We currently have dozens of Jenkins instances that need to be migrated to Kubernetes. We intend to enable SAML authentication and projectMatrix authorization strategy. Some of the current Jenkins instances use globalMatrix, others use projectMatrix. During test-migration of an instance which is running globalMatrix, we ran into the following error:
2022-02-16 13:07:24.818+0000 [id=29] INFO jenkins.InitReactorRunner$1#onAttained: System config loaded
2022-02-16 13:07:26.505+0000 [id=29] SEVERE jenkins.InitReactorRunner$1#onTaskFailed: Failed ConfigurationAsCode.init
java.lang.IllegalArgumentException: Permission can not be null for sid:Overall/Read:4e0f8217-1c58-41de-9716-60ca76710552
at hudson.security.GlobalMatrixAuthorizationStrategy.add(GlobalMatrixAuthorizationStrategy.java:95)
Our JCasC YAML file contains this:
jenkins:
authorizationStrategy:
projectMatrix:
permissions:
- GROUP:Overall/Read:4e0f8217-1c58-41de-9716-60ca76710552
- GROUP:Credentials/Create:4e0f8217-1c58-41de-9716-60ca76710552
- ...
Looking at the error, it’s clear that GlobalMatrixAuthorizationStrategy is being attempted, while projectMatrix is supplied for JCasC. This is likely because the current authorization strategy is set to globalMatrix, as seen in the config.xml
:
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
<permission>hudson.model.View.Read:4e0f8217-1c58-41de-9716-60ca76710552</permission>
<permission>hudson.model.View.Delete:4e0f8217-1c58-41de-9716-60ca76710552</permission>
...
How can we ensure that JCasC erases the existing globalMatrix authorization strategy and forces projectMatrix? Thanks in advance!
Kind regards,
Emil