Thiago C. D'Ávila
@staticdev
I am having some trouble making this plugin get roles assigned via LDAP...
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev Hi! Yes, this is the room for folder-auth plugin.
Can you please confirm that you are assigned the correct group from LDAP? You can check it at JENKINS_URL/whoAmI
It should be present in the authorities section
Thiago C. D'Ávila
@staticdev
Thanks for checking!
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I double checked. Under whoAmI Authorities I have: "CI_TestRole" and "authenticated"
What I did is create a global role called "CI_TestRole" with overall/read and a folder role with the same name and permissions to a specific folder
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev you need to assign the role you created to CI_TestRole
Thiago C. D'Ávila
@staticdev
how so?
Thiago C. D'Ávila
@staticdev
this is what I need to manage on the LDAP
I shouldn't have to assign the user again
that is basically what my LDAP is for
Abhyudaya Sharma
@AbhyudayaSharma
Once the role is assigned to the LDAP group, all users in it will get access to the given permissions
Thiago C. D'Ávila
@staticdev
you say I have to assign the role name instead of the user?
I will try that
Abhyudaya Sharma
@AbhyudayaSharma
No, you need to assign the LDAP group to the role
Thiago C. D'Ávila
@staticdev
yes, they have the same name
I will do tests here and come back
Abhyudaya Sharma
@AbhyudayaSharma
Oh okay
For future reference, SID can be either the username or the group name
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma you are totally correct, it works. I would just add that information in the documentation section you sent me.
You can close my bug report. Not really a bug.
More of missing documentation details for this case.
Thanks a lot, have a nice holiday.
Abhyudaya Sharma
@AbhyudayaSharma
Thanks a lot @staticdev!
sahilsethi12
@sahilsethi12
Hello all, I have installed role-strategy-plugin in the disconnected OpenShift environment, but I'm getting a class cast exception ERROR : - class com.michelin.cio.hudson.plugins.rolestrategy.rolebasedauthorizationstrategy cannot be cast to hudson.security.globalmatrixauthorizationstrategy
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 Looks like you are using Matrix Authorization but the stored configuration is for Role strategy. You need to ensure that the authorization strategy is set to use Role strategy plugin.
sahilsethi12
@sahilsethi12
@AbhyudayaSharma, I have checked Role strategy only as Authorization
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 I may be completely wrong here since I don't know much about OpenShift but I think if you are running the Jenkins master in a container, the settings are configured using configuration-as-code. Any changes made from the UI are overridden after a restart of the master. If you could share your configurations, I might be able to offer more help.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I have a question about folder auth. There is a folder containing production credentials and only some people should have access to these credentials. But there are other users I want to enable running pipelines to deploy to production (using these credentials) but they can't have access to it. Is it possible?
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev I guess you can give users who need to build a project the Item/Build permissions. You can give the Credential/Create and Credential/View permissions to users who can modify/see the credentials.
Thiago C. D'Ávila
@staticdev
Thanks again for the answer @AbhyudayaSharma, I will do some tests with this setup.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma when you say Item/Build you mean Job/Build? I don't have Item/Build in my options here. Or do I need another plugin for that?
harvesterofbeer
@harvesterofbeer:matrix.org
Hello. Is there a way to do subtractive permissions? For example: we want to have most jobs buildable by anyone who is authenticated. However, a few jobs need to be restricted.
Oleg Nenashev
@oleg-nenashev
@harvesterofbeer:matrix.org no, it is not possible in this plugin
harvesterofbeer
@harvesterofbeer:matrix.org
Ok, that's a problem for us... there are hundreds of jobs and folders. No way to cleanly, reliably map things without either being able to override global role permissions, or do subtractive. Not having the priority of roles increase as assignments get more specific makes this really, really hard.
Oleg Nenashev
@oleg-nenashev
I understand
Subtractive permissions might have a serious impact on performance. It might be okay with the current caching engine, but I cannot say for sure
You could also emulate subtractive mode via Groovy system scripts. Not fancy but doable
harvesterofbeer
@harvesterofbeer:matrix.org
Thanks for the quick response @oleg-nenashev. Could you please explain a little more about the system scripts you mention? Or point to docs? Thanks.
harvesterofbeer
@harvesterofbeer:matrix.org
Is there a way to see what role(s) are active for a user at any given time? For example, I'm viewing a particular job and want to check that the roles I think I should have are actually the ones being set for me.
Abhyudaya Sharma
@AbhyudayaSharma
@harvesterofbeer:matrix.org you can see the active roles at JENKINS_URL/whoAmI
harvesterofbeer
@harvesterofbeer:matrix.org
Unfortunately that only shows the group names the user has (from LDAP in our case). I need to see the names of the roles which apply to that user at that location (applicable roles can change depending on the item the user is at).
swaroopv2
@swaroopv2
Hello, I am trying to set up SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing I am trying to find out is what format is required for the role information.
swaroopv2
@swaroopv2
I am particularly looking for how to get the username attribute and groupname attribute from the SAML response.