[JENKINS-67411] Job DSL Authorization does not add USER/GROUP from Matrix Authorization 3.0

Reinhold Füreder added a comment - 2021-12-23 14:59

Hm, I may miss your point, but adding the new type prefix works for us in Job DSL scripts – note however, that this only worked when I added the non-default group search filter for LDAP configuration, cf. ~~JENKINS-67410~~; maybe try to test LDAP server settings if group retrieval/search works:

folder('FolderName') { 
  properties {
    authorizationMatrix {
      inheritanceStrategy {
          nonInheriting()
      }
      permissions([
          // Readonly user    
          'GROUP:Job/Read:group-from-ldap', 
...

Reinhold Füreder added a comment - 2021-12-23 14:59 Hm, I may miss your point, but adding the new type prefix works for us in Job DSL scripts – note however, that this only worked when I added the non-default group search filter for LDAP configuration, cf. JENKINS-67410 ; maybe try to test LDAP server settings if group retrieval/search works: folder( 'FolderName' ) { properties { authorizationMatrix { inheritanceStrategy { nonInheriting() } permissions([ // Readonly user 'GROUP:Job/Read:group-from-ldap' , ...

Roland Gärtner added a comment - 2021-12-25 08:11

reinholdfuereder: Thanks for the hint with the "properties/authorizationMatrix"; this also works in our setup and could be a solution.

We use Active Directory instead of LDAP, so the "Group not found" issue does not apply.

In the Job DSL scripts, we have used the following so far:

folder('FolderName') {
  authorization {
    permissionAll(user-from-AD)
    permissions(user-from-AD, [ 'hudson.model.Item.Read', 'hudson.model.Item.Build', 'hudson.model.Item.Workspace'])
    ...
  }
...

I hoped that the permission commands have been/could be extended with an argument for GROUP/USER, so we do not have to rework our scripts too much, but we have to touch them anyway.

For the "properties/authorizationMatrix" is there a way to have a "permissionAll" or is it working just like one permission for one group/user per line?

Roland Gärtner added a comment - 2021-12-25 08:11 reinholdfuereder : Thanks for the hint with the "properties/authorizationMatrix"; this also works in our setup and could be a solution. We use Active Directory instead of LDAP, so the "Group not found" issue does not apply. In the Job DSL scripts, we have used the following so far: folder( 'FolderName' ) { authorization { permissionAll(user-from-AD) permissions(user-from-AD, [ 'hudson.model.Item.Read' , 'hudson.model.Item.Build' , 'hudson.model.Item.Workspace' ]) ... } ... I hoped that the permission commands have been/could be extended with an argument for GROUP/USER, so we do not have to rework our scripts too much, but we have to touch them anyway. For the "properties/authorizationMatrix" is there a way to have a "permissionAll" or is it working just like one permission for one group/user per line?

Daniel Beck added a comment - 2022-01-13 12:06

https://github.com/jenkinsci/job-dsl-plugin/blob/b3bd3488f6c7389be8df0c7e473d0144c364a6ad/job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/Job.groovy#L296-L308 appears to be specific functionality related to matrix-auth in job-dsl, operating directly on the serialized XML of the configuration.

Unfortunately, this approach means that job-dsl plugin does not declare a dependency (even optional) on matrix-auth, so it doesn't show up in https://plugins.jenkins.io/matrix-auth/#dependencies at all and I was unaware this existed.

Note how this directive has been working with obsolete configurations for quite a while — blocksInheritance was replaced with a more powerful inheritance management in matrix-auth 2.0 (Oct 2017).

So there's nothing matrix-auth can do about this — job-dsl works directly on serialized configuration XML.

Daniel Beck added a comment - 2022-01-13 12:06 https://github.com/jenkinsci/job-dsl-plugin/blob/b3bd3488f6c7389be8df0c7e473d0144c364a6ad/job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/Job.groovy#L296-L308 appears to be specific functionality related to matrix-auth in job-dsl , operating directly on the serialized XML of the configuration. Unfortunately, this approach means that job-dsl plugin does not declare a dependency (even optional) on matrix-auth , so it doesn't show up in https://plugins.jenkins.io/matrix-auth/#dependencies at all and I was unaware this existed. Note how this directive has been working with obsolete configurations for quite a while — blocksInheritance was replaced with a more powerful inheritance management in matrix-auth 2.0 (Oct 2017). So there's nothing matrix-auth can do about this — job-dsl works directly on serialized configuration XML.

