Access Denied- missing the Overall/Read permission #420

Open
AmulyaRameshKumar opened this issue Jun 6, 2023 · 2 comments
@AmulyaRameshKumar

Jenkins and plugins versions report

Environment
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 16 LTS

Reproduction steps

We have a Jenkins instance which is successfully using Azure Active Directory authenticated users. We had not updated the Azure-ad-plugin and related plugins for a long time. Therefore, our users had no USER or GROUP prefix. This setup was working fine.
We recently updated Jenkins to 2.401.1 including all the plug-ins. After migration the existing users still do not have prefixes. In global Azure Active Directory Matrix-based security settings we get a warning and in project security the EITHER: prefix is added as per the UI.
When we now try to add new users with the following steps:

  1. Added Azure User with overall Read permission and job Read permissions.
  2. The user is added to the config.xml with USER: prefix twice (one for the user itself and one for read permission), which is fine.
  3. The user is unable to access Jenkins even though they are successfully authenticated, with the error below:
    Sending AzureAuthenticationToken{azureAdUser=AzureAdUser{name='***', uniqueName='***', tenantID='***', objectID='***', email='***', groups='[]', authorities=[authenticated, ***, ***]}} to access denied handler since access is denied
    hudson.security.AccessDeniedException3: *** is missing the Overall/Read permission
        at hudson.security.ACL.checkPermission(ACL.java:80)
        at hudson.security.AccessControlled.checkPermission(AccessControlled.java:52)
        at jenkins.model.Jenkins.getTarget(Jenkins.java:5078)

Note: Our Active Directory does not return groups.

However, if we select 'Add group' instead of 'Add user' in the Jenkins UI, the user gets added with the GROUP: prefix and can successfully access the Jenkins Dashboard.

The same thing happens at project level configuration.

Why is the GROUP prefix working and the USER prefix not?

Expected Results

New user needs to be authorized to access Jenkins when they are added by selecting Add user option.

Actual Results

Only new GROUPs are authorized to access Jenkins.

Anything else?

No response
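An added example, not code from the issue or from the Jenkins plugins themselves: it audits the matrix-auth authorizationStrategy block of a Jenkins config.xml for the two states discussed in this report, entries left without a USER:/GROUP:/EITHER: prefix after the upgrade, and principals that hold permissions but not Overall/Read (the state behind the "is missing the Overall/Read permission" error). The config.xml sample and principal names are constructed; treating Overall/Administer as implying Overall/Read follows Jenkins' permission model.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <authorizationStrategy> block of a Jenkins config.xml in
# matrix-auth format (<permission>PREFIX:permission.id:principal</permission>).
# Principal names are made up; "legacy-admin" has no prefix, as left by an upgrade.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Read:alice@example.com</permission>
    <permission>USER:hudson.model.Item.Read:alice@example.com</permission>
    <permission>GROUP:hudson.model.Hudson.Read:build-team</permission>
    <permission>hudson.model.Hudson.Administer:legacy-admin</permission>
    <permission>USER:hudson.model.Item.Build:bob@example.com</permission>
  </authorizationStrategy>
</hudson>
"""

OVERALL_READ = "hudson.model.Hudson.Read"
ADMINISTER = "hudson.model.Hudson.Administer"   # implies Overall/Read in Jenkins
PREFIXES = ("USER", "GROUP", "EITHER")

def parse_permissions(xml_text):
    """Return (prefix, permission_id, principal) tuples; prefix is None for
    legacy entries written before the USER:/GROUP:/EITHER: prefixes existed."""
    entries = []
    for node in ET.fromstring(xml_text).iter("permission"):
        text = node.text.strip()
        parts = text.split(":", 2)
        if len(parts) == 3 and parts[0] in PREFIXES:
            entries.append((parts[0], parts[1], parts[2]))
        else:
            pid, principal = text.split(":", 1)   # legacy "permission:principal"
            entries.append((None, pid, principal))
    return entries

def audit(xml_text):
    """Report legacy (unprefixed) entries, which the upgraded matrix-auth UI warns
    about, and principals that hold permissions but not Overall/Read, the state
    that produces 'is missing the Overall/Read permission' at login."""
    entries = parse_permissions(xml_text)
    held = {}
    for prefix, pid, principal in entries:
        held.setdefault(principal, set()).add(pid)
    legacy = sorted({p for prefix, _, p in entries if prefix is None})
    missing_read = sorted(p for p, pids in held.items()
                          if not pids & {OVERALL_READ, ADMINISTER})
    return {"legacy_unprefixed": legacy, "missing_overall_read": missing_read}

if __name__ == "__main__":
    for key, names in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {names}")
```

Run against a real config.xml, the second list is where to look first when an authenticated user is rejected at the dashboard; the first list shows which entries still need an explicit prefix.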

@zhuanyang

I got the same issue.
Jenkins version: 2.401.2
Azure AD Plugin Version: 349.vc02b_a_0b_142a_8
Role-based Authorization Strategy Version: 665.v4d4f871dc768

@zhuanyang

Add "Object ID" to the new user. They can log in to Jenkins again.
