Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Abhyudaya Sharma
@AbhyudayaSharma
@jcraft-accenture Do the users have the Overall/View permission?
@seeramzan https://github.com/jenkinsci/role-strategy-plugin/blob/2dd5b92e2e86f80af9051d4fcac87d039e720d81/src/main/java/com/michelin/cio/hudson/plugins/rolestrategy/RoleBasedAuthorizationStrategy.java#L262-L275
Abhyudaya Sharma
@AbhyudayaSharma
@seeramzan
API method to add roles
example: curl -X POST localhost:8080/role-strategy/strategy/addRole --data "type=globalRoles&roleName=ADM& permissionIds=hudson.model.Item.Discover,hudson.model.Item.ExtendedRead&overwrite=true"
You will also need to authenticate: https://wiki.jenkins.io/display/JENKINS/Authenticating+scripted+clients
Chaitanya Prakash Bapat
@ChaiBapchya

After failed attempt at scavenging on internet, turning to gitter for help

Is it possible to assign a role in Jenkins on a per-PR basis?
How to do that?

Use-case : I want to assign a trigger job role to PR Authors

https://stackoverflow.com/questions/60353561/assign-a-trigger-role-in-jenkins-to-pr-authors

Thanks in advance.

Oleg Nenashev
@oleg-nenashev
@ChaiBapchya dynamic roles like that would require a new RoleStrategy macro to match projects. It is quite straightforward, but a new plugin is needed.
Ownership plugin has ownership assignment strategy which could address some bits, but again a new ectension point implementatiob would be needed
Chaitanya Prakash Bapat
@ChaiBapchya
Thanks for reply.. which new plugin are we talking about?
https://plugins.jenkins.io/ownership/ ?
Could you help me with this new extension point implementation that you're talking about?
Oleg Nenashev
@oleg-nenashev
Yes, the plugin can also serve as a RoleStrategy macro example
Regardig the elp,
... help, I might have some bandwidth in a week or two
Chaitanya Prakash Bapat
@ChaiBapchya
Alright thanks
sriram
@rahulsriram123_twitter
Hello we are using Role-based Authorization Strategy plugin for Jenkins. Based on CloudBees categorization of tiers, this plugin not belong to any of the Tier. How can we enable this for Verified?
Marc Samendinger
@msamendinger

Hi,
we have two jenkins servers where we're managing our permissions with the Role strategy plugin. They both have Jenkins ver. 2.190.1 and role-strategy: 2.16.

On one server everything works as expected. The other one does apply changes for item roles only after a Jenkins restart. global roles are working fine and changes are reflected instantly. It doesn't matter if settings are changed over the ui or api. The changes are visible in ui and api but are not effective.

Can anyone point me into the right direction on how to further debug?

Oleg Nenashev
@oleg-nenashev
Looks like we have some issues with caching @msamendinger . I will investigate
Marc Samendinger
@msamendinger
Thanks @oleg-nenashev if you need any further infos just let me know
Oleg Nenashev
@oleg-nenashev
Sorry, I have not got to it yet
Michael Köppl
@calmandniceperson
@AbhyudayaSharma Hello! I'm using the Folder-based Authorization plugin's API to assign users to roles. It seems that there's no way to see which SIDs are assigned to a role right now (I would need it to compare), so instead I wanted to delete the role and re-create it. However, to do that, I need to set the permissions again every time. Is there somewhere I can see all permissions that are available (their IDs)?
Abhyudaya Sharma
@AbhyudayaSharma
@calmandniceperson You can use the Groovy Script console to get the current roles: https://jenkins.io/doc/book/managing/script-console/ 
import jenkins.model.Jenkins;
import io.jenkins.plugins.folderauth.*;

FolderBasedAuthorizationStrategy strategy = (FolderBasedAuthorizationStrategy) Jenkins.getInstance().getAuthorizationStrategy();
strategy.getGlobalRoles();
strategy.getAgentRoles();
strategy.getFolderRoles();
This should do it
Abhyudaya Sharma
@AbhyudayaSharma
Another hacky idea: get the details from Configuration-as-Code export: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/configExport.md
Abhyudaya Sharma
@AbhyudayaSharma
@msamendinger I was unable to replicate your issue. The was getting the updated permissions. Can you please let us know what you're trying to do? Are you creating a new role or updating or assigning one to a user?
Marc Samendinger
@msamendinger

@AbhyudayaSharma our problem happens when we assign a user to a item role or remove it from a item role. We use item roles with patterns to grant access to top level folders.
I'm assigning an user to a existing role, the ui and the api show that the user is assigned to the role.
But the user does not see the folders he should have access to. Different browsers, deleting cache, new login does not help.
After restarting Jenkins, without changing anything else, and a new login of the user the user sees what its supposed to see. Same if I unassign a user.

If I assing or unassign to/from global roles, the user has immediate access respectively access gets immediately revoked.

This only happens on one of our Jenkins servers, even though they have the same Jenkins and role-strategy versions.

TurinTuramba
@TurinTuramba
Hello, I can confirm the problem mentioned from @msamendinger . If I assign an usergroup to a role, the ui shows the correct assignment, but this settings will be active after a restart/reload of Jenkins server.
Chaitanya Prakash Bapat
@ChaiBapchya
Is there an API to get members of a particular role in Jenkins?
Marc Samendinger
@msamendinger
@ChaiBapchya if you mean the role strategy plugin there is getRole
Chaitanya Prakash Bapat
@ChaiBapchya
And how does the authentication work?
Chaitanya Prakash Bapat
@ChaiBapchya
I tried to use username, password I use for jenkins login but that seems to not work (gives me "signed in an anonymous")
Marc Samendinger
@msamendinger
You have to use a API token https://stackoverflow.com/questions/45466090/how-to-get-the-api-token-for-jenkins
Chaitanya Prakash Bapat
@ChaiBapchya
yes I am using the token still being named "anonymous" while I checked on Jenkins URL (of our server) - my role is admin..
Marc Samendinger
@msamendinger
How are you connecting to the API, have you used curl for tests? I can access our Jenkins servers that way
curl  -X GET "https://${JENKINS_USER}:${JENKINS_TOKEN}@${JENKINS_SERVER}/role-strategy/strategy/getRole?type=globalRoles&roleName=admin
Chaitanya Prakash Bapat
@ChaiBapchya
still gives me an error..
Permission you need to have (but didn't): hudson.model.Hudson.Administer
Chaitanya Prakash Bapat
@ChaiBapchya
any idea why?
@msamendinger
Marc Samendinger
@msamendinger
But you are a global admin? In the UI, https://jenkins-server/role-strategy/manage-roles
global roles -> Overall -> Administer
Thats hudson.model.Hudson.Administer
Chaitanya Prakash Bapat
@ChaiBapchya
I see..
thanks for pointing out..
I am a global admin..
Chaitanya Prakash Bapat
@ChaiBapchya
so why does it still fail
Marc Samendinger
@msamendinger
Sorry, im lost here, maybe some kind of csrf protection? Hopefully someone else can step in and help.
Chaitanya Prakash Bapat
@ChaiBapchya
Anyone else got some idea?
Anil Saini
@anilsaini4u_twitter
Hi, Can anyone provide information for folder authorization strategy...
i have implemented the required changes but its not working as expected
Oleg Nenashev
@oleg-nenashev
@anilsaini4u_twitter could you please report an issue with reproduction steps?
I mean Jenkins Jira