
Unable to add groups based on display name when using role-based strategy #536

Open
bsloan-icl opened this issue Jan 31, 2024 · 3 comments
bsloan-icl commented Jan 31, 2024

Jenkins and plugins versions report

Environment
Jenkins: 2.426.3
OS: Linux - 5.15.0-1052-azure
Java: 11.0.21 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
ansicolor:1.0.4
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
atlassian-jira-software-cloud:2.0.12
audit-trail:361.v82cde86c784e
authentication-tokens:1.53.v1c90fd9191a_b_
authorize-project:1.7.1
azure-ad:449.v92b_39a_d8e523
azure-credentials:312.v0f3973cd1e59
azure-keyvault:237.v301692369180
azure-sdk:157.v855da_0b_eb_dc2
azure-vm-agents:901.ved986df424b_3
bitbucket:241.v6d24a_57f9359
bitbucket-oauth:0.13
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1144.v1425d1c3d5a_7
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloud-stats:336.v788e4055508b_
cloudbees-bitbucket-branch-source:866.vdea_7dcd3008e
cloudbees-folder:6.858.v898218f3609d
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
configuration-as-code:1775.v810dc950b_514
credentials:1311.vcf0a_900b_37c2
credentials-binding:657.v2b_19db_7d6e6d
dark-theme:416.v535839b_c4e88
display-url-api:2.200.vb_9327d658781
durable-task:543.v262f6a_803410
echarts-api:5.4.3-2
email-ext:2.104
extended-read-permission:53.v6499940139e5
favorite:2.208.v91d65b_7792a_c
folder-properties:1.2.1
font-awesome-api:6.5.1-2
git:5.2.1
git-client:4.6.0
github:1.37.3.1
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1772.va_69eda_d018d4
groovy:457.v99900cb_85593
gson-api:2.10.1-15.v0d99f670e0a_7
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.16.1-373.ve709c6871598
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jersey2-api:2.41-133.va_03323b_a_1396
jira:3.12
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.87
jobConfigHistory:1229.v3039470161a_d
joda-time-api:2.12.6-21.vca_fd74418fb_7
jquery3-api:3.7.1-1
jsch:0.2.16-86.v42e010d9484b_
json-api:20231013-17.v1c97069404b_e
json-path-api:2.9.0-33.v2527142f2e1d
junit:1256.v002534a_5f33e
kubernetes:4179.v3b_88431df708
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:0.11
kubernetes-credentials-provider:1.258.v95949f923a_a_e
ldap:711.vb_d1a_491714dc
mailer:463.vedf8358e006b_
matrix-auth:3.2.1
matrix-project:822.824.v14451b_c0fd42
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-449.v6960d7c54c69
mina-sshd-api-common:2.12.0-90.v9f7fb_9fa_3d3b_
mina-sshd-api-core:2.12.0-90.v9f7fb_9fa_3d3b_
naginator:1.436.vb_e769dcb_cdf6
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
parameterized-scheduler:255.v73827fcdf618
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2175.v76a_fff0a_2618
pipeline-model-definition:2.2175.v76a_fff0a_2618
pipeline-model-extensions:2.2175.v76a_fff0a_2618
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2175.v76a_fff0a_2618
pipeline-stage-view:2.34
plain-credentials:143.v1b_df8b_d3b_e48
plugin-usage-plugin:4.2
plugin-util-api:3.8.0
prism-api:1.29.0-10
resource-disposer:0.23
role-strategy:689.v731678c3e0eb_
scm-api:683.vb_16722fb_b_80b_
script-security:1313.v7a_6067dc7087
snakeyaml-api:2.2-111.vc6598e30cc65
splunk-devops:1.10.1
splunk-devops-extend:1.10.1
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:337.v1b_04ea_4df7c8
theme-manager:215.vc1ff18d67920
token-macro:400.v35420b_922dcb_
trilead-api:2.133.vfb_8a_7b_9c5dd1
variant:60.v7290fc0eb_b_cd
versioncolumn:233.v2d198f8212a_2
workflow-aggregator:596.v8c21c963d92d
workflow-api:1289.va_cf779f32df0
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3853.vb_a_490d892963
workflow-durable-task-step:1317.v5337e0c1fe28
workflow-job:1385.vb_58b_86ea_fff1
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:415.v434365564324
workflow-step-api:657.v03b_e8115821b_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller and agents both deployed on AKS via Jenkins helm chart.

Reproduction steps

  1. Follow the documentation to install and configure the plugin, ensuring the Microsoft Entra Graph API permissions have been set and approved
  2. Under Manage Jenkins > Security > Authorization select "Role-Based Strategy" from the list and save
  3. Under Manage Jenkins > Manage and Assign Roles > Assign Roles try to add a group from Microsoft Entra using its display name
  4. Observe the "Group not found" error

Expected Results

The group should be resolved using its display name. When searching for the group based on its object ID, the group is resolved successfully. But not when using other group properties (e.g. email or display name).

Actual Results

When using the display name of the group, the group isn't resolved.

Using the group display name works when the authorization mode is set to "Azure Active Directory Matrix-based Security". This suggests it's not a permissions issue with the Graph API.

The documentation implies it should also work when using other authorization strategies.

Anything else?

No response

Are you interested in contributing a fix?

No response

@bsloan-icl bsloan-icl added the bug label Jan 31, 2024
@bostonaqua

I can add some updates. The latest versions of the role-based strategy plugin rely only on ObjectId for users and groups if you are using the EntraID (azure-ad) security realm (tested plugin version azure-ad:471.vdfa_2441c67a_f). The mention of display name in the documentation is true only for Matrix-based strategies (as far as I understand). There is an inconvenience with the role-based strategy plugin: it is unable to show added groups by display name as it does with users added by object ID (tested plugin version role-strategy:689.v731678c3e0eb_).
Conclusion: if you want to use the Role-based Authorization Strategy, always use ObjectIds of users/groups. Otherwise use the Matrix Authorization Strategy.
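
As an added example (not code from this thread or from the azure-ad or role-strategy plugins), the lookup that bostonaqua's conclusion implies: resolve an Entra group's display name to its object ID before entering it in a role assignment. Entra ID does not require group display names to be unique, so the helper refuses ambiguous names instead of guessing. The Graph response below is constructed sample data with made-up IDs, not captured from a tenant, and the function names are assumptions of mine.

```python
import json
import uuid

# Constructed sample shaped like a Microsoft Graph
# "GET /groups?$select=id,displayName,mail" response. The values are
# made up. Note the duplicated display name "jenkins-developers":
# Entra ID permits this, which is why keying authorization on a display
# name is ambiguous while the object ID is unique and immutable.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "11111111-1111-4111-8111-111111111111",
         "displayName": "jenkins-admins",
         "mail": "jenkins-admins@example.com"},
        {"id": "22222222-2222-4222-8222-222222222222",
         "displayName": "jenkins-developers", "mail": None},
        {"id": "33333333-3333-4333-8333-333333333333",
         "displayName": "jenkins-developers", "mail": "devs@example.com"},
    ]
})


def resolve_group_object_id(graph_json: str, display_name: str) -> str:
    """Return the object ID of the group whose displayName matches exactly.

    Raises LookupError when nothing matches and ValueError when more than
    one group matches, so a duplicated display name never silently maps
    to the wrong group's permissions.
    """
    groups = json.loads(graph_json)["value"]
    matches = [g for g in groups if g.get("displayName") == display_name]
    if not matches:
        raise LookupError(f"no Entra group with displayName {display_name!r}")
    if len(matches) > 1:
        ids = ", ".join(g["id"] for g in matches)
        raise ValueError(f"displayName {display_name!r} is ambiguous: {ids}")
    return matches[0]["id"]


def is_object_id(value: str) -> bool:
    """True if value is a GUID, i.e. the form the role-strategy assignment
    accepts for Entra principals, rather than a display name or email."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False
```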

@bostonaqua

bostonaqua commented Apr 9, 2024

The new release of role-strategy-plugin, 717.v6a_69a_fe98974, can make your life easier =)

@bsloan-icl (Author)

Thanks bostonaqua, we'll give that a try :)
