomcat9[1599]:   public exponent: 65537
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: authenticated: email@redacted.com []
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - authentication result: true
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) send SSH_MSG_USERAUTH_PK_OK for key type=ssh-rsa, fingerprint=SHA256:*****
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 352 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=352
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleAuthenticationInProgress(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) SSH_MSG_USERAUTH_REQUEST
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 688 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: process(ServerSessionImpl[null@/10.0.100.9:52238]) Received SSH_MSG_USERAUTH_REQUEST user=email@redacted.com, service=ssh-connection, method=publickey
      Dec 15 10:29:49 jenkins tomcat9[1599]: process(ServerSessionImpl[null@/10.0.100.9:52238]) Authenticating user 'email@redacted.com' with service 'ssh-connection' and method 'publickey' (attempt 2 / 20)
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) verify key type=ssh-rsa, factories=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss, fingerprint=SHA256:*****
      Dec 15 10:29:49 jenkins tomcat9[1599]: Authentication attempted from email@redacted.com with Sun RSA public key, 2048 bits
      Dec 15 10:29:49 jenkins tomcat9[1599]:   params: null
      Dec 15 10:29:49 jenkins tomcat9[1599]:   modulus: *****
      Dec 15 10:29:49 jenkins tomcat9[1599]:   public exponent: 65537
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: authenticated: email@redacted.com []
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - authentication result: true
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - verified
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleAuthenticationSuccess(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) SSH_MSG_USERAUTH_REQUEST
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 64 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=64
      Dec 15 10:29:49 jenkins tomcat9[1599]: Session email@redacted.com@/10.0.100.9:52238 authenticated
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 80 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: channelOpen(ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]]) SSH_MSG_CHANNEL_OPEN sender=0, type=session, window-size=2097152, packet-size=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: init() service=ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]] session=ServerSessionImpl[email@redacted.com@/10.0.100.9:52238] id=0
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: registerChannel(ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]])[id=0] ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]
      Dec 15 10:29:49 jenkins tomcat9[1599]: setRecipient(ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) recipient=0
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/remote](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) re-initializing
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: operationComplete(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) send SSH_MSG_CHANNEL_OPEN_CONFIRMATION recipient=0, sender=0, window-size=2097152, packet-size=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 80 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=80
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 112 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleChannelRequest(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) SSH_MSG_CHANNEL_REQUEST exec wantReply=true
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleExec(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) Executing command: console Core-Gen-Master/Core-Run-Test 1419
      Dec 15 10:29:49 jenkins tomcat9[1599]: prepareChannelCommand(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])[exec] prepared command
      Dec 15 10:29:49 jenkins tomcat9[1599]: sendResponse(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) request=exec result=ReplySuccess, want-reply=true
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 64 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=64
      Dec 15 10:29:49 jenkins tomcat9[1599]: sendResponse(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) request=exec activate command
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: hasPermission(org.acegisecurity.providers.UsernamePasswordAuthenticationToken@2d87e98f: Username: email@redacted.com; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated,Permission[class hudson.model.Hudson,Read])=>null, thus false
      Dec 15 10:29:49 jenkins tomcat9[1599]: Failed call to CLI command console, with 2 arguments, as user email@redacted.com.
      Dec 15 10:29:49 jenkins tomcat9[1599]: hudson.security.AccessDeniedException2: email@redacted.com is missing the Overall/Read permission
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.security.ACL.checkPermission(ACL.java:79)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.cli.CLICommand.main(CLICommand.java:245)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at org.jenkinsci.main.modules.sshd.CLICommandAdapter$1.run(CLICommandAdapter.java:37)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at org.jenkinsci.main.modules.sshd.AsynchronousCommand$1.run(AsynchronousCommand.java:112)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at java.base/java.lang.Thread.run(Thread.java:834) 
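The `hasPermission(...)` line in the log above shows the CLI session's Authentication carrying only the `authenticated` authority, and the `authenticated: email@redacted.com []` line shows the realm returning no group authorities for the key-authenticated user. The script below is an added example, not Jenkins code and not the reporter's attachment: it parses log lines in the formats quoted above (the embedded sample is constructed from them) and reports which expected group names are absent from the authorities the session carried. A Role Strategy assignment to a group can only match when that group name is among the Authentication's authorities, so an empty list explains the `Overall/Read` denial. The group name `jenkins-readers` is a placeholder assumption.

```python
"""Diagnose why a group-based Role Strategy assignment does not apply to a Jenkins CLI session.

Added example for this issue; it is not Jenkins code and not the reporter's attachment.
It parses the log formats quoted in the issue (sshd module, ACL) and compares the authorities
the CLI Authentication actually carried with the groups an administrator expects to match.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the lines quoted in the issue (the real log is attached there).
SAMPLE_LOG = """\
Dec 15 10:29:49 jenkins tomcat9[1599]: Authentication attempted from email@redacted.com with Sun RSA public key, 2048 bits
Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
Dec 15 10:29:49 jenkins tomcat9[1599]: authenticated: email@redacted.com []
Dec 15 10:29:49 jenkins tomcat9[1599]: handleExec(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) Executing command: console Core-Gen-Master/Core-Run-Test 1419
Dec 15 10:29:49 jenkins tomcat9[1599]: hasPermission(org.acegisecurity.providers.UsernamePasswordAuthenticationToken@2d87e98f: Username: email@redacted.com; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated,Permission[class hudson.model.Hudson,Read])=>null, thus false
Dec 15 10:29:49 jenkins tomcat9[1599]: hudson.security.AccessDeniedException2: email@redacted.com is missing the Overall/Read permission
"""

# Patterns for the log lines shown in the issue.
HAS_PERM_RE = re.compile(
    r"hasPermission\(.*?Username: (?P<user>[^;]+);.*?Granted Authorities: (?P<auths>.*?),"
    r"Permission\[(?P<perm>[^\]]*)\]\)=>(?P<result>[^,]+), thus (?P<verdict>true|false)"
)
DENIED_RE = re.compile(r"AccessDeniedException\d*: (?P<user>\S+) is missing the (?P<perm>\S+) permission")
MIN_ACCESS_RE = re.compile(r"The user (?P<user>\S+) may or may not exist in the SecurityRealm")
REALM_AUTH_RE = re.compile(r"authenticated: (?P<user>\S+) \[(?P<auths>.*)\]$")
EXEC_RE = re.compile(r"Executing command: (?P<cmd>.*)$")


@dataclass
class CliAuthReport:
    user: str = ""
    command: str = ""
    minimum_access: bool = False                              # realm could not (fully) load the user
    realm_authorities: List[str] = field(default_factory=list)    # from "authenticated: user [...]"
    granted_authorities: List[str] = field(default_factory=list)  # from the hasPermission(...) line
    checked_permission: str = ""
    permission_granted: Optional[bool] = None
    denied_permission: str = ""
    missing_groups: List[str] = field(default_factory=list)

    def group_roles_can_apply(self) -> bool:
        """True only if every expected group name is among the session's authorities."""
        return not self.missing_groups


def _split_authorities(raw: str) -> List[str]:
    return [a.strip() for a in raw.split(",") if a.strip()]


def diagnose(log_text: str, expected_groups: List[str]) -> CliAuthReport:
    """Return what the log says about the CLI session's identity, authorities and the ACL verdict."""
    r = CliAuthReport()
    for line in log_text.splitlines():
        if m := HAS_PERM_RE.search(line):
            r.user = m["user"].strip()
            r.granted_authorities = _split_authorities(m["auths"])
            r.checked_permission = m["perm"]
            r.permission_granted = m["verdict"] == "true"
        elif m := DENIED_RE.search(line):
            r.denied_permission = m["perm"]
        elif m := MIN_ACCESS_RE.search(line):
            r.user, r.minimum_access = m["user"], True
        elif m := REALM_AUTH_RE.search(line):
            r.user = m["user"]
            r.realm_authorities = _split_authorities(m["auths"])
        elif m := EXEC_RE.search(line):
            r.command = m["cmd"]
    # A group role can only match an authority with the group's name; `authenticated` alone
    # matches no group assignment, so every expected group absent here explains a denial.
    r.missing_groups = [g for g in expected_groups if g not in r.granted_authorities]
    return r


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, ["jenkins-readers"])  # placeholder group name
    print(f"user={report.user} command={report.command!r} minimum_access={report.minimum_access}")
    print(f"realm authorities={report.realm_authorities} session authorities={report.granted_authorities}")
    print(f"denied={report.denied_permission} missing groups={report.missing_groups}")
```

Run it against the real log with the group names your role assignments use; if they appear in `missing_groups` while the web login works, the realm is not supplying group authorities on the CLI's key-based path, and the user-level grant the reporter mentions is the only assignment that can match.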

