
      Description

      Jenkins Version: 2.176.1

      Github Authentication Plugin Version: 0.32

      I'm trying to set up Matrix-based Authorization Strategy for my team, which requires me to grant permissions to users based on their GitHub team membership.

      Following the instructions on the wiki I'm specifying the group name as "org_name*team_name", but I'm getting the following error:

       

      org_name*engineering
      org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams
          at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529)
          at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494)
          at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44)
          at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32)
          at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89)
          at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544)
          at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794)
          at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157)
          at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
      

      We are currently successfully using the GitHub Committer Authorization Strategy; however, it's becoming a necessity to add permissions based on user groups, such as letting devs replay jobs.

       


          Activity

          sag47 Sam Gleske added a comment -

          Kote Mushegiani I also forgot to mention that you need to upgrade to github-oauth 0.33 because plugin version 0.32 suffers from a critical bug in matrix auth. See JENKINS-57154 for details.

          juhtie01 Juha Tiensyrjä added a comment -

          I believe that the plugin upgrade was coincidental / a red herring related to something either GitHub or one of the organization admins did and only manifested once we restarted the Jenkins instance with the new plugin version. We fixed the problem by revoking the OAuth application privileges from the GitHub organization settings page, logging in with the machine user whose token is used for the OAuth app, requesting permissions, and having one of the org admins approve those permissions. After that, no more errors.

          kmushegi Kote Mushegiani added a comment -

          Sam Gleske I will try upgrading the plugin and setting up the matrix auth.

           

          I'm in the Engineering GitHub team, but the only authority I see is `authenticated`. I guess after I switch to matrix auth that will change?

          Could you advise on what the risks are of being locked out as a result of setting matrix auth wrong? Does 0.33 still require referencing the team name by its common name and not slug?

          kmushegi Kote Mushegiani added a comment -

          After upgrading the plugin, I still see the same error when trying to add a group to matrix auth in the following way: "ORGNAME*engineering" or "ORGNAME*Engineering".

          sag47 Sam Gleske added a comment -

          Strange, I can't seem to be able to replicate your issue. You should be able to see your own granted authorities under:

          https://yourjenkins/whoAmI - when you go here, do your GitHub teams show up under granted authorities?

          Kote Mushegiani Is it possible that you didn't grant your OAuth app permission to view the org and its teams? GitHub now allows orgs to restrict team only to allowed OAuth apps. In that case, the plugin wouldn't be able to query teams of the org. See the earlier comment by Juha Tiensyrjä which is a similar situation as I describe.

          The risks of being locked out are similar to the risks with other plugins. The only way to recover would be to edit the root config.xml and restore your access. Personally, I configure my own username in addition to teams to ensure that my specific user doesn't lose access when configuring matrix authorization.

          Does 0.33 still require referencing the team name by its common name and not slug?

          Yes, the plugin still has bug JENKINS-34835 where you must reference teams by common name and not slug.
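          The lockout precaution from the comment above (a direct grant for your own username alongside team grants), written as a pre-flight check over the root config.xml. This is an added example, not part of the original thread or the plugin's code. It assumes matrix entries are stored as `permission:sid`; the sample XML and the username `alice` are constructed.

```python
import xml.etree.ElementTree as ET

ADMIN = "hudson.model.Hudson.Administer"

# Constructed sample of the matrix block in the root config.xml.
# Assumption: each entry is stored as "permission.id:sid".
SAMPLE_CONFIG = """\
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ORGNAME*Engineering</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Build:ORGNAME*Engineering</permission>
  </authorizationStrategy>
</hudson>
"""


def parse_grants(config_xml):
    """Return {sid: {permission ids}} from the authorizationStrategy element."""
    grants = {}
    root = ET.fromstring(config_xml)
    for strategy in root.iter("authorizationStrategy"):
        for node in strategy.iter("permission"):
            # Split on the first ':' only; the sid is everything after it.
            perm, sep, sid = (node.text or "").strip().partition(":")
            if sep and sid:
                grants.setdefault(sid, set()).add(perm)
    return grants


def lockout_findings(config_xml, my_username):
    """List reasons this matrix could lock my_username out of administration."""
    grants = parse_grants(config_xml)
    admins = sorted(sid for sid, perms in grants.items() if ADMIN in perms)
    # In this plugin a GitHub team sid is written as "org*team name".
    team_admins = [sid for sid in admins if "*" in sid]
    findings = []
    if my_username not in admins:
        findings.append(f"user '{my_username}' has no direct Administer grant")
    if admins and len(team_admins) == len(admins):
        findings.append("Administer is reachable only through team lookups: "
                        + ", ".join(team_admins))
    if not admins:
        findings.append("nobody holds Administer")
    return findings


if __name__ == "__main__":
    for finding in lockout_findings(SAMPLE_CONFIG, "alice"):  # 'alice' is a made-up user
        print(finding)
```

          A team-only Administer grant is the risky case here: if the team lookup fails as in the stack trace in the description, no sid resolves to an administrator.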

            People

            • Assignee:
              sag47 Sam Gleske
              Reporter:
              kmushegi Kote Mushegiani