Closed kokkerhout closed 2 years ago
https://github.com/jenkinsci/azure-ad-plugin/issues/120#issuecomment-820613645
If that's in your server logs then that's a known issue where we don't know if it's a user or a group, so we have to look up both, and it logs a 404 as severe. Either an SDK issue or some customising needs doing. Unrelated to this issue.
The logs bit can be ignored although I'll leave the issue open as there must be a way to fix it.
The group name bit I tried to fix but I hit this code: https://github.com/jenkinsci/matrix-auth-plugin/blob/7b30c73f7d72d0a94827ac618e61ca7ce4740baf/src/main/java/org/jenkinsci/plugins/matrixauth/AuthorizationContainerDescriptor.java#L140-L145
Which just looked up the user first and I couldn't see a way to make it look up the group, as I'm not allowed to return null from the loadUserByUsername method.
@daniel-beck am I misunderstanding it? How can I have the group validated in the UI for a matrix authorisation?
@timja Don't know, this seems Azure API internal? If you have a separate API to check whether a user by a given name exists, do that and throw if it doesn't, bypassing the API that causes log messages.
@daniel-beck this issue has 2 parts to it,
@timja Configuration does not explicitly distinguish between object types. It's an improvement I've wanted to do for a while. I recommend you change your plugin to gracefully handle extra requests about users that don't exist. As this is form validation, it'll happen anyway and ideally doesn't result in log spam.
The "older" screenshot looks like it just shows a many years old outdated version of matrix-auth.
@timja Configuration does not explicitly distinguish between object types. It's an improvement I've wanted to do for a while. I recommend you change your plugin to gracefully handle extra requests about users that don't exist. As this is form validation, it'll happen anyway and ideally doesn't result in log spam.
The plugin handles it gracefully, but the SDK is spamming the logs, there's probably a way to configure it.
What screenshot are you referring to? This plugin used to use old matrix auth UI, I synced it with the upstream plugin in https://github.com/jenkinsci/azure-ad-plugin/pull/119
The plugin handles it gracefully, but the SDK is spamming the logs, there's probably a way to configure it.
Right, this is similar to what I tried to say in
If you have a separate API to check whether a user by a given name exists, do that and throw if it doesn't, bypassing the API that causes log messages.
What screenshot are you referring to? This plugin used to use old matrix auth UI, I synced it with the upstream plugin in #119
Thanks, did not realize this is just copied in, I saw the dependency and thought it was reused.
Code is re-used where possible, the UI is a copy though
If you have a separate API to check whether a user by a given name exists, do that and throw if it doesn't, bypassing the API that causes log messages.
I couldn't find one
How do I specify the group using the configuration as code plugin? I don't see any documentation or example about this :(
configure it in the UI and then export it.
here's an example:
Permission:object-id (display name)
@timja clicking on the Jenkins UI, the result is permission:(display name) object-id, why?
Historical I guess
@timja but what is the correct syntax, the one of the plugin example or the one exported by jenkins?
exported will be correct
Hi @timja, have you found a way to disable SDK logging or do you have another suggestion to prevent log spam?
I'm working on a fix but it requires a change in matrix-auth first so will take some time.
This contains some pre-req work: https://github.com/jenkinsci/azure-ad-plugin/pull/136
I'm updating the PR description as I go, but it's getting closer
The group icon bit is fixed in https://github.com/jenkinsci/azure-ad-plugin/pull/141
Log spam will be fixed later
Right now I am forced to add the uuid of the group after the name of the group.
BGP-Jenkins-Admin (153ee3ff-699b-4e23-aeaf-a0644a179a50)
Group display names aren't unique in AzureAD so you must add the ID anyway
Check. thx
Version report
Jenkins and plugins versions report:
Reproduction steps
Error message: Resource '242f047a-d011-4cac-9a3e-6f54364ec7ed' does not exist or one of its queried reference-property objects are not present. GET https://graph.microsoft.com/v1.0/users/242f047a-d011-4cac-9a3e-6f54364ec7ed
You can see in the "GET" part the url shows 'users' while it's actually a group.
Shouldn't the GET statement be something like: "GET /groups/{id}/members" ??
Results
Expected result:
Actual result:
group-users (242f047a-d011-4cac-9a3e-6f54364ec7ed)
I am not sure if this is a bug and that there is something wrong with the GET statement.
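The user-or-group lookup and the `name (object-id)` entry format discussed in this thread, as an added Java example that is not code from azure-ad-plugin or matrix-auth. The two lookup functions are hypothetical stand-ins for `GET /users/{id}` and `GET /groups/{id}` that return an HTTP status, and the directory contents are constructed; a 404 on the user lookup is treated as an expected outcome and logged at FINE, and an entry without an object ID is rejected because display names are not unique.

```java
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PrincipalResolver {
    private static final Logger LOGGER = Logger.getLogger(PrincipalResolver.class.getName());
    // "display name (object-id)": the GUID is the identity, the name is only a label.
    private static final Pattern ENTRY = Pattern.compile(
        "(.+)\\s+\\(([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\\)");

    enum Kind { USER, GROUP, UNKNOWN }

    /** Returns the object ID of an entry, or empty when only a display name was given. */
    static Optional<String> objectId(String entry) {
        Matcher m = ENTRY.matcher(entry.trim());
        return m.matches() ? Optional.of(m.group(2)) : Optional.empty();
    }

    /** Tries the user lookup, then the group lookup. Both functions are hypothetical
     *  stand-ins that return the HTTP status of the corresponding directory request. */
    static Kind classify(String id, Function<String, Integer> users, Function<String, Integer> groups) {
        if (users.apply(id) == 200) return Kind.USER;
        // Expected for every group entry, so it is not logged as an error.
        LOGGER.log(Level.FINE, "{0} is not a user, trying groups", id);
        if (groups.apply(id) == 200) return Kind.GROUP;
        LOGGER.log(Level.WARNING, "{0} is neither a user nor a group", id);
        return Kind.UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed directory: the ID from the issue is a group, and no users exist.
        Set<String> groupIds = Set.of("242f047a-d011-4cac-9a3e-6f54364ec7ed");
        Function<String, Integer> users = id -> 404;
        Function<String, Integer> groups = id -> groupIds.contains(id) ? 200 : 404;

        for (String entry : List.of("group-users (242f047a-d011-4cac-9a3e-6f54364ec7ed)", "group-users")) {
            String result = objectId(entry)
                .map(id -> classify(id, users, groups).toString())
                .orElse("rejected: no object ID, display name alone is ambiguous");
            System.out.println(entry + " -> " + result);
        }
    }
}
```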