Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Sep 20 15:01

    dependabot[bot] on maven

    (compare)

  • Sep 20 15:01
    dependabot[bot] closed #77
  • Sep 20 15:01
    dependabot[bot] commented #77
  • Sep 20 15:01
    dependabot[bot] review_requested #78
  • Sep 20 15:01
    dependabot[bot] review_requested #78
  • Sep 20 15:01
    dependabot[bot] labeled #78
  • Sep 20 15:01
    dependabot[bot] opened #78
  • Sep 20 15:01

    dependabot[bot] on maven

    Bump configuration-as-code.vers… (compare)

  • Sep 20 06:18
    AbhyudayaSharma commented #58
  • Sep 19 08:18
    vonEdfa commented #58
  • Sep 13 15:23
    thomasnemer synchronize #154
  • Sep 13 12:37
    AbhyudayaSharma synchronize #58
  • Sep 13 06:31
    AbhyudayaSharma commented #69
  • Sep 13 06:22
    AbhyudayaSharma commented #58
  • Sep 12 14:26
    vonEdfa commented #58
  • Sep 12 12:44
    AbhyudayaSharma commented #58
  • Sep 11 14:59
    vonEdfa commented #58
  • Sep 02 18:50
    OOP-778 starred jenkinsci/role-strategy-plugin
  • Sep 02 02:40
    yipo starred jenkinsci/role-strategy-plugin
  • Aug 28 09:15
    mahendra-s20 forked
    mahendra-s20/role-strategy-plugin
Thiago C. D'Ávila
@staticdev
how so?
Abhyudaya Sharma
@AbhyudayaSharma
https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md#assigning-roles-to-users
Thiago C. D'Ávila
@staticdev
this is what I need to manage on the LDAP
I shouldn't have to assign the user again
that is basically what is my LDAP for
Abhyudaya Sharma
@AbhyudayaSharma
Once the role is assigned to the LDAP group, all users in it will get access to the given permissions
Thiago C. D'Ávila
@staticdev
you say I have to assign the role name instead of the user?
I will try that
Abhyudaya Sharma
@AbhyudayaSharma
No, you need to assign the LDAP group to the role
Thiago C. D'Ávila
@staticdev
yes, they have the same name
I will do tests here and come back
Abhyudaya Sharma
@AbhyudayaSharma
Oh okay
For future reference, SID can be either the username or the group name
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma you are totally correct, it works. I would just add that information in the documentation session you sent me.
You can close my bug report.. not really a bug.
More of missing documentation details for this case.
Thanks a lot, have a nice holiday.
Abhyudaya Sharma
@AbhyudayaSharma
Thanks a lot @staticdev!
sahilsethi12
@sahilsethi12
Hello All , I have installed role-strategy-plugin in the disconnected openshift environment , but i'm getting class cast exception ERROR : - class com.michelin.cio.hudson.plugins.rolestrategy.rolebasedauthorizationstrategy cannot be cast to hudson.security.globalmatrixauthorizationstrategy
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 Looks like you are using Matrix Authorization but the stored configuration is for Role strategy. You need to ensure that the authorization strategy is set to use Role strategy plugin.
sahilsethi12
@sahilsethi12
@AbhyudayaSharma , I have checked Role strategy only as Authorization
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 I may be completely wrong here since I don't know much about OpenShift but I think if you are running the Jenkins master in a container, the settings are configured using configuration-as-code. Any changes made from the UI are overridden after a restart of the master. If you could share your configurations, I might be able to offer more help.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I have a question about folder auth. There is a folder containing production credentials and only some people should have access to these credentials. But there are other users I want to enable running pipelines to deploy to production (using these credentials) but they can't have access to it. Is it possible?
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev I guess you can give users who need to build a project the Item/Build permissions. You can give the Credential/Create and Credential/View permissions to users who can modify/see the credentials.
Thiago C. D'Ávila
@staticdev
Thanks again for the answer @AbhyudayaSharma, I will do some test with this setup.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma when you say Item/Build you mean Job/Build? I don't have item build in my options here. Or a need another plugin for that?
harvesterofbeer
@harvesterofbeer:matrix.org
[m]
Hello. Is there a way to do subtractive permissions? For example: we want to have most jobs buildable by anyone who is authenticated. However, a few jobs need to be restricted.
Oleg Nenashev
@oleg-nenashev
@harvesterofbeer:matrix.org no, it is not possible in this plugin
harvesterofbeer
@harvesterofbeer:matrix.org
[m]
Ok, that's a problem for us...there are hundreds of jobs and folders. No way to cleanly, reliably map things without either being able to override global role permissions, or do subtractive. Not having the priority of roles increase as assignments gets more specific makes this really, really hard.
Oleg Nenashev
@oleg-nenashev
I understand
Substractive permissions might have a serious impact on performance. It might be okay with the current caching engine, but I cannot say for sure
You could also emulate substracrive mode via Groovy system scripts. Not fancy but doable
harvesterofbeer
@harvesterofbeer:matrix.org
[m]
Thanks for the quick response @oleg-nenashev . Could you please explain a little more about the system scripts you mention? Or point to docs? Thanks.
Oleg Nenashev
@oleg-nenashev
@harvesterofbeer:matrix.org https://www.jenkins.io/doc/book/managing/script-console/, https://www.jenkins.io/doc/book/managing/groovy-hook-scripts/ or https://plugins.jenkins.io/groovy/ for ways to run system scripts.
Oleg Nenashev
@oleg-nenashev
RT https://twitter.com/CloudBees/status/1387380156822601730 ?
harvesterofbeer
@harvesterofbeer:matrix.org
[m]
Is there a way to see what role(s) are active for a user at any given time? For example, I'm viewing a particular job and want to check that the roles I think I should have are actually the ones being set for me.
Abhyudaya Sharma
@AbhyudayaSharma
@harvesterofbeer:matrix.org you can see the active roles at JENKINS_URL/whoAmI
harvesterofbeer
@harvesterofbeer:matrix.org
[m]
Unfortunately that only shows the group names the user has (from LDAP in our case). I need to see the names of the roles which apply to that user at that location (applicable roles can change depending on the item the user is at).
swaroopv2
@swaroopv2
Hello, I am trying to setup SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing i am trying to find out is what format is required for the role information.
swaroopv2
@swaroopv2
I am in particularly looking for how to get the username attribute and groupname attribute from the SAML response.
svbar
@svbar_gitlab

