Abhyudaya Sharma
@AbhyudayaSharma
Can you please confirm that you are assigned the correct group from LDAP? You can check it at JENKINS_URL/whoAmI
It should be present in the authorities section
Thiago C. D'Ávila
@staticdev
Thanks for checking!
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I double-checked. Under whoAmI Authorities I have: "CI_TestRole" and "authenticated"
What I did was create a global role called "CI_TestRole" with overall/read and a folder role with the same name and permissions to a specific folder
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev you need to assign the role you created to CI_TestRole
Thiago C. D'Ávila
@staticdev
how so?
Thiago C. D'Ávila
@staticdev
this is what I need to manage on the LDAP
I shouldn't have to assign the user again
that is basically what my LDAP is for
Abhyudaya Sharma
@AbhyudayaSharma
Once the role is assigned to the LDAP group, all users in it will get access to the given permissions
Thiago C. D'Ávila
@staticdev
you say I have to assign the role name instead of the user?
I will try that
Abhyudaya Sharma
@AbhyudayaSharma
No, you need to assign the LDAP group to the role
Thiago C. D'Ávila
@staticdev
yes, they have the same name
I will do tests here and come back
Abhyudaya Sharma
@AbhyudayaSharma
Oh okay
For future reference, SID can be either the username or the group name
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma you are totally correct, it works. I would just add that information in the documentation section you sent me.
You can close my bug report. It's not really a bug.
More of missing documentation details for this case.
Thanks a lot, have a nice holiday.
Abhyudaya Sharma
@AbhyudayaSharma
Thanks a lot @staticdev!
sahilsethi12
@sahilsethi12
Hello all, I have installed role-strategy-plugin in the disconnected OpenShift environment, but I'm getting a class cast exception. ERROR: class com.michelin.cio.hudson.plugins.rolestrategy.rolebasedauthorizationstrategy cannot be cast to hudson.security.globalmatrixauthorizationstrategy
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 Looks like you are using Matrix Authorization but the stored configuration is for Role strategy. You need to ensure that the authorization strategy is set to use Role strategy plugin.
sahilsethi12
@sahilsethi12
@AbhyudayaSharma, I have checked Role strategy only as Authorization
Abhyudaya Sharma
@AbhyudayaSharma
@sahilsethi12 I may be completely wrong here since I don't know much about OpenShift but I think if you are running the Jenkins master in a container, the settings are configured using configuration-as-code. Any changes made from the UI are overridden after a restart of the master. If you could share your configurations, I might be able to offer more help.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma I have a question about folder auth. There is a folder containing production credentials and only some people should have access to these credentials. But there are other users I want to enable running pipelines to deploy to production (using these credentials) but they can't have access to it. Is it possible?
Abhyudaya Sharma
@AbhyudayaSharma
@staticdev I guess you can give users who need to build a project the Item/Build permissions. You can give the Credential/Create and Credential/View permissions to users who can modify/see the credentials.
Thiago C. D'Ávila
@staticdev
Thanks again for the answer @AbhyudayaSharma, I will do some test with this setup.
Thiago C. D'Ávila
@staticdev
@AbhyudayaSharma when you say Item/Build you mean Job/Build? I don't have Item/Build in my options here. Or do I need another plugin for that?
harvesterofbeer
@harvesterofbeer:matrix.org
Hello. Is there a way to do subtractive permissions? For example: we want to have most jobs buildable by anyone who is authenticated. However, a few jobs need to be restricted.
Oleg Nenashev
@oleg-nenashev
@harvesterofbeer:matrix.org no, it is not possible in this plugin
harvesterofbeer
@harvesterofbeer:matrix.org
Ok, that's a problem for us... there are hundreds of jobs and folders. No way to cleanly, reliably map things without either being able to override global role permissions, or do subtractive. Not having the priority of roles increase as assignments get more specific makes this really, really hard.
Oleg Nenashev
@oleg-nenashev
I understand
Subtractive permissions might have a serious impact on performance. It might be okay with the current caching engine, but I cannot say for sure
You could also emulate subtractive mode via Groovy system scripts. Not fancy but doable
harvesterofbeer
@harvesterofbeer:matrix.org
Thanks for the quick response @oleg-nenashev. Could you please explain a little more about the system scripts you mention? Or point to docs? Thanks.
harvesterofbeer
@harvesterofbeer:matrix.org
Is there a way to see what role(s) are active for a user at any given time? For example, I'm viewing a particular job and want to check that the roles I think I should have are actually the ones being set for me.
Abhyudaya Sharma
@AbhyudayaSharma
@harvesterofbeer:matrix.org you can see the active roles at JENKINS_URL/whoAmI
harvesterofbeer
@harvesterofbeer:matrix.org
Unfortunately that only shows the group names the user has (from LDAP in our case). I need to see the names of the roles which apply to that user at that location (applicable roles can change depending on the item the user is at).
swaroopv2
@swaroopv2
Hello, I am trying to set up SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing I am trying to find out is what format is required for the role information.
swaroopv2
@swaroopv2
I am particularly looking for how to get the username attribute and groupname attribute from the SAML response.
svbar
@svbar_gitlab

Hi All
I have two questions.

  1. Is it possible to remove the 'anonymous' role? I tried and it keeps coming back.

  2. I want to be able to log the information from the plugin and get useful information like when someone is assigned a role, or changes to authorisation.

I tried creating a Logger with almost all classes but it is not logging the activities.

Classes I tried, but it did not work. Logger is not logging anything at all:

com.michelin.cio.hudson.plugins.rolestrategy.Role;
com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy;
com.synopsys.arc.jenkins.plugins.rolestrategy.RoleType

Abhyudaya Sharma
@AbhyudayaSharma

Hello, I am trying to set up SAML 2.0 authentication and Role based strategy plugin for Authorization. I am having an issue where I am unable to use the group names defined in the SAML 2.0. I am trying to understand how to configure SAML group attributes. The first thing I am trying to find out is what format is required for the role information.

@swaroopv2 You can visit /whoAmI to find out about the groups a user is being assigned