Jenkins / JENKINS-67312

Role-based Authorization Strategy: Naming Strategy = Role-Based Strategy is not working


Details

    Type: Bug
    Status: Open
    Priority: Major
    Resolution: Unresolved
    Component: role-strategy-plugin
    Labels: None
    Environment: Jenkins 2.319.1, Role-based Authorization Strategy 3.2.0

    Description

      Role-based Authorization Strategy plug-in provides Naming Strategy = Role-Based Strategy in Configure System. With this option:

      • If a user doesn't have global Job > Create permission then New Item menu item disappears for a user and creation of jobs becomes impossible. This is not how it's supposed to work per plug-in docs. User with item role and item Job > Create permission should be able to create jobs following a pattern defined in Item roles.
      • If a user does have global Job > Create permission then the user can create any job: this is working as documented.

        Activity

          dk Dmitriy Korobskiy created issue -
          dk Dmitriy Korobskiy made changes - Description edited
          dk Dmitriy Korobskiy made changes - Description edited
          dk Dmitriy Korobskiy made changes - Description edited
          robert7788 robert wang added a comment (edited)

          Me too.

          Jenkins 2.342 / Role-based Authorization Strategy 3.2.0

          Role permission config is invalid; only Administrator takes effect.

          fvila Francis added a comment (edited)

          Version 3.2.0

          In a nutshell: item roles for specific users are not taken into account.

          Case 1: tata user logged out despite global and item roles

          "tata" user is logged out despite having global and item roles.

          Manage Roles

          Global Roles
            admin: All privileges
            dev:   Overall/Read

          Item Roles
            dev2: All privileges, pattern

          Assign roles

          Global roles
                        admin   dev
            tata                 X
            Anonymous

          Item roles
                        dev2
            tata         X
            Anonymous

          Result

          Expected: for tata, full rights on jobs with the pattern defined in dev2

          Observed: Access Denied: tata is missing the Overall/Read permission

          Case 2: Adding global role to Anonymous gives tata login, but no jobs showing

          Global roles
                        admin   dev
            tata                 X
            Anonymous            X

          Item roles
                        dev2
            tata         X
            Anonymous

          Result

          Expected: for tata, full rights on jobs with pattern defined in dev, no rights without login

          Observed: tata logs in but no jobs visible

          Case 3: Adding global+item role to Anonymous gives tata rights

          Global roles
                        admin   dev
            tata                 X
            Anonymous            X

          Item roles
                        dev2
            tata         X
            Anonymous    X

          Result

          Works as expected: both tata and anonymous have full rights on jobs satisfying the pattern.

          But not satisfactory, as we don't want anonymous to have build rights.

          fvila Francis made changes - Attachment: image-2022-04-15-14-20-59-034.png
          fvila Francis added a comment (edited)

          Worse: with LDAP, global role assigned to user has no effect at all. Plugin is unusable.

          • jenkins 2.342
          • role-strategy@3.2.0
          • ldap@2.7

          I have just 1 user and 2 global roles

          If I remove the admin role for Anonymous, I lose admin privileges when logged in as my user. Days spent deleting config.xml, reentering data, etc

          At one time I had a Jenkins user with the same name as my LDAP user, that might have confused things, but I deleted it and the error persists.

          Here is the config.xml extract. If I remove the line <sid>anonymous</sid> from <roleMap type="globalRoles">, I lose admin rights

          <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
            <roleMap type="slaveRoles"/>
            <roleMap type="projectRoles"/>
            <roleMap type="globalRoles">
              <role name="admin" pattern=".*">
                <permissions>
                  <permission>hudson.model.View.Delete</permission>
                  <permission>hudson.model.Computer.Connect</permission>
                  <permission>hudson.model.Run.Delete</permission>
                  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
                  <permission>hudson.model.Computer.Create</permission>
                  <permission>hudson.model.View.Configure</permission>
                  <permission>hudson.model.Computer.Build</permission>
                  <permission>hudson.model.Item.Configure</permission>
                  <permission>hudson.model.Hudson.Administer</permission>
                  <permission>hudson.model.Item.Cancel</permission>
                  <permission>hudson.model.Item.Read</permission>
                  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
                  <permission>hudson.model.Computer.Delete</permission>
                  <permission>hudson.model.Item.Build</permission>
                  <permission>org.jenkins.plugins.lockableresources.LockableResourcesManager.Unlock</permission>
                  <permission>hudson.scm.SCM.Tag</permission>
                  <permission>hudson.model.Item.Move</permission>
                  <permission>hudson.model.Item.Discover</permission>
                  <permission>hudson.model.Hudson.Read</permission>
                  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
                  <permission>org.jenkins.plugins.lockableresources.LockableResourcesManager.Steal</permission>
                  <permission>hudson.model.Item.Create</permission>
                  <permission>org.jfrog.hudson.ArtifactoryPlugin.Release</permission>
                  <permission>hudson.model.Item.Workspace</permission>
                  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
                  <permission>hudson.model.Computer.Provision</permission>
                  <permission>hudson.model.Run.Replay</permission>
                  <permission>hudson.model.View.Read</permission>
                  <permission>org.jenkins.plugins.lockableresources.LockableResourcesManager.View</permission>
                  <permission>hudson.model.View.Create</permission>
                  <permission>hudson.model.Item.Delete</permission>
                  <permission>org.jfrog.hudson.ArtifactoryPlugin.Promote</permission>
                  <permission>hudson.model.Computer.Configure</permission>
                  <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
                  <permission>hudson.model.Computer.Disconnect</permission>
                  <permission>org.jenkins.plugins.lockableresources.LockableResourcesManager.Reserve</permission>
                  <permission>hudson.model.Run.Update</permission>
                </permissions>
                <assignedSIDs>
                  <sid>USER:fvila</sid>
                  <sid>anonymous</sid>
                </assignedSIDs>
              </role>
              <role name="dev" pattern=".*">
                <permissions>
                  <permission>hudson.model.Hudson.Read</permission>
                  <permission>hudson.model.Item.Cancel</permission>
                  <permission>hudson.model.Item.Read</permission>
                  <permission>hudson.model.Item.Build</permission>
                </permissions>
                <assignedSIDs>
                  <sid>anonymous</sid>
                  <sid>USER:fvila</sid>
                </assignedSIDs>
              </role>
            </roleMap>
          </authorizationStrategy>
          
          fvila Francis added a comment -

          I managed to solve the problem by editing the config.xml file directly.

          In admin's assignedSIDs, I gave my user 2 lines, one with USER:myname, the other with just myname

          <assignedSIDs>
            <sid>USER:fvila</sid>
            <sid>fvila</sid>
          </assignedSIDs>
          

          In the UI, this shows fvila in red and with "No type prefix: fvila".

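The rule the description relies on (a global role grants its permissions everywhere, an item role grants them only on items whose full name matches the role's pattern) and the grant visible in the config.xml extract above (the "admin" global role, including Overall/Administer, assigned to the anonymous SID) can both be checked mechanically. The script below is an added example, not code from the Role Strategy plugin or from anyone in this ticket. It parses a config.xml of the shape shown, computes a SID's effective permissions, decides whether a user may create a given job name under the role-based naming strategy, and flags roles that hand anonymous dangerous permissions. The sample config is constructed for the example; the treatment of "USER:"/"GROUP:" prefixes versus bare SIDs is an assumption modelled on the UI behaviour described in the comments, not the plugin's own matching code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not a real instance). It mirrors the extract in
# the ticket: an "admin" global role held by a USER:-prefixed SID and by
# anonymous, a "dev" global role held via a bare (untyped) SID, and an item
# role "dev2" limited to jobs whose full name matches a pattern.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="projectRoles">
      <role name="dev2" pattern="team-a-.*">
        <permissions>
          <permission>hudson.model.Item.Read</permission>
          <permission>hudson.model.Item.Create</permission>
          <permission>hudson.model.Item.Build</permission>
        </permissions>
        <assignedSIDs><sid>USER:tata</sid></assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Administer</permission>
          <permission>hudson.model.Hudson.Read</permission>
        </permissions>
        <assignedSIDs><sid>USER:fvila</sid><sid>anonymous</sid></assignedSIDs>
      </role>
      <role name="dev" pattern=".*">
        <permissions><permission>hudson.model.Hudson.Read</permission></permissions>
        <assignedSIDs><sid>tata</sid></assignedSIDs>
      </role>
    </roleMap>
  </authorizationStrategy>
</hudson>"""

ADMIN = "hudson.model.Hudson.Administer"
CREATE = "hudson.model.Item.Create"
# Permissions an unauthenticated client should never hold (a selection, not exhaustive).
RISKY = {ADMIN, CREATE, "hudson.model.Item.Configure", "hudson.model.Item.Build",
         "hudson.model.Run.Replay"}


def load_roles(xml_text):
    """Parse every role into (map_type, name, pattern, permissions, sids)."""
    root = ET.fromstring(xml_text)
    strategy = root if root.tag == "authorizationStrategy" else root.find(".//authorizationStrategy")
    roles = []
    for role_map in strategy.findall("roleMap"):
        for role in role_map.findall("role"):
            perms = {p.text.strip() for p in role.findall("permissions/permission")}
            sids = [s.text.strip() for s in role.findall("assignedSIDs/sid")]
            roles.append((role_map.get("type"), role.get("name"),
                          role.get("pattern", ".*"), perms, sids))
    return roles


def sid_matches(sid, user, groups):
    """Assumed SID semantics (not taken from the plugin): 'USER:x' matches only
    user x, 'GROUP:g' only group g, and a bare SID (shown as 'No type prefix'
    in the UI) matches a user or a group of that name."""
    if sid.startswith("USER:"):
        return sid[len("USER:"):] == user
    if sid.startswith("GROUP:"):
        return sid[len("GROUP:"):] in groups
    return sid == user or sid in groups


def effective_permissions(roles, user, groups=(), item=None):
    """Global roles apply everywhere; item roles only where the item's full
    name matches the role pattern as a whole."""
    perms = set()
    for map_type, _name, pattern, role_perms, sids in roles:
        if not any(sid_matches(s, user, groups) for s in sids):
            continue
        if map_type == "globalRoles":
            perms |= role_perms
        elif map_type == "projectRoles" and item is not None and re.fullmatch(pattern, item):
            perms |= role_perms
    return perms


def has_permission(roles, user, perm, groups=(), item=None):
    perms = effective_permissions(roles, user, groups, item)
    return ADMIN in perms or perm in perms  # Overall/Administer implies every permission


def can_create(roles, user, new_item_name, groups=()):
    """Documented rule for the role-based naming strategy: creation needs a
    global Item.Create, or an item role with Item.Create whose pattern the
    proposed name matches."""
    return has_permission(roles, user, CREATE, groups, item=new_item_name)


def risky_anonymous_roles(roles):
    """Roles that give the anonymous SID any permission in RISKY."""
    hits = []
    for map_type, name, _pattern, perms, sids in roles:
        if any(sid_matches(s, "anonymous", ("anonymous",)) for s in sids) and perms & RISKY:
            hits.append((map_type, name, sorted(perms & RISKY)))
    return hits


if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONFIG)
    for user, name in [("tata", "team-a-build"), ("tata", "team-b-build"), ("fvila", "anything")]:
        print(f"{user} may create {name!r}: {can_create(roles, user, name)}")
    for map_type, name, perms in risky_anonymous_roles(roles):
        print(f"WARNING: anonymous holds {perms} via {map_type}/{name}")
```

To audit a real instance, pass the contents of `$JENKINS_HOME/config.xml` to `load_roles`. On the constructed config, tata can create `team-a-build` but not `team-b-build`, fvila can create anything, and the audit reports that anonymous holds Overall/Administer through the admin global role. That last finding is the security point behind the config.xml extract above: while the anonymous SID is in the admin role, every unauthenticated client is an administrator, so after applying the SID workaround the anonymous entry should be removed from that role and the result re-checked.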
          mawinter69 Markus Winter made changes - Assignee: Oleg Nenashev (oleg_nenashev) -> Markus Winter (mawinter69)

          People

            Assignee: Markus Winter (mawinter69)
            Reporter: Dmitriy Korobskiy (dk)
            Votes: 0
            Watchers: 3