jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it is loading forever and does not return any user #314

Open Raviyadav409 opened 2 years ago

Raviyadav409 commented 2 years ago

We are using the latest Jenkins application version, i.e. 2.361.1.

Jenkins application version: Jenkins 2.361.1
Helm version: 4.2.0
Azure AD Plugin version: 267.v5b_dfb_514d9fd
Operating system: Linux/Windows
Helm chart version link: https://artifacthub.io/packages/helm/jenkinsci/jenkins/4.2.0
Web browser: any
Cluster: GKE cluster
GKE cluster version: v1.21.14-gke.700

Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it loads forever and does not return any user, even though we have already made the App registration and provided all permissions.


KalleOlaviNiemitalo commented 2 years ago

You can perhaps work around the problem by checking the "Disable graph integration" box in the Jenkins security settings. That way, Jenkins won't attempt to query all users and groups from Azure AD, and you have to paste the names and IDs as text instead. I do this to minimize the information leaks in case the Jenkins controller is somehow compromised.

hawknewton commented 2 years ago

Stumbled upon a workaround here. I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:

  1. Enable Azure AD authentication, make sure you can use the test functionality to lookup your UPN and set access control to Logged in users can do anything. Click Save
  2. Change authorization to Azure AD and click the Administrator checkbox next to Authenticated users. Also, click Disable graph integration and click Save
  3. Go add some random entry under the matrix, I used my UPN and clicked the Administrator checkbox. Click save
  4. Finally, go back and uncheck Disable graph integration and click save

At this point the group/user lookup works. I've done this on two distinct Jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.

Good luck!

tgquan67 commented 2 years ago

@hawknewton I have tried your workaround but it did not work in my case. In your case, is the UPN your email or AAD object ID? According to Jenkins' user profile page, my UPN should be the email, but I can only use the object ID as a valid UPN while testing connection for authentication or putting into the AAD authorization matrix. EDIT: somehow it worked, but it definitely did not work when I was logged in as admin. It worked when I logged in as an Azure AD user though. So the flow that worked for me is:

  1. Sign in as admin user, set up the AAD authentication. Save it.
  2. In the Authorization section, select AAD Matrix-based security, and give Administer permission to Authenticated Users. Save it.
  3. Log out of admin user and log in as an AAD user. Now you should be able to look up users/groups. Add yourself/your group there, give yourself Administer permission and remove Administer permission from Authenticated Users for safety.

Raviyadav409 commented 2 years ago

@hawknewton @tgquan67 Hi guys, I tried both scenarios but it is still not working. In both cases I found the same ACCESS DENIED issue.


tgquan67 commented 2 years ago

@Raviyadav409 when you tried what I posted, were you able to search for users/groups? Notice that you have to enable graph integration to be able to search; otherwise you will have to enter the user manually in a very specific and precise way, or else the user will not be granted anything. Basically in my case there are 2 requirements:

Raviyadav409 commented 2 years ago

Hi @tgquan67, I have signed in as AAD. For your reference I have attached a screenshot below.

And one thing I would like to mention is that I'm not able to search for users/groups. We have already made the App registration and provided all permissions. You can see all permissions here as well!

tgquan67 commented 2 years ago

On my side the permissions are different.

I think you will at least need Directory.Read.All to search for users/groups (refer to https://github.com/jenkinsci/azure-ad-plugin/issues/89).

timja commented 2 years ago

> I think you will at least need Directory.Read.All

You shouldn't need that. Are there any errors in the browser console or Jenkins logs?

andysworkshop commented 2 years ago

> Stumbled upon a workaround here. I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:
>
> 1. Enable Azure AD authentication, make sure you can use the test functionality to lookup your UPN and set access control to `Logged in users can do anything`. Click `Save`
>
> 2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`. Also, click `Disable graph integration` and click Save
>
> 3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox. Click save
>
> 4. Finally, go back and uncheck `Disable graph integration` and click save
>
> At this point the group/user lookup works. I've done this on two distinct Jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
>
> Good luck!

This fixed it for me, thanks a lot. The logs were totally silent with no clues as to what the underlying root cause might be.

Raviyadav409 commented 2 years ago

Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we give the Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we give the admin permission to our user, even when I give Administer to myself, I'm still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot.

we need to add this screenshot

In the above image you can see I have checked the Administer box for myself (Yadav Ravi) and for other users as well.

managed-jenkins is not visible

In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.

Apart from that, I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, I'm no longer able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.

tgquan67 commented 2 years ago

@Raviyadav409 I'm not sure about your first question, but for your second question, once you have set up a different authentication scheme, you will not be able to use admin user from the built-in database (refer to https://issues.jenkins.io/browse/JENKINS-15063 for more detail).

cap-mevans commented 2 years ago

Has anyone tried the update 2.361.2 to see if that resolves this issue?

Raviyadav409 commented 2 years ago

Hi @cap-mevans, sorry to inform you that we haven't got this application update at the container level yet.

You can check that ArtifactHub is using Jenkins version 2.361.1:

https://artifacthub.io/packages/helm/jenkinsci/jenkins

timja commented 2 years ago

artifact hub is now updated FWIW

Raviyadav409 commented 1 year ago

Hi All,

I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.361.2. In this version I'm also getting the same issue I raised earlier. You can find that issue below.

Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we give the Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we give the admin permission to our user, even when I give Administer to myself, I'm still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot.

we need to add this screenshot

In the above image you can see I have checked the Administer box for myself (Yadav Ravi) and for other users as well.

managed-jenkins is not visible

In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.

Apart from that, I'm facing another issue regarding Jenkins login. Once I set up Azure AD matrix-based security, I'm no longer able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.

tgquan67 commented 1 year ago

Did you add those users by selecting from the search box (with graph integration enabled), or did you just forcefully add them there while graph integration was disabled? Because even if the name there is a bit incorrect, the permission will not take effect. In my case, the names there are displayed in the My.Email@mydomain.com (user-object-id-in-AD) or groupname (group-object-id-in-AD) format. In the past I also tried to manually add my name there with graph integration disabled, but it's quite hard to figure out the correct format without seeing the correct one in your particular case at least once.
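
As a defender-side sanity check for the hand-entered matrix described in this comment, here is an added example that is not part of the plugin or of any commenter's setup. It assumes the entry format reported above, `display (azure-object-id)`, and the Jenkins permission id `Overall/Administer`; the sample matrix it audits is constructed. It flags entries that would silently grant nothing because the object id is missing or malformed, and it flags `Anonymous` or `Authenticated Users` still holding Administer after the bootstrap steps earlier in the thread.

```python
# Hypothetical helper, not part of the azure-ad plugin: sanity-checks a
# hand-entered Azure AD matrix before graph integration is re-enabled.
import re
import uuid

# Entry format reported in this thread: "display (azure-object-id)", where the
# display part is a UPN/email for users or a group name for groups.
ENTRY_RE = re.compile(r"^(?P<name>\S.*?) \((?P<oid>[0-9a-fA-F-]{36})\)$")

# Jenkins' built-in pseudo-principals; leaving them with Administer after the
# bootstrap dance described in the thread gives every visitor full control.
BUILTIN_PRINCIPALS = {"Anonymous", "Authenticated Users"}
ADMIN = "Overall/Administer"


def parse_entry(entry):
    """Return (display, object_id) for a well-formed entry, else None."""
    m = ENTRY_RE.match(entry.strip())
    if m is None:
        return None
    try:
        oid = str(uuid.UUID(m.group("oid")))  # canonical lowercase form
    except ValueError:
        return None
    return m.group("name"), oid


def audit(grants):
    """grants: list of (entry, permissions) pairs. Returns a list of findings."""
    findings = []
    for entry, perms in grants:
        if entry in BUILTIN_PRINCIPALS:
            if ADMIN in perms:
                findings.append(
                    f"{entry} still holds {ADMIN}; remove it once a real admin entry exists"
                )
            continue
        if parse_entry(entry) is None:
            findings.append(f"malformed entry {entry!r}: expected 'display (object-id)'")
    return findings


# Constructed sample matrix (not from any real tenant).
SAMPLE_GRANTS = [
    ("Anonymous", {ADMIN}),
    ("Authenticated Users", {"Overall/Read"}),
    ("alice.example@example.com (11111111-2222-3333-4444-555555555555)", {ADMIN}),
    ("alice.example@example.com", {ADMIN}),          # object id missing
    ("ci-admins (not-a-guid)", {"Job/Build"}),       # object id is not a GUID
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print("WARN:", finding)
```

Run it against the entries copied out of your own matrix before re-enabling graph integration; an entry that fails `parse_entry` is one the plugin will, per this thread, show crossed out or ignore.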

Raviyadav409 commented 1 year ago

@tgquan67 FYI, for me the search box is not appearing in Azure AD matrix-based security, so I just disabled graph integration and then added users manually.

tgquan67 commented 1 year ago

One way to know if the name you added is correct is to enable graph integration again. I think when you enable it, any invalid entry you added will be crossed out.

Raviyadav409 commented 1 year ago

@tgquan67 FYI, in my case every entry I added manually is the correct one, and no entry is getting crossed out. That means all my entries are correct and authorized. But still, when I give admin access to that entry, it is not working as expected, i.e. that user or entry is not getting any admin permission.

madhulikap0903 commented 1 year ago

Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, I too have a similar issue. I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.372. While I configure global security, user names cannot be found. Below is the permission/admin consent on Azure.

Any suggestion to fix this Jenkins Azure integration?

tgquan67 commented 1 year ago

@madhulikap0903 the only thing I realized in my case is that you have to give all permissions to Authenticated Users, and then log out of admin account and relogin as an AD user. Only then could I search for AD users/groups. Remember that once you log out of admin user, you won't be able to relogin as admin.

timja commented 1 year ago

You may not need to log out, saving the config and refreshing the page should be enough.

mgrobelinp44 commented 1 year ago

I face the same issue within the /manage/configureSecurity/ global configuration page, BUT it works within a jobs configuration page.

Empty results list in global config.

Working results list in job config*.

Jenkins 2.361.3, Azure AD Plugin 267.v5b_dfb_514d9fd

(*) the first Enable project-based security config section appears to be for the Project-based matrix, the second for the Azure-based matrix

doogalbeez commented 1 year ago

I had this issue when setting the plugin up. All the previous steps were tried, or attempted, as I had to roll back the config to the point before I configured the Azure plugin a few times after getting locked out.

  1. Configure the Security Realm for Azure Active Directory
  2. Test if it finds an account
  3. hit save
  4. check the Authorization to Active directory matrix based box
  5. do not hit save
  6. as a precaution, since I've been locked out a few times, add Anonymous and Authenticated Users to Administer overall
  7. save, log out.
  8. Since anon has admin access (don't forget to disable afterward) continue to configure the settings
  9. go back into the add azure user/group
  10. test lookup for user/group
  11. if it works, then add the correct user/group from azure ad, and pop that champagne to celebrate
  12. if It's still not working, continue to the next steps
  13. disable graph integration
  14. hit save
  15. go back to add the user/group
  16. add the user's UPN or group's Object ID, set to admin for now
  17. hit save
  18. go back and uncheck Disable graph integration
  19. hit save
  20. go back and check if it’s working now (it did for me, ymmv)

Hope it helps!

ZamElek commented 1 year ago

Have the same issue on Jenkins 2.346.3 and Azure AD Plugin Version 306.va_7083923fd50; it started working after re-enabling the option "Disable graph integration".

lukolszewski commented 7 months ago

I'm having the same issue on Jenkins 2.426.1 with the latest Azure AD plugin on multiple servers. Disabling and re-enabling graph integration resolves it, but it cannot be done without disruption to group-based security permissions. It should be considered a priority 1 issue for this plugin.