jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Add button doesn't work for Azure Active Directory Matrix-based security #120

Closed edvegas closed 3 years ago

edvegas commented 3 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.277.1
OS: Linux - 4.14.209-160.339.amzn2.x86_64
---
gradle:1.36
authorize-project:1.4.0
cloudbees-folder:6.15
ws-cleanup:0.39
durable-task:1.35
plain-credentials:1.7
pipeline-stage-view:2.19
github:1.33.1
ant:1.11
bouncycastle-api:2.20
maven-plugin:3.10
workflow-job:2.40
pipeline-model-api:1.8.4
bitbucket-oauth:0.10
workflow-step-api:2.23
timestamper:1.12
workflow-aggregator:2.6
ldap:2.5
docker-commons:1.17
authentication-tokens:1.4
configuration-as-code:1.47
pipeline-model-extensions:1.8.4
okhttp-api:3.14.9
pipeline-stage-tags-metadata:1.8.4
plugin-util-api:2.1.0
echarts-api:5.0.2-1
workflow-multibranch:2.23
azure-ad:154.v12e17a5f9ea3
aws-java-sdk:1.11.995
apache-httpcomponents-client-4-api:4.5.13-1.0
ssh-credentials:1.18.1
matrix-project:1.18
ssh-slaves:1.31.5
bootstrap4-api:4.6.0-3
run-condition:1.5
variant:1.4
lockable-resources:2.10
workflow-support:3.8
branch-api:2.6.3
display-url-api:2.3.4
conditional-buildstep:1.4.1
popper-api:1.16.1-2
pam-auth:1.6
momentjs:1.1.1
ace-editor:1.1
workflow-durable-task-step:2.38
workflow-cps-global-lib:2.18
pipeline-stage-step:2.5
token-macro:2.15
docker-workflow:1.26
git-client:3.7.1
azure-commons:1.1.3
git-server:1.9
jsch:0.1.55.2
checks-api:1.7.0
javadoc:1.6
structs:1.22
pipeline-rest-api:2.19
git:4.7.1
matrix-auth:2.6.6
build-timeout:1.20
handlebars:3.0.8
antisamy-markup-formatter:2.1
jdk-tool:1.5
workflow-scm-step:2.12
pipeline-milestone-step:1.3.2
github-branch-source:2.10.2
snakeyaml-api:1.27.0
pipeline-build-step:2.13
pipeline-input-step:2.12
oauth-credentials:0.4
trilead-api:1.0.13
font-awesome-api:5.15.2-2
role-strategy:3.1.1
workflow-api:2.42
jackson2-api:2.12.2
github-api:1.123
ssh-agent:1.22
script-security:1.76
jquery3-api:3.6.0-1
mailer:1.34
pipeline-github-lib:1.0
scm-api:2.6.4
pipeline-model-definition:1.8.4
junit:1.49
email-ext:2.82
aws-credentials:1.29
simple-theme-plugin:0.6
pipeline-graph-analysis:1.10
jjwt-api:0.11.2-9.c8b45b8bb173
workflow-basic-steps:2.23
credentials-binding:1.24
resource-disposer:0.15
command-launcher:1.5
parameterized-trigger:2.40
credentials:2.3.17
amazon-ecs:1.37
workflow-cps:2.90

Reproduction steps

I'm able to search and find users and groups, but when I select them and press "Add" button in Azure Active Directory Matrix-based security authorization, nothing happens. No errors in jenkins logs and browser console.

Results

Expected result:

Selected user or group is added to matrix

Actual result:

Nothing happens

timja commented 3 years ago

Can you use the issue template please (this includes things like the plugin version and Jenkins version)?

Are there any errors in your browser console?

edvegas commented 3 years ago

Thanks @timja, updated

timja commented 3 years ago

I can't reproduce this.

Does 'Verify application' work?

Is there anything in the browser console?

Have you saved the authentication settings and refreshed the page once before trying to set the authorization settings?

edvegas commented 3 years ago

Yes, I successfully verified application (including principal ID which you added in recent version).

I saved authentication settings and refreshed the page, even fully restarted jenkins.

I can only see the following info log in the Jenkins logs:

Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS

No logs in console once I press "Add" button, I even tried to reinstall jenkins, no success. Is it possible to enable detailed logs somehow?

If not, I'll use Matrix-based authorization and add each user manually after their first login

timja commented 3 years ago

Any chance you can record a short video showing it?

Just so I understand exactly what you're doing

and I assume all your plugins are up to date?

jacquelinejms95 commented 3 years ago

Greetings, we are also experiencing problems. I show my versions:

Jenkins version: 2.288
Azure ad plugin: 154.v12e17a5f9ea3

Also all plugins are up to date.

The verification/connection with Azure is correct, the authenticated users are still logged in with their permissions specified in Matrix, plus the admin users, but I want to add a new admin user and simply the "Add" button does not work, when I search for the user I get the list of users, I select it but when I hit the "Add" button, it simply does nothing, there are no errors in the browser console. Thanks for your help

edvegas commented 3 years ago

@timja can't do video, but here are 3 screenshots with steps

all plugins (I have a new installation with only Azure AD and Matrix-based security plugins) are up to date

connection - verifying connection ok

search - search and autocompletion ok

problem - select user and press Add - no reaction from UI

timja commented 3 years ago

Thanks, I'll try to reproduce again later on. I'm wondering if adding the role strategy plugin has something to do with it =/

What browser are you using?

kokkerhout commented 3 years ago

I have exactly the same problem.

Jenkins 2.288
Azure AD Plugin 154.v12e17a5f9ea3
Azure Commons Plugin 1.1.3

timja commented 3 years ago

What browser?

kokkerhout commented 3 years ago

Both on Firefox and Google Chrome. Running Ubuntu 20.04.2

timja commented 3 years ago

Reproduced it with the above plugin set, can't reproduce in isolation, looking into it.

kokkerhout commented 3 years ago

As an extra; I was also unable to get the grouplisting for AD groups. I had to add 'Azure Active Directory Graph' permission. After that I was able to get AD grouplists again. But the problem with the 'Add' button still existed

timja commented 3 years ago

You need 'User.Read.All' and 'Group.Read.All' from Microsoft Graph
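A way to confirm that requirement from the token side, as an added example that is not part of the thread or the plugin's code: it decodes the payload of a Graph access token and reports whether the audience is Microsoft Graph and which of the two permissions are missing or surplus. It assumes an app-only (client credentials) token, where application permissions appear in the `roles` claim; the sample tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

REQUIRED = {"User.Read.All", "Group.Read.All"}  # the two permissions named in the thread
# Microsoft Graph audience values; the legacy Azure AD Graph API uses
# https://graph.windows.net instead and does not satisfy the requirement.
MS_GRAPH_AUD = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token: str) -> dict:
    """Compare the token's audience and roles with what the plugin needs."""
    c = claims(token)
    roles = set(c.get("roles", []))
    return {
        "audience_ok": c.get("aud") in MS_GRAPH_AUD,
        "missing": sorted(REQUIRED - roles),
        "extra": sorted(roles - REQUIRED),  # candidates to drop for least privilege
    }

def make_sample(aud: str, roles: list) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"aud": aud, "roles": roles}).encode())
    return f"{header}.{body}.constructed"

if __name__ == "__main__":
    good = make_sample("https://graph.microsoft.com", ["User.Read.All", "Group.Read.All"])
    legacy = make_sample("https://graph.windows.net", ["Directory.Read.All"])
    print(check_token(good))
    print(check_token(legacy))
```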

kokkerhout commented 3 years ago

image

We now have this

kokkerhout commented 3 years ago

We modified like you advised. But for the "add" button issue it didn't make any difference. But that's probably not expected anyway by you

josebenitez681 commented 3 years ago

We are having the same problem with the "Add" button.

Thanks for your help

timja commented 3 years ago

I've reproduced it, you can add a :+1: to the top comment rather than adding more comments

timja commented 3 years ago

Caused by https://github.com/jenkinsci/azure-ad-plugin/pull/119

Haven't managed to isolate the specific problem yet

timja commented 3 years ago

Fix in https://github.com/jenkinsci/azure-ad-plugin/pull/122, should be released in the next hour or less depending on how long CI takes

timja commented 3 years ago

https://github.com/jenkinsci/azure-ad-plugin/releases/tag/155.v745ce80af7ea released

edvegas commented 3 years ago

awesome! confirm button works now

jacquelinejms95 commented 3 years ago

It's working again. Thank you!

kokkerhout commented 3 years ago

I indeed can use the 'add' button again. But it's still throwing errors.

2021-04-15 17:28:23.587+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386Error message: Resource 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.
2021-04-15 17:28:23.588+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386
2021-04-15 17:28:23.588+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2021-04-15 17:28:23.588+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386SdkVersion : graph-java/v3.2.0
2021-04-15 17:28:23.589+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386
2021-04-15 17:28:23.589+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386
2021-04-15 17:28:23.590+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386404 : Not Found
2021-04-15 17:28:23.590+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386[...]
2021-04-15 17:28:23.591+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386
2021-04-15 17:28:23.591+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 386[Some information was truncated for brevity, enable debug logging for more details]
2021-04-15 17:28:23.591+0000 [id=9] SEVERE c.m.graph.logger.DefaultLogger#logError: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
SdkVersion : graph-java/v3.2.0

timja commented 3 years ago

If that's in your server logs then that's a known issue where we don't know if it's a user or a group, so we have to look up both, and it logs a 404 as severe. Either an SDK issue or some customising needs doing. Unrelated to this issue.
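For log triage, the user-or-group lookup described above can be separated from other Graph SDK failures; this is an added example, not code from the plugin or the thread. It groups the SDK's SEVERE lines into one burst per failed request and treats only a 404 on a `/users/` or `/groups/` lookup as the expected probe. The sample lines are constructed on the format of the log above (object IDs are placeholders, and the 403 burst is invented for contrast), and bursts from different threads are assumed not to interleave.

```python
import re

# Jenkins log line: "<date> <time> [id=<thread>] <LEVEL> <logger>: <message>"
LINE = re.compile(r"^\S+ \S+ \[id=(\d+)\]\s+(\w+)\s+(\S+): ?(.*)$")
GRAPH_LOGGER = "c.m.graph.logger.DefaultLogger#logError"
LOOKUP = re.compile(r"GET https://graph\.microsoft\.com/v1\.0/(users|groups)/(\S+)")
PFX = "2021-04-15 17:28:23.590+0000 [id=9] SEVERE " + GRAPH_LOGGER + ": "
HTTP = PFX + "CoreHttpProvider[sendRequestInternal] - 386"
EXC = PFX + "Throwable detail: com.microsoft.graph.http.GraphServiceException: "

# Constructed sample modelled on the log in this thread; IDs are placeholders.
SAMPLE = [
    HTTP + "GET https://graph.microsoft.com/v1.0/users/OBJECT-ID-1",
    HTTP + "404 : Not Found",
    EXC + "Error code: Request_ResourceNotFound",
    "2021-04-15 17:28:23.700+0000 [id=9] INFO constructed.Logger#info: unrelated",
    HTTP + "GET https://graph.microsoft.com/v1.0/groups/OBJECT-ID-2",
    HTTP + "403 : Forbidden",
    EXC + "Error code: Authorization_RequestDenied",
]

def triage(lines):
    """Split Graph SDK SEVERE bursts into expected 404 probes and bursts to review."""
    expected, review, burst = [], [], []

    def flush():
        text = "\n".join(burst)
        hit = LOOKUP.search(text)
        if hit and "404 : Not Found" in text:
            expected.append((hit.group(1), hit.group(2)))
        elif burst:
            review.append(text)
        burst.clear()

    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines of a stack trace carry no header
        _thread, level, logger, msg = m.groups()
        if level == "SEVERE" and logger == GRAPH_LOGGER:
            burst.append(msg)
            if msg.startswith("Throwable detail:"):
                flush()  # last line the SDK logs for one failed request
        else:
            flush()
            if level == "SEVERE":
                review.append(msg)  # SEVERE from any other logger
    flush()
    return expected, review

if __name__ == "__main__":
    print(triage(SAMPLE))
```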