jenkinsci / cas-plugin

Jenkins CAS Plugin
https://plugins.jenkins.io/cas-plugin/
MIT License

Plugin does not report user groups, even though it does collect them. #14

Open yoshi314 opened 2 weeks ago

yoshi314 commented 2 weeks ago

Jenkins and plugins versions report

Environment (This is a sample relatively minimal jenkins install using jenkins-operator in k8s. SAML plugin is unnecessary)

```
Jenkins: 2.462
OS: Linux - 5.4.0-182-generic
Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
authentication-tokens:1.113.v81215a_241826
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-233.vfdcdeb_0a_08a_a_
branch-api:2.1169.va_f810c56e895
caffeine-api:3.1.8-133.v17b_1ff2e0599
cas-plugin:1.6.3
checks-api:2.2.0
cloudbees-folder:6.942.vb_43318a_156b_2
command-launcher:107.v773860566e2e
commons-lang3-api:3.14.0-76.vda_5591261cfe
commons-text-api:1.12.0-119.v73ef73f2345d
config-file-provider:973.vb_a_80ecb_9a_4d0
configuration-as-code:1810.v9b_c30a_249a_4c
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:677.vdc9d38cb_254d
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:555.v6802fe0f0b_82
echarts-api:5.5.0-1
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1814.v404722f34263
font-awesome-api:6.5.2-1
generic-webhook-trigger:2.2.1
git:5.2.2
git-client:5.0.0
git-parameter:0.9.19
gson-api:2.11.0-41.v019fcf6125dc
hashicorp-vault-pipeline:1.4
hashicorp-vault-plugin:368.v48134f694db_f
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
job-dsl:1.87
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1265.v65b_14fa_f12f0
kubernetes:4245.vf5b_83f1fee6e
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:174.va_36e093562d9
kubernetes-credentials-provider:1.262.v2670ef7ea_0c5
ldap:725.v3cb_b_711b_1a_ef
mailer:472.vf7c289a_4b_420
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.12.1-113.v4d3ea_5eb_7f72
mina-sshd-api-core:2.12.1-113.v4d3ea_5eb_7f72
nodejs:1.6.1
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:727.ve832a_9244dfa_
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2198.v41dd8ef6dd56
pipeline-model-definition:2.2198.v41dd8ef6dd56
pipeline-model-extensions:2.2198.v41dd8ef6dd56
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56
pipeline-stage-view:2.34
pipeline-utility-steps:2.16.0
plain-credentials:182.v468b_97b_9dcb_8
plugin-util-api:4.1.0
prism-api:1.29.0-15
publish-over:0.22
publish-over-ssh:1.25
resource-disposer:0.23
saml:4.464.vea_cb_75d7f5e0
scm-api:690.vfc8b_54395023
script-security:1341.va_2819b_414686
simple-theme-plugin:176.v39740c03a_a_f5
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:337.v395d2403ccd4
ssh-slaves:2.968.v6f8823c91de4
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.330.vc866a_8389b_58
structs:337.v1b_04ea_4df7c8
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1316.v33eb_726c50b_a_
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3903.v48a_8836749e9
workflow-durable-task-step:1353.v1891a_b_01da_18
workflow-job:1426.v2ecb_a_a_42fd46
workflow-multibranch:791.v28fb_f74dfca_e
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:907.v6713a_ed8a_573
ws-cleanup:0.42
```

I've set up CAS to give me a filtered list of groups from AD, and for a while I thought that something was broken, because they did not show up in the Jenkins user profile information, as they do with the ldap plugin.

After 4 days of experimenting I discovered that CAS works fine, the plugin does indeed recognize them, and I can use them with matrix-auth to match groups to privileges. I just did not know that they were being parsed right, since there is no way to see them in Jenkins to make sure.

Is there any way to give better feedback on data obtained from CAS, or at least plug those groups into user profile information?

I am using CAS 3.0 protocol with cas-server 7.0.1

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux, kubernetes

Reproduction steps

Set up CAS, map groups to whichever attribute CAS returns with group membership.

Log into Jenkins and check out your profile.

No groups are listed.

Expected Results

Some feedback about detected groups, aside from digging through the logs.

Actual Results

No feedback is given whether CAS response contains groups and which ones.

Anything else?

No response

Are you interested in contributing a fix?

No response

fcrespel commented 2 weeks ago

I took a look but I don't see a way to make groups appear on the user profile, due to the way Jenkins and CAS work. Basically, Jenkins tries to load groups by name, but CAS doesn't provide an API to look up groups.

However, as an alternative you can check your own user's authorities (based on the roles attribute you configured in cas-plugin) by going to http://your-jenkins-server/whoAmI/ (or ask another user to do it and send you a screenshot for troubleshooting).

Hope this helps :-)

yoshi314 commented 1 week ago

Oh, right. After some tinkering it appeared there.

It might help to mention this in the docs. Also it would help to mention what log collector to use.
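
As an added example (not part of the issue thread and not cas-plugin code): a small Python check that parses a captured CAS 3.0 validation response and reports which values the configured roles attribute carries, compared with the groups referenced in matrix-auth. The attribute name `memberOf`, the user and the group names are constructed sample values; substitute the attribute configured in cas-plugin.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS XML responses

# Constructed sample of a CAS 3.0 validation success response (not taken from the issue).
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:mail>jdoe@example.org</cas:mail>
      <cas:memberOf>jenkins-admins</cas:memberOf>
      <cas:memberOf>jenkins-devs</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_cas_response(xml_text):
    """Return (user, {attribute: [values]}); raise ValueError on a failure response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS failure {failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("no cas:authenticationSuccess element in response")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    attrs = {}
    container = success.find("cas:attributes", CAS_NS)
    for el in (container if container is not None else []):
        name = el.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        attrs.setdefault(name, []).append((el.text or "").strip())
    return user, attrs


def check_groups(xml_text, role_attribute, expected_groups):
    """Compare values released in role_attribute with the groups the ACL expects."""
    user, attrs = parse_cas_response(xml_text)
    released = set(attrs.get(role_attribute, []))
    expected = set(expected_groups)
    return {
        "user": user,
        "released": sorted(released),
        "missing": sorted(expected - released),
        "unreferenced": sorted(released - expected),
    }


if __name__ == "__main__":
    print(check_groups(SAMPLE_RESPONSE, "memberOf", ["jenkins-admins", "jenkins-ops"]))
```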