Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-67422

Role-strategy compatibility with matrix-auth 3.0

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • role-strategy-plugin
    • None
    • Jenkins 2.319.1
      Role-based Authorization Strategy plugin 3.2.0
      Azure AD plugin upgraded from 185.v3b416408dcb1 to 188.v2369adb95a31
      Matrix Authorization Strategy plugin upgraded from 2.6.11 to 3.0

    • 484.v8a_a_e4b_d785fd

      Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

      Reproduction steps

      The Configuration as Code jenkins.yaml file included:

      jenkins:
        authorizationStrategy:
          roleBased:
            roles:
              global:
              - assignments:
                - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                name: "admin"
                pattern: ".*"
                permissions:
                - "Job/Create"
                - "Overall/Administer"
      

      jenkins.yaml also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

      Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

      I then upgraded Jenkins plugins:

      • matrix-auth from 2.6.11 to 3.0
      • azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

      restarted Jenkins, and logged in.

      Expected result

      Should still have been able to log in and have administrator access to Jenkins.

      Actual result

      I was able to log in again but no longer had administrator access.

      I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

      I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from https://plugins.jenkins.io/, copied them to JENKINS_HOME/plugins as described in https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller, restored jenkins.yaml, and restarted Jenkins. I was able to log in and got administrator access again.

      Notes

      According to JENKINS-67387 and https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161, role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

          [JENKINS-67422] Role-strategy compatibility with matrix-auth 3.0

          Kalle Niemitalo created issue -
          Kalle Niemitalo made changes -
          Description Original: Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Matrix Authorization Strategy from recognizing me as a Jenkins administrator.

          h2. Reproduction steps

          The _Configuration as Code_ {{jenkins.yaml}} file included:

          {code:none}
          jenkins:
            authorizationStrategy:
              roleBased:
                roles:
                  global:
                  - assignments:
                    - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                    name: "admin"
                    pattern: ".*"
                    permissions:
                    - "Job/Create"
                    - "Overall/Administer"
          {code}

          {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

          Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

          I then upgraded Jenkins plugins:

           - matrix-auth from 2.6.11 to 3.0
           - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

          restarted Jenkins, and logged in.

          h2. Expected result

          Should still have been able to log in and have administrator access to Jenkins.

          h2. Actual result

          I was able to log in again but no longer had administrator access.

          I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

          I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

          h2. Notes

          According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

          New: Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

          h2. Reproduction steps

          The _Configuration as Code_ {{jenkins.yaml}} file included:

          {code:none}
          jenkins:
            authorizationStrategy:
              roleBased:
                roles:
                  global:
                  - assignments:
                    - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                    name: "admin"
                    pattern: ".*"
                    permissions:
                    - "Job/Create"
                    - "Overall/Administer"
          {code}

          {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

          Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

          I then upgraded Jenkins plugins:

           - matrix-auth from 2.6.11 to 3.0
           - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

          restarted Jenkins, and logged in.

          h2. Expected result

          Should still have been able to log in and have administrator access to Jenkins.

          h2. Actual result

          I was able to log in again but no longer had administrator access.

          I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

          I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

          h2. Notes

          According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

          Kalle Niemitalo made changes -
          Link New: This issue is related to JENKINS-67387 [ JENKINS-67387 ]
          Tim Jacomb made changes -
          Summary Original: Lost administrator role in azure-ad 3.0 upgrade with role-strategy 3.2.0 New: Role-strategy compatibility with matrix-auth 3.0
          Tim Jacomb made changes -
          Priority Original: Minor [ 4 ] New: Critical [ 2 ]
          Kalle Niemitalo made changes -
          Description Original: Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

          h2. Reproduction steps

          The _Configuration as Code_ {{jenkins.yaml}} file included:

          {code:none}
          jenkins:
            authorizationStrategy:
              roleBased:
                roles:
                  global:
                  - assignments:
                    - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                    name: "admin"
                    pattern: ".*"
                    permissions:
                    - "Job/Create"
                    - "Overall/Administer"
          {code}

          {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

          Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

          I then upgraded Jenkins plugins:

           - matrix-auth from 2.6.11 to 3.0
           - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

          restarted Jenkins, and logged in.

          h2. Expected result

          Should still have been able to log in and have administrator access to Jenkins.

          h2. Actual result

          I was able to log in again but no longer had administrator access.

          I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

          I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

          h2. Notes

          According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

          New: Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

          h2. Reproduction steps

          The _Configuration as Code_ {{jenkins.yaml}} file included:

          {code:none}
          jenkins:
            authorizationStrategy:
              roleBased:
                roles:
                  global:
                  - assignments:
                    - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                    name: "admin"
                    pattern: ".*"
                    permissions:
                    - "Job/Create"
                    - "Overall/Administer"
          {code}

          {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

          Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

          I then upgraded Jenkins plugins:

           - matrix-auth from 2.6.11 to 3.0
           - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

          restarted Jenkins, and logged in.

          h2. Expected result

          Should still have been able to log in and have administrator access to Jenkins.

          h2. Actual result

          I was able to log in again but no longer had administrator access.

          I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

          I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller], restored {{jenkins.yaml}}, and restarted Jenkins. I was able to log in and got administrator access again.

          h2. Notes

          According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

          Kalle Niemitalo made changes -
          Link New: This issue is duplicated by JENKINS-67760 [ JENKINS-67760 ]
          Alexander Stohr made changes -
          Link New: This issue is related to JENKINS-68241 [ JENKINS-68241 ]
          Alexander Stohr made changes -
          Link New: This issue is related to JENKINS-67760 [ JENKINS-67760 ]
          Kalle Niemitalo made changes -
          Remote Link New: This issue links to "remove dependency to matrix-auth plugin by mawinter69 · Pull Request #172 · jenkinsci/role-strategy-plugin (Web Link)" [ 27780 ]
          Alexander Brandes made changes -
          Link New: This issue duplicates JENKINS-68241 [ JENKINS-68241 ]

            oleg_nenashev Oleg Nenashev
            kon Kalle Niemitalo
            Votes:
            36 Vote for this issue
            Watchers:
            48 Start watching this issue

              Created:
              Updated:
              Resolved: