Adding user into AzureAd Matrix AuthorizationStrategy via jenkins job

dchabra26 · August 29, 2024, 9:15am

Hi Everyone, Trying to add user with permission. Using AzureAD auth strategy. So far used below -

 stage('Update Jenkins Security Matrix') {
            steps {
                script {
                    def userId = env.userObjectId
                    def permission = hudson.model.Hudson.Administer 
                    def azureStrategy = Jenkins.instance.getAuthorizationStrategy()
                    def permissionEntry = new org.jenkinsci.plugins.matrixauth.PermissionEntry(permission, userId) 
                    azureStrategy.add(permission, permissionEntry)
                        

                    Jenkins.instance.save()
                }
            }
        }

Getting error :

Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: dafbe164-8fec-45cc-85f3-253d8806485b **14:31:04** groovy.lang.MissingPropertyException: No such field found: field java.lang.Class Administer **14:31:04** at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:402) **14:31:04** at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:386) **14:31:04** at org.kohsuke.groovy.sandbox.impl.Checker$7.call(Checker.java:375)

mawinter69 · August 29, 2024, 9:52am

There is no hudson.model.Hudson.Administer
Try something like this

def userId = env.userObjectId
def permission = jenkins.model.Jenkins.ADMINISTER
def azureStrategy = Jenkins.instance.getAuthorizationStrategy()
def type = com.microsoft.jenkins.azuread.AuthorizationType.USER
def permissionEntry = new com.microsoft.jenkins.azuread.PermissionEntry(type, userId) 
azureStrategy.add(permission, permissionEntry)

dchabra26 · August 29, 2024, 10:06am

Thanks for letting me know. But there is not such class found

15:28:34  WorkflowScript: 64: unable to resolve class com.microsoft.jenkins.azuread.PermissionEntry 
15:28:34   @ line 64, column 23.
15:28:34     def permissionEntry = new com.microsoft.jenkins.azuread.PermissionEntry(type, userId) 
15:28:34                           ^
15:28:34  
15:28:34  1 error
15:28:34  
15:28:34  	at org.codehaus.groovy.control.ErrorCollector.failIfErrors(ErrorCollector.java:309)

Used plugin version - Microsoft Entra ID (previously Azure AD)
Version457.vf85d61f83b_26

mawinter69 · August 29, 2024, 11:11am

Ok you wrote you use azureAD so I assumed you use that plugin. Then go back to the original package

...
def type = org.jenkinsci.plugins.matrixauth.AuthorizationType.USER
def permissionEntry = new org.jenkinsci.plugins.matrixauth.PermissionEntry(type, userId)
...

dchabra26 · August 30, 2024, 5:08am

Many thanks. It worked

dchabra26 · September 16, 2024, 5:57am

what are all permission sets or path. -jenkins.model.Jenkins.BUILD is not working. Where I can find all the permissions. In my jenkins config its like below-

<permission>USER:hudson.model.Item.Build:08dd9e02-3209-4288-8251-44eddd0ef00b</permission>
<permission>USER:hudson.model.Item.Cancel:fb8def53-4f94-42ad-9058-d6bce85b20af</permission>
<permission>USER:hudson.model.Item.Configure:08dd9e02-3209-4288-8251-44edbb0ede00b</permission>
<permission>USER:hudson.model.Item.Create:08dd9e02-3459-4488-8251-42edbb0effe0b</permission>

mawinter69 · September 16, 2024, 7:42am

jenkins.model.Jenkins.BUILD is not a known permission.
The build permission is hudson.model.Item.BUILD
You could grant for an admin all permissions, and then look at the config.xml to get a list of all permissions. From the class name you can usually guess what the permission stands for.

dchabra26 · September 16, 2024, 7:56am

I tried with paths fetched from config.xml (as shared above)and got error.

13:19:55 Also: org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 954252db-ad0e-496a-b668-094b10ff0496 13:19:55 groovy.lang.MissingPropertyException: No such field found: field java.lang.Class Build 13:19:55 at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:402)

Note: Looking to set permission according to user role (not all admin) some would have read-only, some with build etc.

mawinter69 · September 16, 2024, 8:13am

Grant the permissions via the UI, then look at the config.xml and you get a list of all permissions that you have in your Jenkins (plugins can also contribute permissions).
Not sure what you mean with path, permissions are class names the way you want to use them.

dchabra26 · September 16, 2024, 9:14am

By path I mean permission class only. added user via UI and the below generated in config.xml. Tried using those permission class but getting error as shared above.

<permission>USER:hudson.model.Item.Build:08dd9e02-3209-4288-8251-44eddd0ef00b</permission>
<permission>USER:hudson.model.Item.Cancel:fb8def53-4f94-42ad-9058-d6bce85b20af</permission>
<permission>USER:hudson.model.Item.Configure:08dd9e02-3209-4288-8251-44edbb0ede00b</permission>
<permission>USER:hudson.model.Item.Create:08dd9e02-3459-4488-8251-42edbb0effe0b</permission>

mawinter69 · September 16, 2024, 9:37am

you will need to share the code that you’re running to be able to understand the problem you’re facing.

mawinter69 · September 16, 2024, 9:40am

Probably you need to capitalize the last part
e.g. hudson.model.Item.BUILD in your script

Topic		Replies	Views
Add New User through Azure Active Directory Ask a question question	1	340	March 26, 2024
Enable SSO on Jenkins using Azure AD Using Jenkins question	0	774	November 27, 2023
Authorization - AAD matrix-based security issue Ask a question question , events	0	501	January 30, 2022
How to provide an user overall admin access using groovy script? Using Jenkins	4	1448	May 10, 2022
Jenkins with Azure AD authentication Ask a question	5	564	July 10, 2024

Adding user into AzureAd Matrix AuthorizationStrategy via jenkins job

Related topics