Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-67422

Role-strategy compatibility with matrix-auth 3.0

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • role-strategy-plugin
    • None
    • Jenkins 2.319.1
      Role-based Authorization Strategy plugin 3.2.0
      Azure AD plugin upgraded from 185.v3b416408dcb1 to 188.v2369adb95a31
      Matrix Authorization Strategy plugin upgraded from 2.6.11 to 3.0

    • 484.v8a_a_e4b_d785fd

    Description

      Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

      Reproduction steps

      The Configuration as Code jenkins.yaml file included:

      jenkins:
        authorizationStrategy:
          roleBased:
            roles:
              global:
              - assignments:
                - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                name: "admin"
                pattern: ".*"
                permissions:
                - "Job/Create"
                - "Overall/Administer"
      

      jenkins.yaml also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

      Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

      I then upgraded Jenkins plugins:

      • matrix-auth from 2.6.11 to 3.0
      • azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

      restarted Jenkins, and logged in.

      Expected result

      Should still have been able to log in and have administrator access to Jenkins.

      Actual result

      I was able to log in again but no longer had administrator access.

      I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

      I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from https://plugins.jenkins.io/, copied them to JENKINS_HOME/plugins as described in https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller, restored jenkins.yaml, and restarted Jenkins. I was able to log in and got administrator access again.

      Notes

      According to JENKINS-67387 and https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161, role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

      Attachments

        Issue Links

          Activity

            kon Kalle Niemitalo created issue -
            kon Kalle Niemitalo made changes -
            Field Original Value New Value
            Description Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Matrix Authorization Strategy from recognizing me as a Jenkins administrator.

            h2. Reproduction steps

            The _Configuration as Code_ {{jenkins.yaml}} file included:

            {code:none}
            jenkins:
              authorizationStrategy:
                roleBased:
                  roles:
                    global:
                    - assignments:
                      - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                      name: "admin"
                      pattern: ".*"
                      permissions:
                      - "Job/Create"
                      - "Overall/Administer"
            {code}

            {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

            Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

            I then upgraded Jenkins plugins:

             - matrix-auth from 2.6.11 to 3.0
             - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

            restarted Jenkins, and logged in.

            h2. Expected result

            Should still have been able to log in and have administrator access to Jenkins.

            h2. Actual result

            I was able to log in again but no longer had administrator access.

            I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

            I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

            h2. Notes

            According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

            Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

            h2. Reproduction steps

            The _Configuration as Code_ {{jenkins.yaml}} file included:

            {code:none}
            jenkins:
              authorizationStrategy:
                roleBased:
                  roles:
                    global:
                    - assignments:
                      - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                      name: "admin"
                      pattern: ".*"
                      permissions:
                      - "Job/Create"
                      - "Overall/Administer"
            {code}

            {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

            Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

            I then upgraded Jenkins plugins:

             - matrix-auth from 2.6.11 to 3.0
             - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

            restarted Jenkins, and logged in.

            h2. Expected result

            Should still have been able to log in and have administrator access to Jenkins.

            h2. Actual result

            I was able to log in again but no longer had administrator access.

            I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

            I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

            h2. Notes

            According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

            kon Kalle Niemitalo made changes -
            Link This issue is related to JENKINS-67387 [ JENKINS-67387 ]
            timja Tim Jacomb added a comment - - edited See also: https://community.jenkins.io/t/matrix-authorization-strategy-3-0-no-type-prefix/1043/4 https://issues.jenkins.io/browse/JENKINS-67387 https://github.com/jenkinsci/matrix-auth-plugin/pull/110#issuecomment-995192829 Lots of clicks from community.jenkins.io fyi runzexia
            timja Tim Jacomb made changes -
            Summary Lost administrator role in azure-ad 3.0 upgrade with role-strategy 3.2.0 Role-strategy compatibility with matrix-auth 3.0
            timja Tim Jacomb made changes -
            Priority Minor [ 4 ] Critical [ 2 ]
            kon Kalle Niemitalo made changes -
            Description Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

            h2. Reproduction steps

            The _Configuration as Code_ {{jenkins.yaml}} file included:

            {code:none}
            jenkins:
              authorizationStrategy:
                roleBased:
                  roles:
                    global:
                    - assignments:
                      - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                      name: "admin"
                      pattern: ".*"
                      permissions:
                      - "Job/Create"
                      - "Overall/Administer"
            {code}

            {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

            Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

            I then upgraded Jenkins plugins:

             - matrix-auth from 2.6.11 to 3.0
             - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

            restarted Jenkins, and logged in.

            h2. Expected result

            Should still have been able to log in and have administrator access to Jenkins.

            h2. Actual result

            I was able to log in again but no longer had administrator access.

            I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

            I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller] and restarted Jenkins. I was able to log in and got administrator access again.

            h2. Notes

            According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

            Upgrading the Azure AD plugin to 188.v2369adb95a31 and the Matrix Authorization Strategy plugin to 3.0 stopped Role-based Authorization Strategy from recognizing me as a Jenkins administrator.

            h2. Reproduction steps

            The _Configuration as Code_ {{jenkins.yaml}} file included:

            {code:none}
            jenkins:
              authorizationStrategy:
                roleBased:
                  roles:
                    global:
                    - assignments:
                      - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
                      name: "admin"
                      pattern: ".*"
                      permissions:
                      - "Job/Create"
                      - "Overall/Administer"
            {code}

            {{jenkins.yaml}} also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

            Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

            I then upgraded Jenkins plugins:

             - matrix-auth from 2.6.11 to 3.0
             - azure-ad from 185.v3b416408dcb1 to 188.v2369adb95a31

            restarted Jenkins, and logged in.

            h2. Expected result

            Should still have been able to log in and have administrator access to Jenkins.

            h2. Actual result

            I was able to log in again but no longer had administrator access.

            I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

            I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from [https://plugins.jenkins.io/], copied them to JENKINS_HOME/plugins as described in [https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller], restored {{jenkins.yaml}}, and restarted Jenkins. I was able to log in and got administrator access again.

            h2. Notes

            According to JENKINS-67387 and [https://github.com/jenkinsci/azure-ad-plugin/issues/179#issuecomment-999004161], role-strategy is not yet compatible with matrix-auth 3.0. I didn't find any other role-strategy-plugin issue about this incompatibility (JENKINS-67413, JENKINS-67393, and JENKINS-67406 describe less serious problems), so I'm filing this one.

            webminster Alan Sparks added a comment -

            I experienced this issue as well with Jenkins 2.319.2 and the 3.0 matrix plugin and current (3.2.0) version of RBAS plugin. Had to regress Matrix plugin to pre-3.0 to fix.

            webminster Alan Sparks added a comment - I experienced this issue as well with Jenkins 2.319.2 and the 3.0 matrix plugin and current (3.2.0) version of RBAS plugin. Had to regress Matrix plugin to pre-3.0 to fix.

            I won't be easily able to test fixes for this issue, because I already switched the Jenkins instance to a different authorization strategy.

            kon Kalle Niemitalo added a comment - I won't be easily able to test fixes for this issue, because I already switched the Jenkins instance to a different authorization strategy.
            kon Kalle Niemitalo made changes -
            Link This issue is duplicated by JENKINS-67760 [ JENKINS-67760 ]
            webminster Alan Sparks added a comment -

            This is open now 4 months and we can't update the plugin. How do we get attention?

            webminster Alan Sparks added a comment - This is open now 4 months and we can't update the plugin. How do we get attention?
            maxdegraaf Max de Graaf added a comment -

            Same concerns here Alan. Still running Jenkins 2.331 over here. Not even sure if i can update to the most recent version 2.343 with a fix on this.

            maxdegraaf Max de Graaf added a comment - Same concerns here Alan. Still running Jenkins 2.331 over here. Not even sure if i can update to the most recent version 2.343 with a fix on this.
            alexanderstohr Alexander Stohr made changes -
            Link This issue is related to JENKINS-68241 [ JENKINS-68241 ]
            alexanderstohr Alexander Stohr made changes -
            Link This issue is related to JENKINS-67760 [ JENKINS-67760 ]

            We are on Jenkins 2.332.3 and unfortunately have the updated Matrix Authorization Strategy Plugin Version 3.1.2 too.
            Usually you guys make sure that plugins are either in line or aren't installable anyways (e.g. when the Jenkins version does not match).

            While it still works as of now - I won't make any configuration changes yet, not sure if that breaks anything.
            But seeing that the topic is open for nearly 5 months is a let-down.

            dageissl Daniel Geißler added a comment - We are on Jenkins 2.332.3 and unfortunately have the updated Matrix Authorization Strategy Plugin Version 3.1.2 too. Usually you guys make sure that plugins are either in line or aren't installable anyways (e.g. when the Jenkins version does not match). While it still works as of now - I won't make any configuration changes yet, not sure if that breaks anything. But seeing that the topic is open for nearly 5 months is a let-down.
            kon Kalle Niemitalo made changes -
            Remote Link This issue links to "remove dependency to matrix-auth plugin by mawinter69 · Pull Request #172 · jenkinsci/role-strategy-plugin (Web Link)" [ 27780 ]
            ngg1 NGG added a comment -

            Work has already been started to resolve this in https://github.com/jenkinsci/role-strategy-plugin/pull/172

            ngg1 NGG added a comment - Work has already been started to resolve this in https://github.com/jenkinsci/role-strategy-plugin/pull/172
            notmyfault Alexander Brandes made changes -
            Link This issue duplicates JENKINS-68241 [ JENKINS-68241 ]
            notmyfault Alexander Brandes made changes -
            Link This issue duplicates JENKINS-67760 [ JENKINS-67760 ]
            notmyfault Alexander Brandes made changes -
            Released As 484.v8a_a_e4b_d785fd
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Closed [ 6 ]
            luka5 Lukas Hauser added a comment -

            I've tried it today with azure-ad:218.v90f6a_980b_a_61role-strategy:488.v0634ce149b_8c and matrix-auth:3.1.2 on a Jenkins 2.332.3 but still no success. Can someone confirm that this bug is fixed and tell how to make use of it? Thanks!

            luka5 Lukas Hauser added a comment - I've tried it today with azure-ad:218.v90f6a_980b_a_61 ,  role-strategy:488.v0634ce149b_8c and matrix-auth:3.1.2 on a Jenkins 2.332.3 but still no success. Can someone confirm that this bug is fixed and tell how to make use of it? Thanks!
            maxdegraaf Max de Graaf added a comment -

            Running Jenkins 2.345 with LDAP 2.10, Role-based Authorization Strategy 3.2.0 and Matrix Authorization Strategy 3.1.2 and do have this problem. Still considering if i should update or not. Read stories about guys who were not able to logon anymore at all with and LDAP/AD account. That would basically lock us out of Jenkins entirely.

            maxdegraaf Max de Graaf added a comment - Running Jenkins 2.345 with LDAP 2.10, Role-based Authorization Strategy 3.2.0 and Matrix Authorization Strategy 3.1.2 and do have this problem. Still considering if i should update or not. Read stories about guys who were not able to logon anymore at all with and LDAP/AD account. That would basically lock us out of Jenkins entirely.

            People

              oleg_nenashev Oleg Nenashev
              kon Kalle Niemitalo
              Votes:
              36 Vote for this issue
              Watchers:
              48 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: