Open rcaballo opened 2 years ago
Hi @rcaballo, FYI, you can uncheck anonymous; after that you can see I have the same setting for my users. Please make sure that you have checked the disable graph integration. Azure AD matrix-based is working, but when we are providing the access of All read permission to authenticated users, managed Jenkins is not visible on the Jenkins home page. And also when we are providing the admin permission to our user, even when I provide Administer to myself, in that case also I am not able to find the managed Jenkins on the Jenkins page.
In the above image you can see I have checked the Administer box for myself, Yadav ravi, and for other users as well.
In the above image you can clearly see managed Jenkins is missing for the user having Administer access.
If you have any fix for that, then please let me know.
Hi, we are facing the same issue on our environment. Do you have any idea when this will be fixed? It's currently a serious security issue for us if we can't control the authorization settings when using Jenkins with the Azure AD plugin.
Has anyone fixed this bug yet? I'm having the same issue, when I remove the Administrator checkbox from the Authenticated users and I try to login I get the following error "Access Denied - user is missing the Overall/Read permission". There has to be a fix to this issue or is there an alternative fix?
Hi there, may I know of any update about this issue? I tried the latest and spent many hours and have the same error message as this screen. It is so upsetting that the AAD plugin doesn't work....
Each use-case is specific to how you set it up. It should work just fine if you follow the docs in the README.
We have it running with group based authorization just fine.
Hello @timja ,
I followed every step in the README, and in my situation it is difficult to use group-based authorization, while the README said UPN is allowed.
Object ID of group
Display name of group (Only if Graph API permissions granted)
preferred_username claim which is normally the 'User principal name', but not always.
User principal name (Rest API authentication only)
Hi @timja , thanks for sharing.
Jenkins and plugins versions report
Jenkins: 2.374 OS: Linux - 3.10.0-1160.71.1.el7.x86_64
ace-editor:1.1 active-directory:2.27 ansicolor:1.0.2 ant:481.v7b_09e538fcca antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-138.v4e7d9a_7b_a_e61 authentication-tokens:1.4 authorize-project:1.4.0 azure-ad:267.v5b_dfb_514d9fd azure-sdk:118.v43f74dd9ca_dc
What Operating System are you using (both controller, and any agents involved in the problem)?
Linux - CentOS 7, Jenkins latest version, Azure AD plugin latest version.
Reproduction steps
1) Configure Azure AD plugin with:
2) Configure Azure APP registration/API permissions/Microsoft Graph
Directory.Read.All | Delegated | Read directory data | Yes | Granted
Directory.Read.All | Application | Read directory data | Yes | Granted
Group.Read.All | Delegated | Read all groups | Yes | Granted
Group.Read.All | Application | Read all groups | Yes | Granted
People.Read | Delegated | Read users' relevant people lists | No | Granted
People.Read.All | Application | Read all users' relevant people lists | Yes | Granted
User.Read.All | Delegated | Read all users' full profiles | Yes | Granted
User.Read.All | Application | Read all users' relevant people lists | Yes | Granted
3) Disable graph integration
4) Add "authenticated users" as administrators and save settings on Jenkins. Now you still have access to Jenkins (full permissions).
5) Change to "Azure Active Directory Matrix-based security"
6) Untick "authenticated users" as administrators. Add my Azure user as administrator (Full permissions).
Expected Results
Only my Azure user can log in to Jenkins as administrator.
Actual Results
Anything else?
Please let me know how I can set this up correctly, or fix the "bug" if needed.
Thanks.