-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Jenkins: 2.319.1 on Windows
-
-
1.88
When using Job DSL for generating folders (where I have noticed this issue), the authorization permission command does not add the new USER/GROUP prefix from Matrix Authorization 3.0 in the XML files.
- links to
[JENKINS-67411] Job DSL Authorization does not add USER/GROUP from Matrix Authorization 3.0
| Assignee | Original: Daniel Spilker [ daspilker ] | New: Jamie Tanna [ jamietanna ] |
reinholdfuereder: Thanks for the hint with the "properties/authorizationMatrix"; this also works in our setup and could be a solution.
We use Active Directory instead of LDAP, so the "Group not found" issue does not apply.
In the Job DSL scripts, we have used the following so far:
folder('FolderName') { authorization { permissionAll(user-from-AD) permissions(user-from-AD, [ 'hudson.model.Item.Read', 'hudson.model.Item.Build', 'hudson.model.Item.Workspace']) ... } ...
I hoped that the permission commands have been/could be extended with an argument for GROUP/USER, so we do not have to rework our scripts too much, but we have to touch them anyway.
For the "properties/authorizationMatrix" is there a way to have a "permissionAll" or is it working just like one permission for one group/user per line?
https://github.com/jenkinsci/job-dsl-plugin/blob/b3bd3488f6c7389be8df0c7e473d0144c364a6ad/job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/Job.groovy#L296-L308 appears to be specific functionality related to matrix-auth in job-dsl, operating directly on the serialized XML of the configuration.
Unfortunately, this approach means that job-dsl plugin does not declare a dependency (even optional) on matrix-auth, so it doesn't show up in https://plugins.jenkins.io/matrix-auth/#dependencies at all and I was unaware this existed.
Note how this directive has been working with obsolete configurations for quite a while — blocksInheritance was replaced with a more powerful inheritance management in matrix-auth 2.0 (Oct 2017).
So there's nothing matrix-auth can do about this — job-dsl works directly on serialized configuration XML.
| Component/s | Original: matrix-auth-plugin [ 18131 ] |
Is there a solution to this yet ? I am facing same issue with matrix auth 3.0.
Following works fine, but results in a warning on UI:
_authorization
{ permissions(this.myADGroup, ['hudson.model.Item.Read','hudson.model.Item.Configure'])}_
When I try changing it to:
_authorization
{ permissions(this.myADGroup, ['GROUP:hudson.model.Item.Read','GROUP:hudson.model.Item.Configure'])}_
I get error:
ERROR: (unknown source) permission must be one of com.cloudbees.plugins.credentials.CredentialsProvider.Create,com.cloudbees.plugins.credentials.CredentialsProvider.Delete,com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains,com.cloudbees.plugins.credentials.CredentialsProvider.Update,com.cloudbees.plugins.credentials.CredentialsProvider.View,hudson.model.Item.Build,hudson.model.Item.Cancel,hudson.model.Item.Configure,hudson.model.Item.Delete,hudson.model.Item.Discover,hudson.model.Item.Move,hudson.model.Item.Read,hudson.model.Item.Workspace,hudson.model.Run.Delete,hudson.model.Run.Replay,hudson.model.Run.Update,hudson.scm.SCM.Tag
richmond I struggled with this workaround too and got the same error as you. The key is to not use the permissions() method off of authorization, because that's a method defined by the DSL which is not updated to support the new syntax. You have to start at the job level and get all the way to the the authorizationMatrix. The other problem might be the way you specify the permission because this is technically a different permissions() method.
You want to try something more like this but you'll have to replace jobvar with whatever your variable that represents the job is:
jobvar.properties {
authorizationMatrix {
permissions([ "GROUP:Job/Read:${this.myADGroup}", "GROUP:Job/Configure:${this.myADGroup}" ])
}
}
Precision Support
added a comment - - edited richmond I struggled with this workaround too and got the same error as you. The key is to not use the permissions() method off of authorization, because that's a method defined by the DSL which is not updated to support the new syntax. You have to start at the job level and get all the way to the the authorizationMatrix. The other problem might be the way you specify the permission because this is technically a different permissions() method.
You want to try something more like this but you'll have to replace jobvar with whatever your variable that represents the job is:
jobvar.properties {
authorizationMatrix {
permissions([ "GROUP:Job/Read:${ this .myADGroup}" , "GROUP:Job/Configure:${ this .myADGroup}" ])
}
}
Hit this a month ago (linux container host version 2.332.3 with job dsl plugin 1.79) and just got around to hacking together a fix for my pipelines. I wasn't able to get the simple permissions( ) list to work with the versions of plugins I have, and ended up writing configure blocks to manipulate the auth xml blocks.
def matrix = it / 'properties' /'hudson.security.AuthorizationMatrixProperty'
matrix / inheritanceStrategy(class: "org.jenkinsci.plugins.matrixauth.inheritance.InheritParentStrategy")
matrix.appendNode('permission', "GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:${myADGroup}".toString())
It's gross but worked.
| Priority | Original: Minor [ 4 ] | New: Major [ 3 ] |
Hm, I may miss your point, but adding the new type prefix works for us in Job DSL scripts – note however, that this only worked when I added the non-default group search filter for LDAP configuration, cf.
JENKINS-67410; maybe try to test LDAP server settings if group retrieval/search works: