-
Bug
-
Resolution: Fixed
-
Critical
-
None
-
Jenkins 2.319.1
Role-based Authorization Strategy plugin 3.2.0
Azure AD plugin upgraded from 185.v3b416408dcb1 to 188.v2369adb95a31
Matrix Authorization Strategy plugin upgraded from 2.6.11 to 3.0
-
-
484.v8a_a_e4b_d785fd
Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.
Reproduction steps
The Configuration as Code jenkins.yaml file included:
jenkins: authorizationStrategy: roleBased: roles: global: - assignments: - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix name: "admin" pattern: ".*" permissions: - "Job/Create" - "Overall/Administer"
jenkins.yaml also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.
Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.
I then upgraded Jenkins plugins:
- matrix-auth from 2.6.11 to 3.0
- azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31
restarted Jenkins, and logged in.
Expected result
Should still have been able to log in and have administrator access to Jenkins.
Actual result
I was able to log in again but no longer had administrator access.
I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.
I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from https://plugins.jenkins.io/, copied them to JENKINS_HOME/plugins as described in https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller, restored jenkins.yaml, and restarted Jenkins. I was able to log in and got administrator access again.
Notes
According to JENKINS-67387 and https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161, role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.
- duplicates
-
JENKINS-67760 No Type prefix in Assign Role for Role based strategy
- Closed
-
JENKINS-68241 After upgrading to the latest version of jenkins, the prompt "No type prefix: XXX" appears.
- Closed
- is duplicated by
-
JENKINS-67760 No Type prefix in Assign Role for Role based strategy
- Closed
- is related to
-
JENKINS-67760 No Type prefix in Assign Role for Role based strategy
- Closed
-
JENKINS-67387 "No type prefix: " in "Assign roles:" after updating "Matrix Authorization Strategy" to 3.0
- Closed
-
JENKINS-68241 After upgrading to the latest version of jenkins, the prompt "No type prefix: XXX" appears.
- Closed
- links to