Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-67387

"No type prefix: " in "Assign roles:" after updating "Matrix Authorization Strategy" to 3.0

    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Minor Minor
    • matrix-auth-plugin
    • None
    • Jenkins 2.303.3
      Matrix Authorization Strategy 3.0
      JDK 11
      RH 7

      I’ve updated Matrix “Authorization Strategy” plugin from 2.6.11 to 3.0.
      Now on the “Assign Roles” configuration page, all users/groups are prefixed by:
      "No type prefix:" in red.
      I’ve understood that the new plugin needs adaptations. (https://plugins.jenkins.io/matrix-auth/#releases)
      I’ve tried to delete the users and add them newly. But as soon as I reload the page after “Save” or “Apply”, I’m back in the same situation.

      With the hint from https://community.jenkins.io/t/matrix-authorization-strategy-3-0-no-type-prefix/1043
      I added 'USER:' before my user entries - that seems to have fixed the problem.

      Some hint on that in the GUI would be really good. (and/or on the version notes https://plugins.jenkins.io/matrix-auth/#releases)

       

      Update: Unfortunately, it seems my account has lost the “Admin” permissions. Quite bad, locked myself out for the moment…
      So the "USER:..." didn't solved it seemingly.

      In home/config.xml I found:

      ...

      In home/config.xml I found:

      ...
         <roleMap type="globalRoles">
       <role name="admin" pattern=".*">
        <permissions>
      ....
      <permission>hudson.model.Hudson.Administer</permission>
      ....
      </permissions>
       <assignedSIDs>
      ...
      <sid>USER:jm044248</sid>
      ....

       

      jm044248 is me - so I would assume, I should have the Admin permissions, but....

       

          [JENKINS-67387] "No type prefix: " in "Assign roles:" after updating "Matrix Authorization Strategy" to 3.0

          Martin Jost added a comment - - edited

          If I try to do a "JENKINS_URL/exit"
          I get "jm044248 is missing the Overall/Administer permission"
          Is this something to enter as " <permission>....</permission>" ???

           

          Martin Jost added a comment - - edited If I try to do a "JENKINS_URL/exit" I get "jm044248 is missing the Overall/Administer permission" Is this something to enter as " <permission>....</permission> " ???  

          Daniel Beck added a comment -

          The release notes are very explicit that you need to wait with upgrading until compatible versions of dependent plugins, in this case role-strategy, are released.

          Quoting:

          • Plugin APIs have changed significantly.While some compatibility is retained, other plugins that depend on this plugin will likely need to be adapted to these changes or may behave in unexpected ways.If you use any plugins with a dependency on this plugin, make sure they're compatible with this release before upgrading.

          Daniel Beck added a comment - The release notes are very explicit that you need to wait with upgrading until compatible versions of dependent plugins, in this case role-strategy , are released. Quoting: Plugin APIs have changed significantly.While some compatibility is retained, other plugins that depend on this plugin will likely need to be adapted to these changes or may behave in unexpected ways. If you use any plugins with a dependency on this plugin, make sure they're compatible with this release before upgrading.

          Adam Outler added a comment -

          I would say that is non-explicit.  I was not aware of any dependencies on this plugin and the plugin said it would upgrade on save which led me to believe I should upgrade.  Is there a use case for this plugin without the role-strategy?  This should be made more explicit within the release notes.  I just spent 3 hours troubleshooting this problem to find out that I should not have upgraded because I have dependencies.  I found out I had dependencies when I found this jira. 

          I've currently configured duplicates of all of my users and groups.  I have one which is just the user/group and the other which is USER/GROUP:user/group.  I assume this won't cause any problems in the future? 

          Adam Outler added a comment - I would say that is non-explicit.  I was not aware of any dependencies on this plugin and the plugin said it would upgrade on save which led me to believe I should upgrade.  Is there a use case for this plugin without the role-strategy?  This should be made more explicit within the release notes.  I just spent 3 hours troubleshooting this problem to find out that I should not have upgraded because I have dependencies.  I found out I had dependencies when I found this jira.  I've currently configured duplicates of all of my users and groups.  I have one which is just the user/group and the other which is USER/GROUP:user/group.  I assume this won't cause any problems in the future? 

          Daniel Beck added a comment -

          Is there a use case for this plugin without the role-strategy?

          Yes, otherwise there wouldn't be 3-4 times more installs of matrix-auth than role-strategy. For a basic introduction, see https://www.jenkins.io/doc/book/security/managing-security/#authorization (which is referenced on https://plugins.jenkins.io/matrix-auth/ in the second line).

          This should be made more explicit within the release notes.

          I've updated https://plugins.jenkins.io/matrix-auth/#releases weeks ago to include the following:

          Role-based Authorization Strategy has already been reported as incompatible with this release (JENKINS-67393).

          How much more explicit do you want it?

          Daniel Beck added a comment - Is there a use case for this plugin without the role-strategy? Yes, otherwise there wouldn't be 3-4 times more installs of matrix-auth than role-strategy. For a basic introduction, see https://www.jenkins.io/doc/book/security/managing-security/#authorization (which is referenced on https://plugins.jenkins.io/matrix-auth/ in the second line). This should be made more explicit within the release notes. I've updated https://plugins.jenkins.io/matrix-auth/#releases weeks ago to include the following: Role-based Authorization Strategy has already been reported as incompatible with this release ( JENKINS-67393 ). How much more explicit do you want it?

            danielbeck Daniel Beck
            martinjost Martin Jost
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: