Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64447

CLI is not working for AD groups set in Role-based authorization

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      We use Azure AD authentication with Role-based authorization plugin, it works perfectly from the web pages. In the authorization options we use email addresses for users and group names for groups, both of these works.

      However, when we try to use the CLI, the groups are not found. In the attached log, the user has the Overall/Read permission through a group, but that is not found. If I give the permission directly for a single user (without AD groups), it works.

      Interestingly, when I use direct permissions, the error message "The user *** may or may not exist in the SecurityRealm, so we provide minimum access" still appears in the logs, but the CLI itself is working.

       

      Dec 15 10:29:49 jenkins tomcat9[1599]: Authentication attempted from email@redacted.com with Sun RSA public key, 2048 bits
      Dec 15 10:29:49 jenkins tomcat9[1599]:   params: null
      Dec 15 10:29:49 jenkins tomcat9[1599]:   modulus: *****
      Dec 15 10:29:49 jenkins tomcat9[1599]:   public exponent: 65537
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: authenticated: email@redacted.com []
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - authentication result: true
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) send SSH_MSG_USERAUTH_PK_OK for key type=ssh-rsa, fingerprint=SHA256:*****
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 352 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=352
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleAuthenticationInProgress(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) SSH_MSG_USERAUTH_REQUEST
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 688 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: process(ServerSessionImpl[null@/10.0.100.9:52238]) Received SSH_MSG_USERAUTH_REQUEST user=email@redacted.com, service=ssh-connection, method=publickey
      Dec 15 10:29:49 jenkins tomcat9[1599]: process(ServerSessionImpl[null@/10.0.100.9:52238]) Authenticating user 'email@redacted.com' with service 'ssh-connection' and method 'publickey' (attempt 2 / 20)
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) verify key type=ssh-rsa, factories=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss, fingerprint=SHA256:*****
      Dec 15 10:29:49 jenkins tomcat9[1599]: Authentication attempted from email@redacted.com with Sun RSA public key, 2048 bits
      Dec 15 10:29:49 jenkins tomcat9[1599]:   params: null
      Dec 15 10:29:49 jenkins tomcat9[1599]:   modulus: *****
      Dec 15 10:29:49 jenkins tomcat9[1599]:   public exponent: 65537
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: authenticated: email@redacted.com []
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - authentication result: true
      Dec 15 10:29:49 jenkins tomcat9[1599]: doAuth(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) key type=ssh-rsa, fingerprint=SHA256:***** - verified
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleAuthenticationSuccess(email@redacted.com@ServerSessionImpl[null@/10.0.100.9:52238]) SSH_MSG_USERAUTH_REQUEST
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 64 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=64
      Dec 15 10:29:49 jenkins tomcat9[1599]: Session email@redacted.com@/10.0.100.9:52238 authenticated
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 80 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: channelOpen(ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]]) SSH_MSG_CHANNEL_OPEN sender=0, type=session, window-size=2097152, packet-size=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: init() service=ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]] session=ServerSessionImpl[email@redacted.com@/10.0.100.9:52238] id=0
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: registerChannel(ServerConnectionService[ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]])[id=0] ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]
      Dec 15 10:29:49 jenkins tomcat9[1599]: setRecipient(ChannelSession[id=0, recipient=-1]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) recipient=0
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/remote](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) re-initializing
      Dec 15 10:29:49 jenkins tomcat9[1599]: init(Window[server/local](ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])) size=2097152, max=2097152, packet=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: operationComplete(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) send SSH_MSG_CHANNEL_OPEN_CONFIRMATION recipient=0, sender=0, window-size=2097152, packet-size=32768
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 80 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=80
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleReadCycleCompletion(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) read 112 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleChannelRequest(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) SSH_MSG_CHANNEL_REQUEST exec wantReply=true
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleExec(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) Executing command: console Core-Gen-Master/Core-Run-Test 1419
      Dec 15 10:29:49 jenkins tomcat9[1599]: prepareChannelCommand(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238])[exec] prepared command
      Dec 15 10:29:49 jenkins tomcat9[1599]: sendResponse(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) request=exec result=ReplySuccess, want-reply=true
      Dec 15 10:29:49 jenkins tomcat9[1599]: writePacket(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) Writing 64 bytes
      Dec 15 10:29:49 jenkins tomcat9[1599]: handleCompletedWriteCycle(Nio2Session[local=/10.0.210.1:2222, remote=/10.0.100.9:52238]) finished writing len=64
      Dec 15 10:29:49 jenkins tomcat9[1599]: sendResponse(ChannelSession[id=0, recipient=0]-ServerSessionImpl[email@redacted.com@/10.0.100.9:52238]) request=exec activate command
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: The user email@redacted.com may or may not exist in the SecurityRealm, so we provide minimum access
      Dec 15 10:29:49 jenkins tomcat9[1599]: hasPermission(org.acegisecurity.providers.UsernamePasswordAuthenticationToken@2d87e98f: Username: email@redacted.com; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated,Permission[class hudson.model.Hudson,Read])=>null, thus false
      Dec 15 10:29:49 jenkins tomcat9[1599]: Failed call to CLI command console, with 2 arguments, as user email@redacted.com.
      Dec 15 10:29:49 jenkins tomcat9[1599]: hudson.security.AccessDeniedException2: email@redacted.com is missing the Overall/Read permission
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.security.ACL.checkPermission(ACL.java:79)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.security.AccessControlled.checkPermission(AccessControlled.java:47)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at hudson.cli.CLICommand.main(CLICommand.java:245)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at org.jenkinsci.main.modules.sshd.CLICommandAdapter$1.run(CLICommandAdapter.java:37)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at org.jenkinsci.main.modules.sshd.AsynchronousCommand$1.run(AsynchronousCommand.java:112)
      Dec 15 10:29:49 jenkins tomcat9[1599]:     at java.base/java.lang.Thread.run(Thread.java:834) 

       

        Attachments

          Activity

          There are no comments yet on this issue.

            People

            Assignee:
            azure_devops Azure DevOps
            Reporter:
            ngg1 NGG
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated: