
Update 194.v70a6d5203ce4 breaks my jenkins azurea d #198

Closed
monwolf opened this issue Apr 21, 2022 · 17 comments

@monwolf

monwolf commented Apr 21, 2022

Jenkins and plugins versions report

Jenkins: 2.332.2
OS: Linux - 3.10.0-1160.25.1.el7.x86_64
---
Office-365-Connector:4.16.1
ace-editor:1.1
ant:1.13
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:191.vfc8019068670
azure-sdk:106.v552de1e64d56
bitbucket:223.vd12f2bca5430
blueocean:1.25.3
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.3
blueocean-commons:1.25.3
blueocean-config:1.25.3
blueocean-core-js:1.25.3
blueocean-dashboard:1.25.3
blueocean-display-url:2.4.1
blueocean-events:1.25.3
blueocean-git-pipeline:1.25.3
blueocean-github-pipeline:1.25.3
blueocean-i18n:1.25.3
blueocean-jira:1.25.3
blueocean-jwt:1.25.3
blueocean-personalization:1.25.3
blueocean-pipeline-api-impl:1.25.3
blueocean-pipeline-editor:1.25.3
blueocean-pipeline-scm-api:1.25.3
blueocean-rest:1.25.3
blueocean-rest-impl:1.25.3
blueocean-web:1.25.3
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-6
bouncycastle-api:2.25
branch-api:2.1044.v2c007e51b_87f
build-token-root:1.9
build-token-trigger:1.0.0
build-with-parameters:1.6
built-on-column:1.1
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:765.v5a_2d6a_23c01d
cloudbees-folder:6.714.v79e858ef76a_2
command-launcher:1.6
conditional-buildstep:1.4.2
config-file-provider:3.9.0
credentials:1087.1089.v2f1b_9a_b_040e4
credentials-binding:1.27.1
custom-view-tabs:1.3
dashboard-view:2.432.va_712ce35862d
display-url-api:2.3.6
docker-commons:1.19
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.6
docker-workflow:1.28
downstream-buildview:1.9
durable-task:495.v29cd95ec10f2
echarts-api:5.3.2-1
email-ext:2.87
envinject:2.854.vfa_1657078c97
envinject-api:1.199.v3ce31253ed13
extended-read-permission:3.2
external-monitor-job:191.v363d0d1efdf8
ez-templates:1.3.4
favorite:2.4.1
font-awesome-api:6.0.0-1
generic-webhook-trigger:1.84
git:4.11.0
git-client:3.11.0
git-parameter:0.9.16
git-server:1.10
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1598.v91207e9f9b_4a_
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.29
jackson2-api:2.13.2.20220328-273.v11d70a_b_a_1a_52
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.3
jenkins-integration:19.7.2
jenkins-multijob-plugin:1.36
jira:3.7.1
jjwt-api:0.11.2-9.c8b45b8bb173
jnr-posix-api:3.1.7-3
job-dsl:1.79
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.59
kubernetes:3580.v78271e5631dc
kubernetes-client-api:5.12.1-187.v577c3e368fb_6
kubernetes-credentials:0.9.0
ldap:2.8
lockable-resources:2.14
m2release:0.16.3
mailer:408.vd726a_1130320
mapdb-api:1.0.9.0
matrix-auth:3.1
matrix-project:758.v7a_ea_491852f3
maven-plugin:3.18
mercurial:2.16
metrics:4.1.6.2
momentjs:1.1.1
nested-view:1.24
nodejs:1.5.1
okhttp-api:4.9.3-105.vb96869f8ac3a
openJDK-native-plugin:1.5
pam-auth:1.7
parameterized-trigger:2.44
pipeline-build-step:2.17
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:447.v95e5a_6e3502a_
pipeline-maven:3.10.0
pipeline-milestone-step:100.v60a_03cd446e1
pipeline-model-api:2.2075.vce74e77b_ce40
pipeline-model-definition:2.2075.vce74e77b_ce40
pipeline-model-extensions:2.2075.vce74e77b_ce40
pipeline-rest-api:2.23
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:2.2075.vce74e77b_ce40
pipeline-stage-view:2.23
pipeline-utility-steps:2.12.0
plain-credentials:1.8
plugin-usage-plugin:2.2
plugin-util-api:2.16.0
popper-api:1.16.1-2
popper2-api:2.11.5-1
postgresql-api:42.3.3
publish-over:0.22
publish-over-cifs:0.16
pubsub-light:1.16
resource-disposer:0.18
role-strategy:3.2.0
run-condition:1.5
scm-api:602.v6a_81757a_31d2
script-security:1145.vb_cf6cf6ed960
slack:608.v19e3b_44b_b_9ff
snakeyaml-api:1.30.1
sonar:2.14
sse-gateway:1.25
ssh:2.6.1
ssh-agent:1.24.1
ssh-credentials:1.19
ssh-slaves:1.806.v2253cedd3295
sshd:3.228.v4c9f9e652c86
stashNotifier:1.27
structs:308.v852b473a2b8c
timestamper:1.17
token-macro:285.vff7645a_56ff0
trilead-api:1.57.v6e90e07157e1
uno-choice:2.6.1
variant:1.4
veracode-jenkins-plugin:18.5.5.7
windows-slaves:1.8
workflow-aggregator:2.7
workflow-api:1143.v2d42f1e9dea_5
workflow-basic-steps:941.vdfe1b_a_132c64
workflow-cps:2686.v7c37e0578401
workflow-cps-global-lib:570.v21311f4951f8
workflow-durable-task-step:1128.v8c259d125340
workflow-job:1174.vdcb_d054cf74a_
workflow-multibranch:711.vdfef37cda_816
workflow-scm-step:2.13
workflow-step-api:622.vb_8e7c15b_c95a_
workflow-support:818.v4eb_969241b_c7
ws-cleanup:0.41

What Operating System are you using (both controller, and any agents involved in the problem)?

Centos 7.6

Reproduction steps

After updating from 191.vfc8019068670 to 194.v70a6d5203ce4, Jenkins stopped authenticating, saying the Global/Read permission was missing. I had to roll back to the previous version.

Expected Results

Users can log in as done before the update

Actual Results

Global/Read permissions missing for all users.

Anything else?

No response

@monwolf monwolf added the bug label Apr 21, 2022
@timja
Member

timja commented Apr 21, 2022

Can you provide a bit more detail?

What does your authentication config look like?

Are you using users individually or groups?

cc @AdrianFarmadin

@monwolf
Author

monwolf commented Apr 21, 2022

Hey,
Sorry for the lack of information, of course let me try to answer your questions.

My config looks like:

  <authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
    <roleMap type="projectRoles">
      <role name="ARM" pattern="ARM.*">
        <permissions>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
          <permission>hudson.model.Item.Release</permission>
          <permission>hudson.model.Item.Create</permission>
          <permission>hudson.model.Run.Delete</permission>
          <permission>hudson.model.Item.Workspace</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
          <permission>hudson.model.Run.Replay</permission>
          <permission>hudson.model.Item.Configure</permission>
          <permission>hudson.model.Item.Cancel</permission>
          <permission>hudson.model.Item.Delete</permission>
          <permission>hudson.model.Item.Read</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
          <permission>hudson.model.Item.Build</permission>
          <permission>hudson.scm.SCM.Tag</permission>
          <permission>hudson.model.Item.Discover</permission>
          <permission>hudson.model.Run.Update</permission>
        </permissions>
        <assignedSIDs>
          <sid>jenkins-aeaarm</sid>
        </assignedSIDs>
      </role>
    </roleMap>
    <roleMap type="globalRoles">
      <role name="admin" pattern=".*">
        <permissions>
          <permission>hudson.model.View.Delete</permission>
          <permission>hudson.model.Computer.Connect</permission>
          <permission>hudson.model.Run.Delete</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains</permission>
          <permission>hudson.model.Computer.Create</permission>
          <permission>hudson.model.View.Configure</permission>
          <permission>hudson.model.Computer.Build</permission>
          <permission>hudson.model.Item.Configure</permission>
          <permission>hudson.model.Hudson.Administer</permission>
          <permission>hudson.model.Item.Cancel</permission>
          <permission>hudson.model.Item.Read</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.View</permission>
          <permission>hudson.model.Computer.Delete</permission>
          <permission>hudson.model.Item.Build</permission>
          <permission>hudson.scm.SCM.Tag</permission>
          <permission>hudson.model.Item.Move</permission>
          <permission>hudson.model.Item.Discover</permission>
          <permission>hudson.model.Hudson.Read</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Update</permission>
          <permission>hudson.model.Item.Release</permission>
          <permission>hudson.model.Item.Create</permission>
          <permission>hudson.model.Item.Workspace</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Delete</permission>
          <permission>hudson.model.Computer.Provision</permission>
          <permission>hudson.model.Run.Replay</permission>
          <permission>hudson.model.View.Read</permission>
          <permission>hudson.model.View.Create</permission>
          <permission>hudson.model.Item.Delete</permission>
          <permission>hudson.model.Computer.Configure</permission>
          <permission>com.cloudbees.plugins.credentials.CredentialsProvider.Create</permission>
          <permission>hudson.model.Computer.Disconnect</permission>
          <permission>hudson.model.Run.Update</permission>
        </permissions>
        <assignedSIDs>
          <sid>78680@xxxxx.com</sid>
          <sid>jenkins-aeaadmin</sid>
        </assignedSIDs>
      </role>
      <role name="developers" pattern=".*">
        <permissions>
          <permission>hudson.model.Hudson.Read</permission>
          <permission>hudson.model.View.Create</permission>
          <permission>hudson.model.View.Delete</permission>
          <permission>hudson.model.View.Configure</permission>
          <permission>hudson.model.View.Read</permission>
        </permissions>
        <assignedSIDs>
          <sid>jenkins-aeaarm</sid>
        </assignedSIDs>
      </role>

    </roleMap>
    <roleMap type="slaveRoles"/>
  </authorizationStrategy>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <clientid>XXXX</clientid>
    <clientsecret>XXXX</clientsecret>
    <tenant>XXXXXXXX</tenant>
    <cacheduration>0</cacheduration>
    <fromrequest>false</fromrequest>
    <environmentName>Azure</environmentName>
    <disableGraphIntegration>false</disableGraphIntegration>
  </securityRealm>

Most users are in groups, but my user is assigned to a role directly too; it's happening for both kinds of users.

@KalleOlaviNiemitalo

RoleBasedAuthorizationStrategy is not compatible yet… see https://issues.jenkins.io/browse/JENKINS-67422

@monwolf
Author

monwolf commented Apr 21, 2022

I've been using newer versions of these plugins since today:

  • Matrix Authorization Strategy Plugin: 3.1
  • Azure AD: 191.vfc8019068670
  • role-strategy: 3.2.0

Once I restored the azure-ad plugin, Jenkins started working again.

@AdrianFarmadin
Contributor

AdrianFarmadin commented Apr 21, 2022

This should be fixed in commit 8555a0b

No release containing this commit yet.

@monwolf
Author

monwolf commented Apr 21, 2022

Thanks! I'll be waiting for the release to test it.

@timja
Member

timja commented Apr 21, 2022

@timja
Member

timja commented Apr 21, 2022

@monwolf
Author

monwolf commented Apr 22, 2022

Still not working, the same message

78680@xxxxxx.com no tiene el permiso Global/Read

I rolled back again

@gtbuchanan

I just ran into the same issue. We use Project-based Matrix Authentication Strategy. I can confirm rolling back to 191.vfc8019068670 resolves the issue.

@AdrianFarmadin
Contributor

The role-strategy plugin checks permissions based on the SID. It works if the user is assigned to the role as the Azure Object ID or in the <Name> (<Object ID>) form.

Groups are not working because of a change on this line: https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/AzureAdGroup.java#L23

The group authority is now the group Object ID. That is better for the azure-ad plugin, because it maps the Object ID to a FullSid in https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/ObjId2FullSidMap.java.

This change means that you have to define the group in the role-strategy plugin as an Object ID.

I will revert the change on https://github.com/jenkinsci/azure-ad-plugin/blob/master/src/main/java/com/microsoft/jenkins/azuread/AzureAdGroup.java#L23, and then groups may be defined by name or Object ID in the role-strategy plugin.

In the azure-ad plugin the behavior will remain the same, as the group authorities are listed as a string Object ID and as an AzureAdGroup object.

@monwolf Would you check if the 78680@xxxxxx.com user is in the jenkins-aeaadmin group, please?

@gtbuchanan Would you post your authorization configuration, please?

@monwolf
Author

monwolf commented Apr 24, 2022

The user is in the group.

@gtbuchanan

@AdrianFarmadin Based on your response it sounds like the issue is we are using the group name rather than Object ID. Here is our config:

  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Create:JenkinsAdmin</permission>
    <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Delete:JenkinsAdmin</permission>
    <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains:JenkinsAdmin</permission>
    <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.Update:JenkinsAdmin</permission>
    <permission>GROUP:com.cloudbees.plugins.credentials.CredentialsProvider.View:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Build:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Configure:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Connect:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Create:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Delete:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Computer.Disconnect:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Hudson.Administer:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Hudson.Read:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Hudson.Read:JenkinsUsers</permission>
    <permission>GROUP:hudson.model.Item.Build:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Build:JenkinsUsers</permission>
    <permission>GROUP:hudson.model.Item.Cancel:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Configure:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Create:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Delete:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Discover:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Move:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Read:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Item.Read:JenkinsUsers</permission>
    <permission>GROUP:hudson.model.Item.Workspace:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Run.Delete:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Run.Replay:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.Run.Update:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.View.Configure:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.View.Create:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.View.Delete:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.View.Read:authenticated</permission>
    <permission>GROUP:hudson.model.View.Read:JenkinsAdmin</permission>
    <permission>GROUP:hudson.model.View.Read:JenkinsUsers</permission>
    <permission>GROUP:hudson.scm.SCM.Tag:JenkinsAdmin</permission>
    <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Reserve:JenkinsAdmin</permission>
    <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.Unlock:JenkinsAdmin</permission>
    <permission>GROUP:org.jenkins.plugins.lockableresources.LockableResourcesManager.View:JenkinsAdmin</permission>
  </authorizationStrategy>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <clientid>REDACTED</clientid>
    <clientsecret>REDACTED</clientsecret>
    <tenant>REDACTED</tenant>
    <cacheduration>3600</cacheduration>
    <fromrequest>false</fromrequest>
    <environmentName>Azure</environmentName>
    <disableGraphIntegration>false</disableGraphIntegration>
  </securityRealm>

@timja
Member

timja commented Apr 27, 2022

Right, you shouldn't really do that, because AAD group names are not unique.

Someone else could configure that group name.

There should be two valid options for groups.

  1. Object ID.
  2. Object ID (Display name) <- format may be the other way round, not sure off the top of my head

If you configure the plugin with the Azure AD matrix auth strategy, there's a user / group picker which will populate it appropriately, and you can check the config to get the right values.
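
One way to check a config.xml for the name-based group SIDs this thread is about, and to model the Object-ID-only matching that AdrianFarmadin and timja describe. This is an added example, not code from the azure-ad or role-strategy plugins: it assumes Azure AD Object IDs are GUIDs, accepts the "Name (Object ID)" form and its reverse since the thread is unsure of the order, and uses a hypothetical `AzureAdGroup` stand-in and a hypothetical `sid_matches_group` function for the matching. The sample config is constructed from the entries posted above.

```python
# Added example (not part of the azure-ad-plugin or role-strategy code): audit the
# group SIDs in a Jenkins config.xml for the Azure AD Object ID forms named in the
# thread, and model the SID-vs-group matching that changed in 194.v70a6d5203ce4.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: Azure AD Object IDs are GUIDs.
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
BARE_GUID_RE = re.compile(rf"^{GUID}$")
EMBEDDED_GUID_RE = re.compile(GUID)

# Jenkins built-in pseudo-groups that are not Azure AD objects.
BUILTIN_SIDS = {"authenticated", "anonymous"}


def classify_sid(sid: str) -> str:
    """Classify a configured SID: 'builtin', 'object-id' (bare GUID), 'qualified'
    (name plus Object ID, e.g. 'Name (Object ID)' or the reverse), or 'name-only',
    which is the form that stopped matching after the update."""
    sid = sid.strip()
    if sid in BUILTIN_SIDS:
        return "builtin"
    if BARE_GUID_RE.match(sid):
        return "object-id"
    if EMBEDDED_GUID_RE.search(sid):
        return "qualified"
    return "name-only"


def configured_sids(config_xml: str) -> list[str]:
    """Collect SIDs from both strategies seen in the thread: role-strategy <sid>
    elements and matrix-auth 'GROUP:<permission>:<sid>' entries. The fragment is
    wrapped in a root element because config.xml excerpts have several top-level tags."""
    root = ET.fromstring(f"<hudson>{config_xml}</hudson>")
    sids = [el.text.strip() for el in root.iter("sid") if el.text]
    for el in root.iter("permission"):
        text = (el.text or "").strip()
        if text.startswith("GROUP:"):
            sids.append(text.split(":", 2)[2])
    return sids


def name_only_sids(config_xml: str) -> list[str]:
    """Distinct SIDs (first-seen order) that cannot match a group identified by Object ID."""
    seen: list[str] = []
    for sid in configured_sids(config_xml):
        if classify_sid(sid) == "name-only" and sid not in seen:
            seen.append(sid)
    return seen


@dataclass(frozen=True)
class AzureAdGroup:
    """Hypothetical stand-in for the plugin's AzureAdGroup: Object ID plus display name."""
    object_id: str
    display_name: str


def sid_matches_group(sid: str, group: AzureAdGroup) -> bool:
    """Model of the post-update matching: a SID matches a group only through its
    Object ID, bare or embedded in the qualified form. A display name on its own
    never matches, which is the safe behaviour because display names are not unique."""
    kind = classify_sid(sid)
    if kind == "object-id":
        return sid.strip().lower() == group.object_id.lower()
    if kind == "qualified":
        return EMBEDDED_GUID_RE.search(sid).group(0).lower() == group.object_id.lower()
    return False


# Constructed sample: name-based entries taken from the thread, plus one
# Object-ID-qualified entry (made-up GUID) showing the form that keeps working.
SAMPLE_CONFIG = """
<authorizationStrategy class="com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy">
  <roleMap type="globalRoles">
    <role name="admin" pattern=".*">
      <permissions><permission>hudson.model.Hudson.Administer</permission></permissions>
      <assignedSIDs>
        <sid>jenkins-aeaadmin</sid>
        <sid>Jenkins Admins (11111111-2222-3333-4444-555555555555)</sid>
      </assignedSIDs>
    </role>
  </roleMap>
</authorizationStrategy>
<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
  <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
  <permission>GROUP:hudson.model.Hudson.Administer:JenkinsAdmin</permission>
  <permission>GROUP:hudson.model.Item.Build:JenkinsUsers</permission>
</authorizationStrategy>
"""

if __name__ == "__main__":
    for sid in name_only_sids(SAMPLE_CONFIG):
        print(f"name-only SID, will not match an Azure AD group after the update: {sid!r}")
```

Run it against a real config.xml by passing the file contents to `name_only_sids`; every SID it reports needs to be replaced with the Object ID (or the qualified form) that the matrix-auth group picker would have written. The matching model also shows why the Object ID is the right key: two groups that share the display name "JenkinsAdmin" are still told apart by the GUID in the qualified SID.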

@gtbuchanan

I was able to get upgraded but I had to make manual changes to config.xml due to #182 (comment).

@timja
Member

timja commented May 12, 2022

@monwolf is this resolved for you?

@timja
Member

timja commented Jun 16, 2022

Duplicate of #190

@timja timja marked this as a duplicate of #190 Jun 16, 2022
@timja timja closed this as completed Jun 16, 2022