Hi All
I have two questions.

  1. Is it possible to remove 'anonymous' role ? I tried and it coming back.

  2. I want to be able to log the information from the plugin and get useful information like when someone is assigned a role, or changes to authorisation.

I tried creating a Logger with almost all classes but it is not logging the activities.

Classes I tried but it did not work . Logger is not logging anything at all

com.michelin.cio.hudson.plugins.rolestrategy.Role;
com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy;
com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType

1 reply
Abhyudaya Sharma
@AbhyudayaSharma

Hello, I am trying to setup SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing i am trying to find out is what format is required for the role information.

@swaroopv2 You can visit /whoAmI to find out about the groups a user is being assigned

you4su
@you4su
Hi All,
you4su
@you4su
Is it possible to move from Role-Based Strategy to Folder Authorized Strategy without impacting existing users permissions because I had an issue while doing so where my Active Directory group which had admin permissions in Role-Based Strategy was not visible anymore under any roles when I changed to Folder Authorized Strategy, instead my own id which is part of the Active Directory group that has admin permissions was the only one showing up under Global Roles after changing to Folder Authorized Strategy.
you4su
@you4su

Is it possible to move from Role-Based Strategy to Folder Authorized Strategy without impacting existing users permissions because I had an issue while doing so where my Active Directory group which had admin permissions in Role-Based Strategy was not visible anymore under any roles when I changed to Folder Authorized Strategy, instead my own id which is part of the Active Directory group that has admin permissions was the only one showing up under Global Roles after changing to Folder Authorized Strategy.

It looks like changing from Role-Based Strategy to Folder Authorized Strategy results in the logged in user being added to the Folder Authorized Strategy Global role with admin permissions and all other roles from the Role-Based Strategy are wiped out --- any way around this?

Tim Jacomb
@timja
swap the permissions via configuration as code
Abhyudaya Sharma
@AbhyudayaSharma
@you4su that is the intended behaviour. The logged in user is made the admin. There is no automatic conversion of roles from Role Strategy to folder auth because role strategy is more flexible (but slower).
you4su
@you4su
@timja any pointers on how it could be achieved?
Abhyudaya Sharma
@AbhyudayaSharma
@you4su https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md#jenkins-configuration-as-code-support
But you'll have to map the roles manually