sahilsethi12
@sahilsethi12
Hello All, I have installed role-strategy-plugin in the disconnected OpenShift environment, but I'm getting a class cast exception. ERROR: class com.michelin.cio.hudson.plugins.rolestrategy.rolebasedauthorizationstrategy cannot be cast to hudson.security.globalmatrixauthorizationstrategy
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 Looks like you are using Matrix Authorization but the stored configuration is for Role strategy. You need to ensure that the authorization strategy is set to use Role strategy plugin.
sahilsethi12
@sahilsethi12
@AbhyudayaSharma, I have checked Role strategy only as Authorization
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 I may be completely wrong here since I don't know much about OpenShift but I think if you are running the Jenkins master in a container, the settings are configured using configuration-as-code. Any changes made from the UI are overridden after a restart of the master. If you could share your configurations, I might be able to offer more help.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I have a question about folder auth. There is a folder containing production credentials and only some people should have access to these credentials. But there are other users I want to enable running pipelines to deploy to production (using these credentials) but they can't have access to it. Is it possible?
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev I guess you can give users who need to build a project the Item/Build permissions. You can give the Credential/Create and Credential/View permissions to users who can modify/see the credentials.
Thiago C. D'Ávila
@staticdev
Thanks again for the answer @AbhyudayaSharma, I will do some tests with this setup.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma when you say Item/Build, do you mean Job/Build? I don't have Item/Build in my options here. Or do I need another plugin for that?
harvesterofbeer
@harvesterofbeer:matrix.org
Hello. Is there a way to do subtractive permissions? For example: we want to have most jobs buildable by anyone who is authenticated. However, a few jobs need to be restricted.
Oleg Nenashev
@oleg-nenashev
@harvesterofbeer:matrix.org no, it is not possible in this plugin
harvesterofbeer
@harvesterofbeer:matrix.org
Ok, that's a problem for us... there are hundreds of jobs and folders. No way to cleanly, reliably map things without either being able to override global role permissions, or do subtractive. Not having the priority of roles increase as assignments get more specific makes this really, really hard.
Oleg Nenashev
@oleg-nenashev
I understand
Subtractive permissions might have a serious impact on performance. It might be okay with the current caching engine, but I cannot say for sure.
You could also emulate subtractive mode via Groovy system scripts. Not fancy but doable.
harvesterofbeer
@harvesterofbeer:matrix.org
Thanks for the quick response @oleg-nenashev. Could you please explain a little more about the system scripts you mention? Or point to docs? Thanks.
harvesterofbeer
@harvesterofbeer:matrix.org
Is there a way to see what role(s) are active for a user at any given time? For example, I'm viewing a particular job and want to check that the roles I think I should have are actually the ones being set for me.
Abhyudaya Sharma
@AbhyudayaSharma
@harvesterofbeer:matrix.org you can see the active roles at JENKINS_URL/whoAmI
harvesterofbeer
@harvesterofbeer:matrix.org
Unfortunately that only shows the group names the user has (from LDAP in our case). I need to see the names of the roles which apply to that user at that location (applicable roles can change depending on the item the user is at).
swaroopv2
@swaroopv2
Hello, I am trying to set up SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing I am trying to find out is what format is required for the role information.
swaroopv2
@swaroopv2
I am particularly looking for how to get the username attribute and groupname attribute from the SAML response.
svbar
@svbar_gitlab

Hi All
I have two questions.

  1. Is it possible to remove the 'anonymous' role? I tried and it is coming back.

  2. I want to be able to log the information from the plugin and get useful information like when someone is assigned a role, or changes to authorisation.

I tried creating a Logger with almost all classes but it is not logging the activities.

Classes I tried, but it did not work. Logger is not logging anything at all:

com.michelin.cio.hudson.plugins.rolestrategy.Role;
com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy;
com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType

Abhyudaya Sharma
@AbhyudayaSharma

> Hello, I am trying to set up SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing I am trying to find out is what format is required for the role information.

