jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Lost administrator role in azure-ad 3.0 upgrade with role-strategy 3.2.0 #179

Closed. KalleOlaviNiemitalo closed this 2 years ago.

KalleOlaviNiemitalo commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.319.1
OS: Windows Server 2012 R2 - 6.3
---
Office-365-Connector:4.15.2
ace-editor:1.1
analysis-model-api:10.8.1
antisamy-markup-formatter:2.5
apache-httpcomponents-client-4-api:4.5.13-1.0
atlassian-bitbucket-server-integration:3.1.0
authentication-tokens:1.4
authorize-project:1.4.0
azure-ad:188.v2369adb95a31 ⭐ upgraded from 185.v3b416408dcb1
azure-sdk:70.v63f6a95999a7
basic-branch-build-strategies:1.3.2
bitbucket-server-checks:1.0-SNAPSHOT (private-49d94041-kalle) ⭐ private plugin
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-4
bouncycastle-api:2.25
branch-api:2.7.0
buildtriggerbadge:2.11
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:734.v2f848c5e6ea2
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.17
command-launcher:1.2
compress-artifacts:1.10
configuration-as-code:1.55
copyartifact:1.46.2
credentials:1055.v1346ba467ba1
credentials-binding:1.27
custom-tools-plugin:0.8
data-tables-api:1.11.3-6
display-url-api:2.3.5
dtkit-api:3.0.0
durable-task:493.v195aefbb0ff2
echarts-api:5.2.2-2
extended-choice-parameter:0.82
extended-read-permission:3.2
fast-track:1.0.0
folder-auth:1.3
font-awesome-api:5.15.4-5
forensics-api:1.7.0
git:4.10.1
git-client:3.10.0
git-forensics:1.3.0
git-server:1.10
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
hudson-wsclean-plugin:1.0.8
jackson2-api:2.13.1-242.v1a45bad25ceb
jaxb:2.3.0.1
jdk-tool:1.0
jira:3.6
job-restrictions:0.8
jquery:1.12.4-1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
lockable-resources:2.12
mailer:1.34
matrix-auth:3.0 ⭐ upgraded from 2.6.11
matrix-project:1.19
momentjs:1.1.1
mstest:1.0.0
next-build-number:1.7
nunit:0.27
okhttp-api:4.9.3-105.vb96869f8ac3a
pipeline-build-step:2.15
pipeline-graph-analysis:1.12
pipeline-graph-view:47.v91726240f7a6
pipeline-input-step:427.va6441fa17010
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.19
pipeline-utility-steps:2.11.0
plain-credentials:1.7
plugin-util-api:2.8.0
popper-api:1.16.1-2
popper2-api:2.11.0-1
prism-api:1.25.0-1
resource-disposer:0.16
role-strategy:3.2.0
scm-api:2.6.5
script-security:1118.vba21ca2e3286
sidebar-link:1.12.1
sidebar-update-notification:1.1.0
snakeyaml-api:1.29.1
ssh-credentials:1.19
sshd:3.1.0
structs:308.v852b473a2b8c
timestamper:1.15
token-macro:267.vcdaea6462991
trilead-api:1.0.13
vstestrunner:1.0.8
warnings-ng:9.10.2
windows-slaves:1.0
workflow-aggregator:2.6
workflow-api:1108.v57edf648f5d4
workflow-basic-steps:2.24
workflow-cps:2648.va9433432b33c
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1107.v5dab75aaccbd
workflow-job:1145.v7f2433caa07f
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:615.vb09dac339255
workflow-support:804.vba10a18a1476
ws-cleanup:0.39
xunit:3.0.5

Reproduction steps

The Configuration as Code jenkins.yaml file included:

jenkins:
  authorizationStrategy:
    roleBased:
      roles:
        global:
        - assignments:
          - "REDACTED@REDACTED.com" # my Azure AD account without any "USER:" or "GROUP:" prefix
          name: "admin"
          pattern: ".*"
          permissions:
          - "Job/Create"
          - "Overall/Administer"

jenkins.yaml also defined a few more global roles and item roles, but those should only be able to grant more permissions rather than remove any, so they don't seem relevant to this issue.

Before the upgrade, I was able to log in as REDACTED@REDACTED.com and get administrator access to Jenkins.

I then upgraded Jenkins plugins:

restarted Jenkins, and logged in.

Results

Expected result:

Should still have been able to log in and have administrator access to Jenkins.

Actual result:

I was able to log in again but no longer had administrator access.

I edited jenkins.yaml, added the "USER:" prefix to the email address, and restarted Jenkins again. I was still able to log in but did not have administrator access.

I downloaded the previous versions of azure-ad.hpi and matrix-auth.hpi from https://plugins.jenkins.io/, copied them to JENKINS_HOME/plugins as described in https://www.jenkins.io/doc/book/managing/plugins/#on-the-controller and restarted Jenkins. I was able to log in and got administrator access again.
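Before an authorization-plugin upgrade it helps to know exactly which sids in the CasC file carry Overall/Administer and whether they are written in the typed "USER:"/"GROUP:" form or untyped, so that each one can be re-verified after the restart. The script below is an added example; it is not code from this issue, from azure-ad, from matrix-auth or from role-strategy, and its function names and the constructed sample configuration (the "readers" role and its sids are invented; the admin role mirrors the reporter's jenkins.yaml) are this example's own. The "USER:" rewrite it offers is the same edit the reporter made by hand, which the thread shows did not restore access with matrix-auth 3.0 and role-strategy 3.2.0, so its output is something to compare and review, not a fix.

```python
"""Audit the roleBased section of a Configuration-as-Code jenkins.yaml.

For every global role, report whether it grants Overall/Administer and
which of its assignments are typed ("USER:"/"GROUP:" prefix) or untyped.
Added example; not code from the issue or from any of the plugins involved.
"""
import copy
import sys

TYPED_PREFIXES = ("USER:", "GROUP:")
ADMIN_PERMISSION = "Overall/Administer"

# Constructed sample in the shape of the reporter's jenkins.yaml.  The
# "readers" role and its sids are made up; the admin role matches the issue.
SAMPLE_CASC = {"jenkins": {"authorizationStrategy": {"roleBased": {"roles": {
    "global": [
        {"name": "admin", "pattern": ".*",
         "permissions": ["Job/Create", "Overall/Administer"],
         "assignments": ["REDACTED@REDACTED.com"]},
        {"name": "readers", "pattern": ".*",
         "permissions": ["Overall/Read", "Job/Read"],
         "assignments": ["GROUP:11111111-2222-3333-4444-555555555555",
                         "authenticated"]},
    ]}}}}}


def classify_sid(sid):
    """Return (kind, bare_sid); kind is USER, GROUP, UNTYPED or INVALID."""
    if not isinstance(sid, str) or not sid.strip():
        return "INVALID", ""
    for prefix in TYPED_PREFIXES:
        if sid.startswith(prefix):
            bare = sid[len(prefix):]
            return (prefix[:-1], bare) if bare else ("INVALID", "")
    return "UNTYPED", sid


def global_roles(casc):
    """jenkins.authorizationStrategy.roleBased.roles.global, or [] if absent."""
    strategy = (casc.get("jenkins") or {}).get("authorizationStrategy") or {}
    roles = (strategy.get("roleBased") or {}).get("roles") or {}
    return roles.get("global") or []


def audit(casc):
    """One finding per global role: name, admin flag, sids grouped by kind."""
    findings = []
    for role in global_roles(casc):
        by_kind = {"USER": [], "GROUP": [], "UNTYPED": [], "INVALID": []}
        for sid in role.get("assignments") or []:
            kind, bare = classify_sid(sid)
            by_kind[kind].append(bare)
        findings.append({
            "role": role.get("name"),
            "grants_admin": ADMIN_PERMISSION in (role.get("permissions") or []),
            "sids": by_kind,
        })
    return findings


def admin_sids(casc):
    """Bare sids that receive Overall/Administer through any global role."""
    out = set()
    for f in audit(casc):
        if f["grants_admin"]:
            for kind in ("USER", "GROUP", "UNTYPED"):
                out.update(f["sids"][kind])
    return sorted(out)


def untyped_admin_sids(casc):
    """Untyped sids on admin roles: the ones to re-check after an upgrade."""
    return sorted(s for f in audit(casc) if f["grants_admin"]
                  for s in f["sids"]["UNTYPED"])


def with_user_prefix(casc):
    """Copy of the config with untyped admin sids rewritten as USER:<sid>.

    This is the manual edit the reporter tried; the thread shows it did not
    restore access, so treat the result as a config to compare, not a fix.
    """
    out = copy.deepcopy(casc)
    for role in global_roles(out):
        if ADMIN_PERMISSION in (role.get("permissions") or []):
            role["assignments"] = [
                "USER:" + sid if classify_sid(sid)[0] == "UNTYPED" else sid
                for sid in role.get("assignments") or []]
    return out


def main(argv):
    """With a path argument, audit that jenkins.yaml (needs PyYAML); else the sample."""
    if len(argv) > 1:
        import yaml  # PyYAML, only needed to read a real jenkins.yaml
        with open(argv[1], encoding="utf-8") as fh:
            casc = yaml.safe_load(fh)
    else:
        casc = SAMPLE_CASC
    for f in audit(casc):
        print(("ADMIN " if f["grants_admin"] else "      ") + f"{f['role']}: {f['sids']}")
    print("untyped sids on admin roles:", untyped_admin_sids(casc))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_casc.py /path/to/jenkins.yaml` before the upgrade and keep the printed list; after the restart, log in as each listed sid and confirm Overall/Administer is still held, exactly as the reporter did by hand.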

timja commented 2 years ago

Matrix auth 3.0 and role strategy are not compatible currently; likely nothing to do in this plugin. I'll add a warning to the release notes when I'm back at a computer.

KalleOlaviNiemitalo commented 2 years ago

Thank you for confirming.

KalleOlaviNiemitalo commented 2 years ago

I should file an issue on Role-based Authorization Strategy, then. The previously filed issues don't seem to cover this incompatibility:

timja commented 2 years ago

There have been a couple of issues raised against matrix auth (and closed since) and on places like community.Jenkins.io, I believe, but yes, if there's no open issue then please do.

KalleOlaviNiemitalo commented 2 years ago

JENKINS-67387 on matrix-auth-plugin seems pretty close, but it also says that adding USER: fixed the problem, which doesn't match what I experienced.

KalleOlaviNiemitalo commented 2 years ago

Filed JENKINS-67422 on role-strategy-plugin, and https://github.com/jenkins-infra/jenkins.io/issues/4778 on the manual plugin installation instructions.