jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Permission issues with version 158.v437429002c6b #139

Closed BenjaminBarnel closed 3 years ago

BenjaminBarnel commented 3 years ago

When I upgrade the Azure AD plugin from 155.v745ce80af7ea to 158.v437429002c6b we have many permission problems:

Version report

Jenkins and plugins versions report:

Jenkins : 2.289.1
SSH Credentials Plugin (ssh-credentials): 1.19
LDAP Plugin (ldap): 2.7
Display URL API (display-url-api): 2.3.5
Pipeline: Build Step (pipeline-build-step): 2.13
Pipeline: Nodes and Processes (workflow-durable-task-step): 2.39
Token Macro Plugin (token-macro): 2.15
Azure AD Plugin (azure-ad): 158.v437429002c6b
Workspace Cleanup Plugin (ws-cleanup): 0.39
REST Implementation for Blue Ocean (blueocean-rest-impl): 1.24.7
Display URL for Blue Ocean (blueocean-display-url): 2.4.1
TestNG Results Plugin (testng-plugin): 1.15
Bootstrap 4 API Plugin (bootstrap4-api): 4.6.0-3
GitHub Branch Source Plugin (github-branch-source): 2.11.1
Checks API plugin (checks-api): 1.7.0
Docker Commons Plugin (docker-commons): 1.17
Pipeline: Input Step (pipeline-input-step): 2.12
SCM API Plugin (scm-api): 2.6.4
Autofavorite for Blue Ocean (blueocean-autofavorite): 1.2.4
Pipeline: Stage Step (pipeline-stage-step): 2.5
OWASP Markup Formatter Plugin (antisamy-markup-formatter): 2.1
Pipeline: API (workflow-api): 2.44
Server Sent Events (SSE) Gateway Plugin (sse-gateway): 1.24
Basic Branch Build Strategies Plugin (basic-branch-build-strategies): 1.3.2
Plugin Utilities API Plugin (plugin-util-api): 2.2.0
Pipeline: Shared Groovy Libraries (workflow-cps-global-lib): 2.19
Run Condition Plugin (run-condition): 1.5
Pub-Sub "light" Bus (pubsub-light): 1.14
GitHub plugin (github): 1.33.1
REST API for Blue Ocean (blueocean-rest): 1.24.7
JavaScript GUI Lib: ACE Editor bundle plugin (ace-editor): 1.1
Oracle Java SE Development Kit Installer Plugin (jdk-tool): 1.5
Common API for Blue Ocean (blueocean-commons): 1.24.7
Azure SDK API Plugin (azure-sdk): 12.vc102aedd3c66
PAM Authentication plugin (pam-auth): 1.6
JQuery3 API Plugin (jquery3-api): 3.6.0-1
Git client plugin (git-client): 3.7.2
Blue Ocean Pipeline Editor (blueocean-pipeline-editor): 1.24.7
Pipeline: Multibranch (workflow-multibranch): 2.24
Clover plugin (clover): 4.12.0
Command Agent Launcher Plugin (command-launcher): 1.6
Credentials Plugin (credentials): 2.5
Next Build Number Plugin (next-build-number): 1.6
Pipeline: Stage Tags Metadata (pipeline-stage-tags-metadata): 1.8.5
Plot plugin (plot): 2.1.9
Mailer Plugin (mailer): 1.34
Blue Ocean (blueocean): 1.24.7
Git plugin (git): 4.7.2
Backup plugin (backup): 1.6.1
Authentication Tokens API Plugin (authentication-tokens): 1.4
Pipeline Graph Analysis Plugin (pipeline-graph-analysis): 1.11
Code Coverage API Plugin (code-coverage-api): 1.3.2
Java JSON Web Token (JJWT) Plugin (jjwt-api): 0.11.2-9.c8b45b8bb173
HTML Publisher plugin (htmlpublisher): 1.25
Folders Plugin (cloudbees-folder): 6.15
Green Balls (greenballs): 1.15.1
JIRA Integration for Blue Ocean (blueocean-jira): 1.24.7
JWT for Blue Ocean (blueocean-jwt): 1.24.7
skip-certificate-check (skip-certificate-check): 1.0
Config API for Blue Ocean (blueocean-config): 1.24.7
Popper.js API Plugin (popper-api): 1.16.1-2
Pipeline: Basic Steps (workflow-basic-steps): 2.23
Git Pipeline for Blue Ocean (blueocean-git-pipeline): 1.24.7
Branch API Plugin (branch-api): 2.6.4
Pipeline: Job (workflow-job): 2.41
Azure VM Agents (azure-vm-agents): 781.v5877a4d99d28
GitHub Pipeline for Blue Ocean (blueocean-github-pipeline): 1.24.7
i18n for Blue Ocean (blueocean-i18n): 1.24.7
Resource Disposer Plugin (resource-disposer): 0.15
Matrix Project Plugin (matrix-project): 1.19
Pipeline implementation for Blue Ocean (blueocean-pipeline-api-impl): 1.24.7
Docker Pipeline (docker-workflow): 1.26
Office 365 Connector (Office-365-Connector): 4.15.0
Matrix Authorization Strategy Plugin (matrix-auth): 2.6.7
Bitbucket Branch Source Plugin (cloudbees-bitbucket-branch-source): 2.9.9
Slack Notification Plugin (slack): 2.48
Web for Blue Ocean (blueocean-web): 1.24.7
Pipeline Utility Steps (pipeline-utility-steps): 2.8.0
SSH Build Agents plugin (ssh-slaves): 1.32.0
GIT server Plugin (git-server): 1.9
Jackson 2 API Plugin (jackson2-api): 2.12.3
Email Extension Template Plugin (emailext-template): 1.2
Variant Plugin (variant): 1.4
Cloud Statistics Plugin (cloud-stats): 0.27
Ant Plugin (ant): 1.11
SSH server (sshd): 3.0.3
Handy Uri Templates 2.x API Plugin (handy-uri-templates-2-api): 2.1.8-1.0
Pipeline: SCM Step (workflow-scm-step): 2.12
Email Extension Plugin (email-ext): 2.83
bouncycastle API Plugin (bouncycastle-api): 2.20
Structs Plugin (structs): 1.23
Bitbucket Pipeline for Blue Ocean (blueocean-bitbucket-pipeline): 1.24.7
JSch dependency plugin (jsch): 0.1.55.2
Pipeline SCM API for Blue Ocean (blueocean-pipeline-scm-api): 1.24.7
Maven Integration plugin (maven-plugin): 3.11
Design Language (jenkins-design-language): 1.24.7
Apache HttpComponents Client 4.x API Plugin (apache-httpcomponents-client-4-api): 4.5.13-1.0
jQuery plugin (jquery): 1.12.4-1
Extended Read Permission Plugin (extended-read-permission): 3.2
OkHttp Plugin (okhttp-api): 3.14.9
Plain Credentials Plugin (plain-credentials): 1.7
Javadoc Plugin (javadoc): 1.6
Pipeline: Model API (pipeline-model-api): 1.8.5
Font Awesome API Plugin (font-awesome-api): 5.15.3-2
Pipeline: Declarative Extension Points API (pipeline-model-extensions): 1.8.5
Pipeline: Groovy (workflow-cps): 2.92
Mercurial plugin (mercurial): 2.15
Extended Choice Parameter Plug-In (extended-choice-parameter): 0.82
Keychains and Provisioning Profiles Management (kpp-management-plugin): 1.0.0
OWASP Dependency-Check Plugin (dependency-check-jenkins-plugin): 5.1.1
Events API for Blue Ocean (blueocean-events): 1.24.7
Pipeline: Milestone Step (pipeline-milestone-step): 1.3.2
Blue Ocean Core JS (blueocean-core-js): 1.24.7
WMI Windows Agents Plugin (windows-slaves): 1.8
Caffeine API Plugin (caffeine-api): 2.9.1-23.v51c4e2c879c8
GitHub API Plugin (github-api): 1.123
Durable Task Plugin (durable-task): 1.37
JUnit Plugin (junit): 1.50
Snakeyaml API Plugin (snakeyaml-api): 1.27.0
Azure Credentials (azure-credentials): 182.v3ccd4a755864
Conditional BuildStep (conditional-buildstep): 1.4.1
Favorite (favorite): 2.3.3
Personalization for Blue Ocean (blueocean-personalization): 1.24.7
JavaScript GUI Lib: jQuery bundles (jQuery and jQuery UI) plugin (jquery-detached): 1.2.1
OpenID4Java API (openid4java): 0.9.8.0
Cobertura Plugin (cobertura): 1.16
Jira plugin (jira): 3.3
Pipeline: Step API (workflow-step-api): 2.23
Copy Artifact Plugin (copyartifact): 1.46.1
Trilead API Plugin (trilead-api): 1.0.13
Pipeline: Declarative (pipeline-model-definition): 1.8.5
Azure Commons Plugin (azure-commons): 1.1.3
Dashboard for Blue Ocean (blueocean-dashboard): 1.24.7
External Monitor Job Type Plugin (external-monitor-job): 1.7
ECharts API Plugin (echarts-api): 5.1.0-2
Credentials Binding Plugin (credentials-binding): 1.25
Pipeline: Supporting APIs (workflow-support): 3.8
Script Security Plugin (script-security): 1.77

Operating System

 Ubuntu 18.04.1 LTS (GNU/Linux 5.4.0-1047-azure x86_64)

Reproduction steps

Upgrade the Azure AD plugin from 155.v745ce80af7ea to 158.v437429002c6b

GitHub has been notified of this commit’s build result

com.microsoft.graph.http.GraphServiceException: Error code: Authorization_RequestDenied Error message: Insufficient privileges to complete the operation.

GET https://graph.microsoft.com/v1.0/users/xxxxxxx SdkVersion : graph-java/v3.4.0

403 : Forbidden [...]

[Some information was truncated for brevity, enable debug logging for more details] at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:419) at com.microsoft.graph.http.GraphServiceException.createFromResponse(GraphServiceException.java:378) at com.microsoft.graph.http.CoreHttpProvider.handleErrorResponse(CoreHttpProvider.java:503) at com.microsoft.graph.http.CoreHttpProvider.processResponse(CoreHttpProvider.java:432) at com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider

Workaround:

I have rolled back the plugin to the previous version 155.v745ce80af7ea and these 3 issues are solved.

timja commented 3 years ago

The ssh one is a known issue, https://github.com/jenkinsci/azure-ad-plugin/issues/128

I assume it's something in https://github.com/jenkinsci/azure-ad-plugin/pull/125 but I can't see anything jumping out at me

timja commented 3 years ago

I don't know what's going on for SSH as it works just fine for me: https://github.com/jenkinsci/azure-ad-plugin/issues/128

timja commented 3 years ago

What permissions does your Jenkins app registration have?

See recommended ones at https://github.com/jenkinsci/azure-ad-plugin#setup-azure-ad-permissions-optional-but-recommended

BenjaminBarnel commented 3 years ago

Hello,

All seems fine on my side.

On Azure: Screenshot 2021-06-16 at 09:43:51

And the Jenkins matrix: Screenshot 2021-06-16 at 09:41:07

timja commented 3 years ago

Can you confirm you've downloaded a fresh version of the CLI on 2.289.1 and not a stored version from a previous version of Jenkins?

BenjaminBarnel commented 3 years ago

Yes, right: ssh -l jenkins -p 50002 blibli.qapa.fr version 2.289.1

timja commented 3 years ago

Any more details you can share about how it's setup?

Are you using project-based authorization?

Anything interesting you can think of?

What type of job is it? Can you provide a jobdsl snippet or config.xml?

BenjaminBarnel commented 3 years ago

1. Perhaps one, yes: when I use Test on the plugin I have this error:

Screenshot 2021-06-17 at 10:06:32

Same error with Object ID

2. When the job fails the log is:

The recommended git tool is: git

using credential xxxx

Cloning the remote Git repository

Cloning with configured refspecs honoured and without tags

Cloning repository https://github.com/xx/xx.git

git init /home/jenkins/HomeJenkinsSlave/workspace/xxxxx # timeout=10

Fetching upstream changes from https://github.com/xx/xx.git

git --version # timeout=10

git --version # 'git version 2.17.1'

using GIT_ASKPASS to set credentials Organisation Plugin

git fetch --no-tags --progress -- https://github.com/xxx/xxx.git +refs/heads/xxxx:refs/remotes/origin/xxxx # timeout=10

Avoid second fetch

Checking out Revision 50c78b591f40c02b40eaf376c129319be81142fc (xxxx)

git config remote.origin.url https://github.com/xxxx/xxxx.git # timeout=10

git config --add remote.origin.fetch +refs/heads/xxxx/refs/remotes/origin/xxxx9 # timeout=10

git config core.sparsecheckout # timeout=10

git checkout -f 50c78b591f40c02b40eaf376c129319be81142fc # timeout=10

Commit message: "blabla"

First time build. Skipping changelog.

git --version # timeout=10

git --version # 'git version 2.17.1'

com.microsoft.graph.http.GraphServiceException: Error code: Authorization_RequestDenied

Error message: Insufficient privileges to complete the operation.

GET https://graph.microsoft.com/v1.0/users/Benjamin%20Barnel

SdkVersion : graph-java/v3.4.0

403 : Forbidden

[...]

[Some information was truncated for brevity, enable debug logging for more details]

timja commented 3 years ago

Display name isn't a UPN or object ID, but you would get "not found", not "insufficient permissions", if that was the issue.

It sounds like there's something wrong with your app registration.

One suggestion would be to create a new one and step through the guide at https://github.com/jenkinsci/azure-ad-plugin#setup-in-azure-active-directory to see if that fixes it.

BenjaminBarnel commented 3 years ago

ok i will

toomer commented 3 years ago

We are hitting the same problem after the upgrade. Please let me know if re-registering the app helps here.

toomer commented 3 years ago

@BenjaminBarnel

It's not a plugin issue. It looks like in the new plugin version the "Graph API permissions" are mandatory. In Microsoft Graph you need to give "Application permissions" for 'User.Read.All', 'Group.Read.All' and 'People.Read'.

After I did that, everything works as before and I didn't get that error.
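The two symptoms discussed above (timja's point that a wrong identifier would return "not found" rather than "insufficient privileges", and toomer's point that the newer plugin needs consented Graph application permissions) can be separated offline. The script below is an added example, not code from the plugin or from anyone in this thread: it decodes the `roles` claim of the app-only access token an app registration would present to Graph, compares it with a required set, and classifies a Graph error body. The required role set (`User.Read.All`, `Group.Read.All`) is taken from the comment above and is an assumption to adjust against the plugin README; the token and error bodies are constructed samples, and the JWT signature is deliberately not verified, so this is a diagnostic, not an authentication step.

```python
"""Triage a Microsoft Graph 403 seen from a Jenkins app registration (added example)."""
import base64
import json

# Application (not delegated) permissions named in the thread; assumption,
# check the plugin README for the authoritative list.
REQUIRED_ROLES = {"User.Read.All", "Group.Read.All"}

# Constructed sample error bodies mirroring the shape Graph returns.
SAMPLE_403 = {"error": {"code": "Authorization_RequestDenied",
                        "message": "Insufficient privileges to complete the operation."}}
SAMPLE_404 = {"error": {"code": "Request_ResourceNotFound",
                        "message": "Resource 'Benjamin Barnel' does not exist."}}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str, required=REQUIRED_ROLES) -> set:
    """Application permissions that were granted+consented appear in `roles`.

    A delegated token carries `scp` instead; Graph will not treat a delegated
    scope as an application permission, so only `roles` is consulted here.
    """
    claims = decode_jwt_claims(token)
    return set(required) - set(claims.get("roles", []))


def classify_graph_error(status: int, body: dict) -> str:
    """Map a Graph HTTP status + error code onto a root-cause bucket."""
    code = body.get("error", {}).get("code", "")
    if status == 403 and code == "Authorization_RequestDenied":
        return "permission"   # app registration lacks a consented application permission
    if status == 404 and code == "Request_ResourceNotFound":
        return "not_found"    # identifier is not a UPN or object id the tenant knows
    if status == 401:
        return "auth"         # token invalid/expired/wrong audience
    return "other"


def make_sample_token(roles) -> str:
    """Build an unsigned (alg=none) JWT for offline testing; never use for real auth."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}
    return f"{enc(header)}.{enc(payload)}."


def triage(token: str, status: int, body: dict) -> str:
    """Combine the token check and the error classification into one verdict."""
    kind = classify_graph_error(status, body)
    missing = missing_app_roles(token)
    if kind == "permission" and missing:
        return "grant+consent application permissions: " + ", ".join(sorted(missing))
    if kind == "permission":
        return "token has the required roles; check admin consent, tenant, or that the token is app-only"
    if kind == "not_found":
        return "identifier is wrong (use UPN or object id); permissions are fine"
    return kind


if __name__ == "__main__":
    weak = make_sample_token(["Group.Read.All"])
    full = make_sample_token(REQUIRED_ROLES)
    print(triage(weak, 403, SAMPLE_403))
    print(triage(full, 403, SAMPLE_403))
    print(triage(full, 404, SAMPLE_404))
```

In practice the token to decode is the one the app registration obtains with the client-credentials grant; if `roles` already lists the permissions and Graph still answers 403, the remaining suspects are missing admin consent or the token being delegated (`scp`) rather than app-only.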

BenjaminBarnel commented 3 years ago

Hello, I just tried it with the new configuration and all application permissions, and it doesn't work on my side with Graph.

But I just installed the latest version 171.v9ef20c94d336 and now we have the possibility to disable Graph API permissions. This option solved my issue.

Screenshot 2021-06-24 at 13:38:38

maragunde93 commented 2 years ago

I'm facing the same issue and "Disable Graph Integration" fixed it, yet I can't manage to enable that option through the Configuration as Code plugin. I added the snippet like this:

securityRealm:
  azure:
    cacheDuration: 36000
    clientId: ****
    ...
    ...
    disableGraphIntegration: true

But when the configuration is loaded the checkbox is not checked. Was anyone able to make it work with the CasC plugin?

Thanks!

timja commented 2 years ago

Best to create a new issue; from a quick read of the code it all looks correct though.

maragunde93 commented 2 years ago

Thanks for the quick reply @timja, after checking again, it seems it was related to an error on our end. I will create a new issue if it keeps happening.