@swaroopv2 You can visit /whoAmI to find out about the groups a user is being assigned

you4su
@you4su
Hi All,
you4su
@you4su
Is it possible to move from Role-Based Strategy to Folder Authorized Strategy without impacting existing users' permissions? I had an issue while doing so, where my Active Directory group which had admin permissions in Role-Based Strategy was not visible anymore under any roles when I changed to Folder Authorized Strategy; instead, my own id, which is part of the Active Directory group that has admin permissions, was the only one showing up under Global Roles after changing to Folder Authorized Strategy.
you4su
@you4su

> Is it possible to move from Role-Based Strategy to Folder Authorized Strategy without impacting existing users' permissions? I had an issue while doing so, where my Active Directory group which had admin permissions in Role-Based Strategy was not visible anymore under any roles when I changed to Folder Authorized Strategy; instead, my own id, which is part of the Active Directory group that has admin permissions, was the only one showing up under Global Roles after changing to Folder Authorized Strategy.

It looks like changing from Role-Based Strategy to Folder Authorized Strategy results in the logged in user being added to the Folder Authorized Strategy Global role with admin permissions and all other roles from the Role-Based Strategy are wiped out --- any way around this?

Tim Jacomb
@timja
swap the permissions via configuration as code
Abhyudaya Sharma
@AbhyudayaSharma
@you4su that is the intended behaviour. The logged in user is made the admin. There is no automatic conversion of roles from Role Strategy to folder auth because role strategy is more flexible (but slower).
you4su
@you4su
@timja any pointers on how it could be achieved?
But you'll have to map the roles manually
BertuNet
@BertuNet
Hi All,
may you help me to understand why, with role-strategy plugin (3.2) and Keycloak login, I have a problem with roles?
On Keycloak I configure User X with role ADMIN, the same on Jenkins.
If I assign roles to ADMIN with specific permission, it seems it doesn't read it :/ If I assign USER X to specific permission, no problem.
What do I have to configure?
If I get whoAmI, the authorities are correct :/
Thank you,
Regards
Muhammad Jamil Akhtar
@jamilakhtar
In the Folder-based Authorization Strategy, how can I get a list of all the available roles for a given user? Do we have any REST API? If not, how can I get that functionality?
zakharovdi
@zakharovdi
Hi all.
We have tried to use the role-based strategy plugin, but we can't log in, with an error about absent Overall/Read permissions, if we apply our roles to users. It works fine if we apply it to groups. Did someone face such a problem, and how can we solve it? Unfortunately the plugin doesn't provide logs at all, and we have no extra information about the problem.
njaved
@njaved
Hello All. We have been using the role-based strategy plugin to grant access to folders and users. We are now trying to see if we can restrict it to a Cloud Agent Label. For example, allow a dev only access to dev Cloud Agents. Is there a way to do that with this plugin?
mtj
@mtj:matrix.org
Hi folks, can someone confirm if it's possible to have 'item roles' rules that override 'global roles' rules?
I currently have a Jenkins that has anonymous users that can see all builds - but I need to hide a small group of private builds from anon users
...would this situation be possible with the 'role-strategy' plugin?
mtj
@mtj:matrix.org
if the anon 'global role' currently has read/view perms set - is it possible to somehow override/remove those perms for some builds via an 'item role' rule?
hmm... "Global roles apply to any item in Jenkins and override anything you specify in the Project Roles. That is, when you give a role the right to Job-Read in the Global Roles, then this role is allowed to read all Jobs, no matter what you specify in the Project Roles."
mnsn1408
@mnsn1408
Hey, does anyone have the Groovy script to create the roles under a folder via the folder authorization strategy plugin?
mnsn1408
@mnsn1408
@AbhyudayaSharma we are moving to CasC, but not now. If you have some sample scripts to create the folder role via Groovy, can you please share them with me?
mnsn1408
@mnsn1408
Hi everyone, does the folder auth strategy plugin have job-level restrictions? Is there a chance that we can make restrictions to a job?
Jeroen Schepens
@edmeister

Hi, I started setting up the "Folder Auth" plugin, but I don't seem to manage to assign permissions for child jobs. When people with that permission log in, they just see a blank list page. I expected them to be able to follow the tree to the jobs they are allowed to see/build.

Is this a known limitation?

Abhyudaya Sharma
@AbhyudayaSharma
@edmeister Hi. I have replied on your JIRA ticket.
Korsie Ballesteros
@kjballes:matrix.org
Hi, is there a convenient way of getting a list of all available roles and the roles for each user?
Getting the roles for each user might be a bit more complicated. You would have to use the scripting console.