Rich added a comment - 2022-03-03 20:17 - edited

Is there a solution to this yet ? I am facing same issue with matrix auth 3.0.

Following works fine, but results in a warning on UI:

_authorization

{ permissions(this.myADGroup, ['hudson.model.Item.Read','hudson.model.Item.Configure'])}

_

When I try changing it to:

_authorization

{ permissions(this.myADGroup, ['GROUP:hudson.model.Item.Read','GROUP:hudson.model.Item.Configure'])}

_

I get error:

ERROR: (unknown source) permission must be one of com.cloudbees.plugins.credentials.CredentialsProvider.Create,com.cloudbees.plugins.credentials.CredentialsProvider.Delete,com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains,com.cloudbees.plugins.credentials.CredentialsProvider.Update,com.cloudbees.plugins.credentials.CredentialsProvider.View,hudson.model.Item.Build,hudson.model.Item.Cancel,hudson.model.Item.Configure,hudson.model.Item.Delete,hudson.model.Item.Discover,hudson.model.Item.Move,hudson.model.Item.Read,hudson.model.Item.Workspace,hudson.model.Run.Delete,hudson.model.Run.Replay,hudson.model.Run.Update,hudson.scm.SCM.Tag

Rich added a comment - 2022-03-03 20:17 - edited Is there a solution to this yet ? I am facing same issue with matrix auth 3.0. Following works fine, but results in a warning on UI: _authorization { permissions(this.myADGroup, ['hudson.model.Item.Read','hudson.model.Item.Configure'])} _ When I try changing it to: _authorization { permissions(this.myADGroup, ['GROUP:hudson.model.Item.Read','GROUP:hudson.model.Item.Configure'])} _ I get error: ERROR: (unknown source) permission must be one of com.cloudbees.plugins.credentials.CredentialsProvider.Create,com.cloudbees.plugins.credentials.CredentialsProvider.Delete,com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains,com.cloudbees.plugins.credentials.CredentialsProvider.Update,com.cloudbees.plugins.credentials.CredentialsProvider.View,hudson.model.Item.Build,hudson.model.Item.Cancel,hudson.model.Item.Configure,hudson.model.Item.Delete,hudson.model.Item.Discover,hudson.model.Item.Move,hudson.model.Item.Read,hudson.model.Item.Workspace,hudson.model.Run.Delete,hudson.model.Run.Replay,hudson.model.Run.Update,hudson.scm.SCM.Tag

Precision Support added a comment - 2022-03-03 21:46 - edited

richmond I struggled with this workaround too and got the same error as you. The key is to not use the permissions() method off of authorization, because that's a method defined by the DSL which is not updated to support the new syntax. You have to start at the job level and get all the way to the the authorizationMatrix. The other problem might be the way you specify the permission because this is technically a different permissions() method.

You want to try something more like this but you'll have to replace jobvar with whatever your variable that represents the job is:

jobvar.properties {
  authorizationMatrix {
    permissions([ "GROUP:Job/Read:${this.myADGroup}", "GROUP:Job/Configure:${this.myADGroup}" ])
  }
}

Precision Support added a comment - 2022-03-03 21:46 - edited richmond I struggled with this workaround too and got the same error as you. The key is to not use the permissions() method off of authorization, because that's a method defined by the DSL which is not updated to support the new syntax. You have to start at the job level and get all the way to the the authorizationMatrix. The other problem might be the way you specify the permission because this is technically a different permissions() method. You want to try something more like this but you'll have to replace jobvar with whatever your variable that represents the job is: jobvar.properties { authorizationMatrix { permissions([ "GROUP:Job/Read:${ this .myADGroup}" , "GROUP:Job/Configure:${ this .myADGroup}" ]) } }

Erik Purins added a comment - 2022-11-30 22:14

Hit this a month ago (linux container host version 2.332.3 with job dsl plugin 1.79) and just got around to hacking together a fix for my pipelines. I wasn't able to get the simple permissions( ) list to work with the versions of plugins I have, and ended up writing configure blocks to manipulate the auth xml blocks.

def matrix = it / 'properties' /'hudson.security.AuthorizationMatrixProperty'
matrix / inheritanceStrategy(class: "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy")
matrix.appendNode('permission', "GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:${myADGroup}".toString())

It's gross but worked.

Erik Purins added a comment - 2022-11-30 22:14 Hit this a month ago (linux container host version 2.332.3 with job dsl plugin 1.79) and just got around to hacking together a fix for my pipelines. I wasn't able to get the simple permissions( ) list to work with the versions of plugins I have, and ended up writing configure blocks to manipulate the auth xml blocks. def matrix = it / 'properties' /'hudson.security.AuthorizationMatrixProperty' matrix / inheritanceStrategy(class: "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy") matrix.appendNode('permission', "GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:${myADGroup}".toString()) It's gross but worked.

Adam Krapfl added a comment - 2023-02-21 21:55

My team was able to work around this just recently with the following syntax, which does not delve into the messy configure blocks:

properties {
authorizationMatrix {
users.each

{ user -> permissionMatrix.add("USER:hudson.model.Item.Build:$user") permissionMatrix.add("USER:hudson.model.Item.Workspace:$user") permissionMatrix.add("USER:hudson.model.Item.Configure:$user") }

groups.each

{ group -> permissionMatrix.add("GROUP:hudson.model.Item.Build:$group") permissionMatrix.add("GROUP:hudson.model.Item.Workspace:$group") permissionMatrix.add("GROUP:hudson.model.Item.Configure:$group") }

permissionMatrix.add("GROUP:hudson.model.Item.Read:authenticated")
permissions(permissionMatrix)
}

}

Anyone want to confirm that the *authorizationMatrix{ permissions

{[]}

}* works for them?

Adam Krapfl added a comment - 2023-02-21 21:55 My team was able to work around this just recently with the following syntax, which does not delve into the messy configure blocks: properties { authorizationMatrix { users.each { user -> permissionMatrix.add("USER:hudson.model.Item.Build:$user") permissionMatrix.add("USER:hudson.model.Item.Workspace:$user") permissionMatrix.add("USER:hudson.model.Item.Configure:$user") } groups.each { group -> permissionMatrix.add("GROUP:hudson.model.Item.Build:$group") permissionMatrix.add("GROUP:hudson.model.Item.Workspace:$group") permissionMatrix.add("GROUP:hudson.model.Item.Configure:$group") } permissionMatrix.add("GROUP:hudson.model.Item.Read:authenticated") permissions(permissionMatrix) } } Anyone want to confirm that the *authorizationMatrix{ permissions {[]} }* works for them?

Mateusz added a comment - 2023-02-28 14:48

I can, properly sets permissions and removes warning

    multibranchPipelineJob(jobName) {
        properties {
            authorizationMatrix {
                permissions(['GROUP:hudson.model.Item.Build:authenticated'])
            }
        }
...

Mateusz added a comment - 2023-02-28 14:48 I can, properly sets permissions and removes warning multibranchPipelineJob(jobName) { properties { authorizationMatrix { permissions([ 'GROUP:hudson.model.Item.Build:authenticated' ]) } } ...

Dirk Heinrichs added a comment - 2023-10-24 13:57 - edited

For the "properties/authorizationMatrix" is there a way to have a "permissionAll" or is it working just like one permission for one group/user per line?

I guess this can be achieved by granting "Overall/Administer", right?

Dirk Heinrichs added a comment - 2023-10-24 13:57 - edited For the "properties/authorizationMatrix" is there a way to have a "permissionAll" or is it working just like one permission for one group/user per line? I guess this can be achieved by granting "Overall/Administer", right?

Dirk Heinrichs added a comment - 2023-10-27 09:49

Could someone please translate the (Job-DSL) example from akrapfl above into the new "entries {}" based syntax? I tried

 properties {
  authorizationMatrix {
    entries {
      config['authorization'].each { entry ->
        if (entry['type'] == 'group') {
          group {
            name(entry['name'])
            permissions(entry['permissions'])
          }
        }
        else {
          user {
            name(entry['name'])
            permissions(entry['permissions'])
          }
        }
      }
    }
    inheritanceStrategy {
      nonInheriting()
    }
  }
}

but that only results in the two empty default entries for "anonymous" and "authenticated" being added to the job.

Dirk Heinrichs added a comment - 2023-10-27 09:49 Could someone please translate the (Job-DSL) example from akrapfl above into the new "entries {}" based syntax? I tried properties { authorizationMatrix { entries { config[ 'authorization' ].each { entry -> if (entry[ 'type' ] == 'group' ) { group { name(entry[ 'name' ]) permissions(entry[ 'permissions' ]) } } else { user { name(entry[ 'name' ]) permissions(entry[ 'permissions' ]) } } } } inheritanceStrategy { nonInheriting() } } } but that only results in the two empty default entries for "anonymous" and "authenticated" being added to the job.

Dirk Heinrichs added a comment - 2023-10-31 13:38

See ~~JENKINS-72263~~ for a follow-up on my previous comment.

Dirk Heinrichs added a comment - 2023-10-31 13:38 See JENKINS-72263 for a follow-up on my previous comment.

Basil Crow added a comment - 2024-08-27 14:57

Fixed in jenkinsci/job-dsl-plugin#1415. Released in 1.88.

Basil Crow added a comment - 2024-08-27 14:57 Fixed in jenkinsci/job-dsl-plugin#1415 . Released in 1.88 .

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Reinhold Füreder added a comment - 2021-12-23 14:59

Expand comment: Reinhold Füreder added a comment - 2021-12-23 14:59

Collapse comment: Roland Gärtner added a comment - 2021-12-25 08:11

Expand comment: Roland Gärtner added a comment - 2021-12-25 08:11

Collapse comment: Daniel Beck added a comment - 2022-01-13 12:06

Expand comment: Daniel Beck added a comment - 2022-01-13 12:06

Collapse comment: Rich added a comment - 2022-03-03 20:17, Edited by Rich - 2022-03-03 20:17

Expand comment: Rich added a comment - 2022-03-03 20:17, Edited by Rich - 2022-03-03 20:17

Collapse comment: Precision Support added a comment - 2022-03-03 21:46, Edited by Precision Support - 2022-03-03 21:47

Expand comment: Precision Support added a comment - 2022-03-03 21:46, Edited by Precision Support - 2022-03-03 21:47

Collapse comment: Erik Purins added a comment - 2022-11-30 22:14

Expand comment: Erik Purins added a comment - 2022-11-30 22:14

Collapse comment: Adam Krapfl added a comment - 2023-02-21 21:55

Expand comment: Adam Krapfl added a comment - 2023-02-21 21:55

Collapse comment: Mateusz added a comment - 2023-02-28 14:48

Expand comment: Mateusz added a comment - 2023-02-28 14:48

Collapse comment: Dirk Heinrichs added a comment - 2023-10-24 13:57, Edited by Dirk Heinrichs - 2023-10-26 13:39

Expand comment: Dirk Heinrichs added a comment - 2023-10-24 13:57, Edited by Dirk Heinrichs - 2023-10-26 13:39

Collapse comment: Dirk Heinrichs added a comment - 2023-10-27 09:49

Expand comment: Dirk Heinrichs added a comment - 2023-10-27 09:49

Collapse comment: Dirk Heinrichs added a comment - 2023-10-31 13:38

Expand comment: Dirk Heinrichs added a comment - 2023-10-31 13:38

Collapse comment: Basil Crow added a comment - 2024-08-27 14:57

Expand comment: Basil Crow added a comment - 2024-08-27 14:57

People

Dates