Open Raviyadav409 opened 2 years ago
You can perhaps work around the problem by checking the "Disable graph integration" box in the Jenkins security settings. That way, Jenkins won't attempt to query all users and groups from Azure AD, and you have to paste the names and IDs as text instead. I do this to minimize the information leaks in case the Jenkins controller is somehow compromised.
Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:
1. Enable Azure AD authentication, make sure you can use the test functionality to look up your UPN and set access control to `Logged in users can do anything`. Click `Save`
2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`. Also, click `Disable graph integration` and click `Save`
3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox. Click `Save`
4. Finally, go back and uncheck `Disable graph integration` and click `Save`
At this point the group/user lookup works. I've done this on two distinct Jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
Good luck!
@hawknewton I have tried your workaround but it did not work in my case.
In your case, is the UPN your email or AAD object ID? According to Jenkins' user profile page, my UPN should be the email, but I can only use the object ID as a valid UPN while testing connection for authentication or putting into the AAD authorization matrix.
EDIT: somehow it worked, but it definitely did not work when I was logged in as `admin`. It worked when I logged in as an Azure AD user though. So the flow that worked for me is:
1. Log in as the `admin` user, set up the AAD authentication. Save it.
2. In the `Authorization` section, select `AAD Matrix-based security`, and give `Administer` permission to `Authenticated Users`. Save it.
3. Log out of the `admin` user and log in as an AAD user. Now you should be able to look up users/groups. Add yourself/your group there, give yourself `Administer` permission and remove `Administer` permission from `Authenticated Users` for safety.
@hawknewton @tgquan67 Hi guys, I tried both scenarios but it is still not working. In both cases I found the same ACCESS DENIED issue.
@Raviyadav409 when you tried what I posted, were you able to search for users/groups? Notice that you have to enable graph integration to be able to search, otherwise you will have to enter the user manually in a very specific and precise way, or else the user will not be granted anything. Basically in my case there are 2 requirements:
- Give `Administer` permission to `Authenticated Users` first before logging out of `admin`, or else you will be locked out, as the `admin` user will not be available once you enable AAD authentication.
Hi @tgquan67, I have signed in as an AAD user. For your reference I have attached a screenshot below.
And one thing I would like to mention is I'm not able to search for users/groups. We have already made the App registration and provided all permissions. You can see all permissions here as well.
On my side the permissions are different. I think you will at least need `Directory.Read.All` to search for users/groups (refer to https://github.com/jenkinsci/azure-ad-plugin/issues/89).
I think you will at least need `Directory.Read.All`
You shouldn't need that. Are there any errors in the browser console or Jenkins logs?
Stumbled upon a workaround here, I haven't taken the time to dig into the code to figure out why it works, but if you follow these steps I think you'll have a working graph integration:
1. Enable Azure AD authentication, make sure you can use the test functionality to look up your UPN and set access control to `Logged in users can do anything`. Click `Save`
2. Change authorization to `Azure AD` and click the `Administrator` checkbox next to `Authenticated users`. Also, click `Disable graph integration` and click `Save`
3. Go add some random entry under the matrix, I used my UPN and clicked the `Administrator` checkbox. Click `Save`
4. Finally, go back and uncheck `Disable graph integration` and click `Save`
At this point the group/user lookup works. I've done this on two distinct jenkins boxes and had the same result. You'll probably want to remove admin from authenticated users and add at least one entry for yourself. I think the bug had something to do with the list of authorized entities being empty, but that's just a guess. I've checked and the fix persists after restart.
Good luck!
This fixed it for me, thanks a lot. The logs were totally silent with no clues as to what the underlying root cause might be.
Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we are providing Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we are providing the admin permission to our user, even when I give Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot.
In the above image you can see I have checked the Administer box for myself (Yadav ravi) and for another user as well.
In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.
Apart from that I'm facing another issue regarding Jenkins login. Once I set things up for Azure AD matrix-based security, after that I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.
@Raviyadav409 I'm not sure about your first question, but for your second question, once you have set up a different authentication scheme, you will not be able to use the `admin` user from the built-in database (refer to https://issues.jenkins.io/browse/JENKINS-15063 for more detail).
Has anyone tried the update 2.361.2 to see if that resolves this issue?
Hi @cap-mevans, sorry to inform you that we haven't got this application update at the container level.
You can check: ArtifactHub is using the 2.361.1 Jenkins version.
artifact hub is now updated FWIW
Hi All,
I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.361.2. In this version I'm also getting the same issue that I raised earlier. You can find that issue below.
Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, Azure AD matrix-based security is working now, but when we are providing Overall Read permission to Authenticated Users, Manage Jenkins is not visible on the Jenkins home page. And also when we are providing the admin permission to our user, even when I give Administer to myself, I am still not able to find Manage Jenkins on the Jenkins page. Here is the attached screenshot. In the above image you can see I have checked the Administer box for myself (Yadav ravi) and for another user as well.
In the above image you can clearly see Manage Jenkins is missing for the user having Administer access.
Apart from that I'm facing another issue regarding Jenkins login. Once I set things up for Azure AD matrix-based security, after that I'm not able to log in to Jenkins as admin, even though I'm using the correct username and password for Jenkins. Here is the screenshot for that.
Did you add those users by selecting from the search box (with graph integration enabled), or did you just forcefully add them there while graph integration was disabled? Because even if the name there is a bit incorrect, the permission will not take effect. In my case, the names there are displayed in `My.Email@mydomain.com (user-object-id-in-AD)` or `groupname (group-object-id-in-AD)` format.
In the past I also tried to manually add my name there with graph integration disabled, but it's quite hard to figure out the correct format without seeing the correct one in your particular case at least once.
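The comment above describes the one thing that makes manually typed matrix entries fail silently: the entry must match the `display name (object-id)` shape exactly, or the principal is granted nothing. The following is an added example, not code from the azure-ad-plugin or from anyone in this thread, that audits a list of entries before they are pasted into the matrix with graph integration disabled. It assumes the plugin compares entries literally (a single space before the parenthesis, a GUID-shaped object id, no stray whitespace) and that duplicate object ids are a configuration mistake; the sample entries and object ids are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Format reported in the thread for entries in the Azure AD matrix:
#   "My.Email@mydomain.com (user-object-id-in-AD)"   for users
#   "groupname (group-object-id-in-AD)"               for groups
# The object id is an Azure AD GUID in the standard 8-4-4-4-12 hex layout.
# Assumption: the plugin compares entries literally, so any deviation from
# this shape silently grants nothing.
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
ENTRY = re.compile(r"^(?P<name>\S(?:.*\S)?) \((?P<oid>" + GUID + r")\)$")


@dataclass
class MatrixEntry:
    raw: str
    name: Optional[str] = None
    object_id: Optional[str] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_entry(raw: str) -> MatrixEntry:
    """Parse one manually typed matrix entry and record why it would not match."""
    entry = MatrixEntry(raw=raw)
    text = raw.strip()
    if text != raw:
        entry.problems.append("leading or trailing whitespace")
    m = ENTRY.match(text)
    if m:
        entry.name = m.group("name")
        entry.object_id = m.group("oid").lower()  # normalise for duplicate checks
        return entry
    # Explain the most likely cause so the operator can fix the entry.
    if "(" not in text or not text.endswith(")"):
        entry.problems.append("missing '(object-id)' suffix")
    elif not re.search(GUID, text):
        entry.problems.append("object id is not a well-formed GUID")
    elif not re.search(r"\S \(", text):
        entry.problems.append("expected exactly one space before '('")
    else:
        entry.problems.append("does not match 'name (object-id)'")
    return entry


def audit_entries(entries: List[str]) -> dict:
    """Return accepted entries keyed by object id plus the rejected ones with reasons."""
    accepted, rejected = {}, []
    for raw in entries:
        e = parse_entry(raw)
        if not e.ok:
            rejected.append((raw, e.problems))
        elif e.object_id in accepted:
            rejected.append((raw, [f"duplicate of '{accepted[e.object_id].raw}'"]))
        else:
            accepted[e.object_id] = e
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample entries (not from the issue); object ids are placeholders.
SAMPLE_ENTRIES = [
    "alice@example.com (11111111-2222-3333-4444-555555555555)",
    "Build Admins (aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee)",
    "alice@example.com",
    "bob@example.com (not-a-guid)",
    "carol@example.com  (11111111-2222-3333-4444-555555555556)",
    "Alice@Example.com (11111111-2222-3333-4444-555555555555)",
]

if __name__ == "__main__":
    report = audit_entries(SAMPLE_ENTRIES)
    for oid, e in report["accepted"].items():
        print(f"OK       {e.name} -> {oid}")
    for raw, why in report["rejected"]:
        print(f"REJECTED {raw!r}: {'; '.join(why)}")
```

Run it against the list you intend to paste; anything under `rejected` would have produced exactly the symptom in this thread (an entry that is present, not crossed out, and yet grants nothing). Once graph integration is re-enabled the plugin's own cross-out display is the authoritative check; this script only catches the shape mistakes that are easy to make when typing entries by hand.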
@tgquan67 FYI, for me the search box is not appearing in Azure AD matrix-based security, so I just disabled graph integration and then added users manually.
One way to know if the name you added is correct is to enable graph integration again. I think when you enable it, any invalid entry you added will be crossed out.
@tgquan67 FYI, in my case every entry which I added manually is a correct one and is not getting crossed out. It means all my entries are correct and authorized. But still, when I give admin access to that entry, it is not working as expected. It means that user or entry is not getting any admin permission.
Hi @andysworkshop @tgquan67 @hawknewton @KalleOlaviNiemitalo, I too have a similar issue. I tested the Azure AD matrix-based security in the latest Jenkins version, i.e. 2.372. While I configure global security, user names cannot be found. Below is the permission/admin consent on Azure.
Any suggestion to fix this Jenkins Azure integration?
@madhulikap0903 the only thing I realized in my case is that you have to give all permissions to `Authenticated Users`, and then log out of the admin account and relogin as an AD user. Only then could I search for AD users/groups.
Remember that once you log out of admin user, you won't be able to relogin as admin.
You may not need to log out, saving the config and refreshing the page should be enough.
I face the same issue within the `/manage/configureSecurity/` global configuration page, BUT it works within a job's configuration page.
Empty results list in global config
Working results list in job config*
Jenkins 2.361.3 Azure AD Plugin 267.v5b_dfb_514d9fd
(*) the first Enable project-based security config section appears to be for the Project-based matrix, the second for the Azure-based matrix
I had this issue when setting the plugin up. All the previous steps were tried, or attempted, as I had to roll back the config to the point before I configured the Azure plugin a few times after getting locked out.
Have the same issue on Jenkins 2.346.3 and Azure AD Plugin Version 306.va_7083923fd50 it started working after re-enabling option "Disable graph integration"
I'm having the same issue on Jenkins 2.426.1 with the latest Azure AD plugin on multiple servers. Disabling and re-enabling graph integration resolves it, but it cannot be done without disruption to group-based security permissions. It should be considered a priority 1 issue for this plugin.
We are using the latest Jenkins application version, i.e. 2.361.1
Jenkins application version: Jenkins 2.361.1
Helm Version: 4.2.0
Azure AD Plugin Version: 267.v5b_dfb_514d9fd
Operating system: Linux/Windows
Helm Chart Version link: https://artifacthub.io/packages/helm/jenkinsci/jenkins/4.2.0
Web Browser: Any
Cluster: GKE cluster
GKE Cluster Version: v1.21.14-gke.700
Azure AD Authorization is currently not working on Jenkins because it can't find the users, e.g. it is loading forever and does not return any user, even though we have already made the App registration and provided all permissions.