jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Rights for "Authenticated Users" are overriding individual rights #185

Open aubertaa opened 2 years ago

aubertaa commented 2 years ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.319.1
OS: Linux - 5.4.0-1060-aws
---
Office-365-Connector:4.15.2 PrioritySorter:4.0.1 ace-editor:1.1 active-directory:2.25 amazon-ecr:1.7 analysis-model-api:10.8.1 android-emulator:3.1.3 ansicolor:1.0.1 ant:1.13 antisamy-markup-formatter:2.6 apache-httpcomponents-client-4-api:4.5.13-1.0 authentication-tokens:1.4 aws-credentials:1.33 aws-java-sdk:1.12.131-302.vbef9650c6521 aws-java-sdk-cloudformation:1.12.131-302.vbef9650c6521 aws-java-sdk-codebuild:1.12.131-302.vbef9650c6521 aws-java-sdk-ec2:1.12.131-302.vbef9650c6521 aws-java-sdk-ecr:1.12.131-302.vbef9650c6521 aws-java-sdk-ecs:1.12.131-302.vbef9650c6521 aws-java-sdk-elasticbeanstalk:1.12.131-302.vbef9650c6521 aws-java-sdk-iam:1.12.131-302.vbef9650c6521 aws-java-sdk-logs:1.12.131-302.vbef9650c6521 aws-java-sdk-minimal:1.12.131-302.vbef9650c6521 aws-java-sdk-ssm:1.12.131-302.vbef9650c6521 azure-ad:189.v2da14dccdb43 azure-sdk:84.v53035e83f3c2 badge:1.9 blueocean:1.25.2 blueocean-autofavorite:1.2.4 blueocean-bitbucket-pipeline:1.25.2 blueocean-commons:1.25.2 blueocean-config:1.25.2 blueocean-core-js:1.25.2 blueocean-dashboard:1.25.2 blueocean-display-url:2.4.1 blueocean-events:1.25.2 blueocean-git-pipeline:1.25.2 blueocean-github-pipeline:1.25.2 blueocean-i18n:1.25.2 blueocean-jira:1.25.2 blueocean-jwt:1.25.2 blueocean-personalization:1.25.2 blueocean-pipeline-api-impl:1.25.2 blueocean-pipeline-editor:1.25.2 blueocean-pipeline-scm-api:1.25.2 blueocean-rest:1.25.2 blueocean-rest-impl:1.25.2 blueocean-web:1.25.2 bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.3-4 bouncycastle-api:2.25 branch-api:2.7.0 build-monitor-plugin:1.13+build.202112271752 build-pipeline-plugin:1.5.8 build-timeout:1.20 build-user-vars-plugin:1.8 built-on-column:1.1 caffeine-api:2.9.2-29.v717aac953ff3 checks-api:1.7.2 claim:2.18.2 cloudbees-bitbucket-branch-source:734.v2f848c5e6ea2 cloudbees-folder:6.17 cobertura:1.17 code-coverage-api:2.0.4 command-launcher:1.6 compress-artifacts:1.10 conditional-buildstep:1.4.1
config-file-provider:3.8.2 configuration-as-code:1.55.1 configuration-as-code-groovy:1.1 configurationslicing:1.52 copyartifact:1.46.2 cors-filter:1.1 credentials:1055.v1346ba467ba1 credentials-binding:1.27 cvs:2.19 cygpath:1.5 dashboard-view:2.18 data-tables-api:1.11.3-6 datadog:3.4.0 delivery-pipeline-plugin:1.4.2 dependency-check-jenkins-plugin:5.1.2 discard-old-build:1.05 display-url-api:2.3.5 docker-commons:1.17 docker-workflow:1.26 doxygen:0.18 dropdown-viewstabbar-plugin:1.7 dtkit-api:3.0.0 durable-task:493.v195aefbb0ff2 ec2:1.66 ec2-fleet:2.4.1 echarts-api:5.2.2-2 email-ext:2.86 embeddable-build-status:2.0.3 envinject:2.4.0 envinject-api:1.8 extended-choice-parameter:0.82 external-monitor-job:1.7 extra-columns:1.25 favorite:2.3.3 file-operations:1.11 font-awesome-api:5.15.4-5 forensics-api:1.7.0 ftppublisher:1.2 gallio:1.8 gatling:1.3.0 git:4.10.1 git-client:3.10.1 git-parameter:0.9.14 git-server:1.10 github:1.34.1 github-api:1.301-378.v9807bd746da5 github-branch-source:2.11.4 gitlab-plugin:1.5.26 global-build-stats:1.5 global-variable-string-parameter:1.2 golang:1.4 google-oauth-plugin:1.0.6 gradle:1.37.1 groovy:2.4 groovy-postbuild:2.5 h2-api:1.4.199 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-1.0 heavy-job:1.1 htmlpublisher:1.28 http_request:1.12 ignore-committer-strategy:1.0.4 jackson2-api:2.13.1-244.v773c36c5b330 jacoco:3.3.1 javadoc:1.6 javax-activation-api:1.2.0-2 javax-mail-api:1.6.2-5 jaxb:2.3.0.1 jdk-tool:1.5 jenkins-design-language:1.25.2 jenkins-multijob-plugin:1.36 jersey2-api:2.35-3 jira:3.6 jjwt-api:0.11.2-9.c8b45b8bb173 job-import-plugin:3.4 jobConfigHistory:2.31-rc1098.b666422863b2 jquery:1.12.4-1 jquery-detached:1.2.1 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.53 kubernetes-cli:1.10.3 kubernetes-client-api:5.11.1-179.v12037658df90 kubernetes-credentials:0.9.0 ldap:2.7 lockable-resources:2.13 log-parser:2.2 mailer:1.34 mapdb-api:1.0.9.0 mask-passwords:3.0 matrix-auth:3.0 matrix-project:1.19 maven-plugin:3.16 mercurial:2.16
metrics:4.0.2.8 momentjs:1.1.1 monitoring:1.90.0 msbuild:1.30 mstest:1.0.0 mstestrunner:1.3.0 naginator:1.18.1 nant:1.4.3 node-iterator-api:1.5.1 nodejs:1.4.3 nunit:0.27 oauth-credentials:0.5 okhttp-api:4.9.3-105.vb96869f8ac3a pam-auth:1.6.1 parameterized-trigger:2.43 pipeline-build-step:2.15 pipeline-github-lib:1.0 pipeline-graph-analysis:188.v3a01e7973f2c pipeline-input-step:427.va6441fa17010 pipeline-maven:3.10.0 pipeline-milestone-step:1.3.2 pipeline-model-api:1.9.3 pipeline-model-definition:1.9.3 pipeline-model-extensions:1.9.3 pipeline-rest-api:2.20 pipeline-stage-step:291.vf0a8a7aeeb50 pipeline-stage-tags-metadata:1.9.3 pipeline-stage-view:2.20 pipeline-utility-steps:2.11.0 plain-credentials:1.7 plugin-util-api:2.12.0 popper-api:1.16.1-2 popper2-api:2.11.2-1 port-allocator:1.8 postbuild-task:1.9 postbuildscript:3.1.0-348.vaf5cd5c632ce powershell:1.7 preSCMbuildstep:0.3 prism-api:1.25.0-2 publish-over:0.22 publish-over-cifs:0.16 publish-over-ftp:1.16 pubsub-light:1.16 purge-job-history:1.6 radiatorviewplugin:1.29 release:2.13 resource-disposer:0.17 run-condition:1.5 s3:0.12.1 saferestart:0.3 scalable-amazon-ecs:1.0 scm-api:2.6.5 script-security:1118.vba21ca2e3286 scriptler:3.4 seleniumhtmlreport:1.1 simple-theme-plugin:0.7 slack:2.49 sloccount:1.25 snakeyaml-api:1.29.1 snsnotify:2.0 sonar:2.14 sse-gateway:1.24 ssh:2.6.1 ssh-agent:1.23 ssh-credentials:1.19 ssh-slaves:1.33.0 ssh-steps:2.0.0 sshd:3.1.0 statistics-gatherer:2.0.3 strict-crumb-issuer:2.1.0 structs:308.v852b473a2b8c subversion:2.15.1 swarm:3.29 test-results-analyzer:0.3.5 text-finder:1.17 thinBackup:1.10 throttle-concurrents:2.6 timestamper:1.15 token-macro:267.vcdaea6462991 translation:1.16 trilead-api:1.0.13 variant:1.4 view-job-filters:2.3 vstestrunner:1.0.8 windows-slaves:1.8 workflow-aggregator:2.6 workflow-api:1108.v57edf648f5d4 workflow-basic-steps:2.24 workflow-cps:2648.va9433432b33c workflow-cps-global-lib:552.vd9cc05b8a2e1 workflow-durable-task-step:1112.vda00e6febcc1
workflow-job:1145.v7f2433caa07f workflow-multibranch:696.v52535c46f4c9 workflow-scm-step:2.13 workflow-step-api:615.vb09dac339255 workflow-support:804.vba10a18a1476 ws-cleanup:0.40 xcode-plugin:2.0.15 xunit:3.0.5
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Master is on: OS Linux - 5.4.0-1060-aws. No other system involved to reproduce the issue.

Reproduction steps

  1. configure Jenkins to use "Azure Active Directory Matrix-based security"
  2. set no specific rights for "anonymous users" and for "Authenticated users"
  3. set all rights for an existing AD user:

I tested this in an isolated context, by creating a new job and choosing "Do not inherit permission grants from other ACLs", then setting the permissions as described above:

[image]

  4. Then try to read job history by calling:

You'll get a 404.

  5. Just add "read" permission to "Authenticated users"

[image]

  6. Try again to read job history by running the API call again; you'll get a valid result.

It seems that giving rights to a specific user is not well considered. Needing to also give rights to a larger group seems to be a regression and does not conform to "least privilege" security common practices.

Thanks for your help on that.

Expected Results

Individual rights should override more global ones: extending rights for a specific user should be possible.

Actual Results

Individual rights are overridden by "Authenticated users" ones.

Anything else?

No response

wolfmah commented 2 years ago

I'm experiencing the exact same behaviour.

In our config, we have:

```yaml
jenkins:
  authorizationStrategy:
    azureAdMatrix:
      permissions:
        - "GROUP:Job/Build:authenticated"
        - "GROUP:Job/Cancel:authenticated"
        - "GROUP:Job/Read:authenticated"
        - "GROUP:Job/Workspace:authenticated"
        - "GROUP:Overall/Administer:Jenkins Admin (33c17c58-2834-4109-ba02-09364679a0e1)"
        - "GROUP:Overall/Read:authenticated"
        - "GROUP:Run/Replay:authenticated"
        - "GROUP:View/Read:authenticated"
        - "USER:Job/Build:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
        - "USER:Job/Create:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
        - "USER:Run/Delete:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
```

With the above:

I'm pretty sure it's either those two things:
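The semantics both reports expect (the original issue's "individual rights should override more global ones" and the config in the comment above) can be stated as a small model: a user's effective rights are the union of USER grants on their own sid and GROUP grants on each group they belong to, including the "authenticated" pseudo-group. This is an added illustration, not the plugin's code; it parses the `TYPE:Permission:sid` entries from the JCasC snippet above, and the user and group names it is called with are constructed.

```python
"""Model of the matrix-ACL evaluation expected from "Azure Active Directory
Matrix-based security": effective rights are the UNION of grants to the user's
own sid, to each of the user's group sids, and to "authenticated" (every
logged-in user). A USER grant must therefore hold even when "authenticated"
has no grant at all. Added illustration, not the plugin's own code."""
from collections import defaultdict

AUTHENTICATED = "authenticated"
ADMINISTER = "Overall/Administer"  # in Jenkins this implies every other permission


def parse_entries(entries):
    """'USER:Job/Read:sid' / 'GROUP:Job/Read:sid' lines -> {sid: {permission}}."""
    grants = defaultdict(set)
    for entry in entries:
        kind, perm, sid = entry.split(":", 2)  # sid may contain spaces and parentheses
        if kind not in ("USER", "GROUP"):  # the two entry types used in the config above
            raise ValueError(f"unsupported entry type in {entry!r}")
        grants[sid].add(perm)
    return dict(grants)


def _union(grants, sids):
    return set().union(*(grants.get(s, set()) for s in sids))


def effective_permissions(grants, user, groups=(), authenticated=True):
    """Expected semantics: union over the user sid, the group sids and 'authenticated'."""
    sids = {user, *groups} | ({AUTHENTICATED} if authenticated else set())
    return _union(grants, sids)


def has_permission(grants, user, perm, groups=(), authenticated=True):
    perms = effective_permissions(grants, user, groups, authenticated)
    return perm in perms or ADMINISTER in perms


def user_only_permissions(grants, user, groups=(), authenticated=True):
    """Rights held ONLY through USER entries: exactly the ones that disappear if
    individual grants are ignored as this issue describes. Handy for auditing a
    config for the reported behaviour before widening any group grant."""
    group_sids = set(groups) | ({AUTHENTICATED} if authenticated else set())
    return grants.get(user, set()) - _union(grants, group_sids)
```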

timja commented 2 years ago

Thanks, will try to reproduce in the next few days.