Unable to lookup AzureAD users #661
Comments
After verifying you need to save and refresh the page for it to work. Add authenticated users as administrator for the first configuration (I can't see an existing open issue, but it's a limitation of how the security page is designed) |
Hi, I really appreciate the quick response. That is already done. For now, as a workaround, I have updated the config.xml file with the required permissions set for the Azure user with associated Object_ID. Users got the access. But, previously I have added the plugin to other Jenkins instances. Even now, on those instances I am able to search for the users directly on the UI, without any issues. I want to be able to search for the users first. That is the main goal. Because, it will allow us to add new Azure users/groups if needed with the required permissions. One more issue is nothing is logged anywhere about the issue. Please advise. Thanks |
check the browser console and the server logs. |
If Add user and Add group buttons are showing that means the disable graph integration is enabled which means it can't check those. Have a look further up in the page (it's not in your screenshot) |
possible to take a full page screenshot? (hide whatever config you need) and make sure you've definitely saved and refreshed |
Here you go this is the last section And now the problem is As soon as you click on the search option it is able to populate few users on other jenkins instance. |
yeah the other instance is doing what I would expect. Looking at the code the only time the Add user and Add group buttons are set are when disableGraphIntegration is: Can you check the config.xml configuration on the file system in Jenkins home for the security realm config? |
There is no problem in the security realm, Authentication is working fine. It is able to add the users when we manually update the config file with the user/group we wanted, it is working for that group. But it is unable to add the user/groups through the UI part. That is very inconvenient as compared to the instance on which it is working fine. |
And also please confirm one thing for this authorization of AzureAD Matrix Strategy. |
Can you check the xml config though and make sure the graph integration isn’t disabled. I’m not 100% sure email groups may have been hidden in the person/group picker |
What does this mean? How to check it?
|
Please advise on how to DEBUG this issue. On a side note could you please provide clear step-by-step process for setup on AzureApp? Is it the plugin version or Jenkins version causing this issue? Please advise. Thanks |
Steps are here:
Any version that lets you install the plugin should be compatible just fine. I just tested the latest version of the plugin on Jenkins 2.497 and it worked fine for me Can you please open **** out the clientId, clientVersion, and tenant. Can you also provide a screenshot that shows the plugin version and Jenkins version. |
here is the whole config file
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
<disabledAdministrativeMonitors>
<string>jenkins.security.csrf.CSRFAdministrativeMonitor</string>
<string>jenkins.diagnostics.ControllerExecutorsNoAgents</string>
<string>hudson.util.DoubleLaunchChecker</string>
</disabledAdministrativeMonitors>
<version>2.482</version>
<numExecutors>4</numExecutors>
<mode>NORMAL</mode>
<useSecurity>true</useSecurity>
<authorizationStrategy class="com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy">
<permission>GROUP:hudson.model.Hudson.Administer:-jenkins-administrators</permission>
<permission>USER:hudson.model.Hudson.Administer:[email protected]</permission>
<permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
<permission>GROUP:hudson.model.Hudson.Read:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Hudson.Read:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>USER:hudson.model.Hudson.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.Build:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Build:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Cancel:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Cancel:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Configure:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Configure:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Create:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Create:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Delete:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Delete:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Move:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Move:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.Item.Read:authenticated</permission>
<permission>GROUP:hudson.model.Item.Read:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Read:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>USER:hudson.model.Item.Read:anonymous</permission>
<permission>GROUP:hudson.model.Item.Workspace:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.Item.Workspace:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>GROUP:hudson.model.View.Read:authenticated</permission>
<permission>GROUP:hudson.model.View.Read:ship (155bec56-8bd0-4ff0-91f0-xxxxxxxxxxx)</permission>
<permission>USER:hudson.model.View.Read:2355774d-4e69-4d33-a24c-xxxxxxxxxxx</permission>
<permission>USER:hudson.model.View.Read:anonymous</permission>
</authorizationStrategy>
<securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
<clientid>{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}</clientid>
<credentialType>Secret</credentialType>
<clientsecret>{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}</clientsecret>
<tenant>{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}</tenant>
<cacheduration>3600</cacheduration>
<fromrequest>false</fromrequest>
<environmentName>Azure</environmentName>
<disableGraphIntegration>false</disableGraphIntegration>
<promptAccount>false</promptAccount>
<singleLogout>false</singleLogout>
<domainHint></domainHint>
</securityRealm>
<disableRememberMe>false</disableRememberMe>
<projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
<workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
<buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
<markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
<jdks/>
<viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
<myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
<clouds/>
<quietPeriod>5</quietPeriod>
<scmCheckoutRetryCount>0</scmCheckoutRetryCount>
<views>
<hudson.model.AllView>
<owner class="hudson" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
<listView>
<owner class="hudson" reference="../../.."/>
<name> Daily Builds</name>
<description>Builds of importance that execute every day.</description>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
<jobNames>
<comparator class="java.lang.String$CaseInsensitiveComparator"/>
<string>v12-Development-GCS-Java-build</string>
<string>v12-Development-GCS-Java-Nightly-build</string>
<string>v12-Development-GCS-SQL-Nightly-build</string>
<string>v12-Development-JASPER-REPO-Nightly-build</string>
<string>v12-Development-Java-BI-build</string>
<string>v12-Development-Java-build</string>
<string>v12-Development-Java-Nightly-Build</string>
<string>v12-Development-Revision-Info</string>
<string>v12-Development-SQL-Nightly-build</string>
</jobNames>
<jobFilters/>
<columns>
<hudson.views.StatusColumn/>
<hudson.views.WeatherColumn/>
<hudson.views.JobColumn/>
<hudson.views.LastSuccessColumn/>
<hudson.views.LastFailureColumn/>
<hudson.views.LastDurationColumn/>
<hudson.views.BuildButtonColumn/>
</columns>
<recurse>false</recurse>
</listView>
<listView>
<owner class="hudson" reference="../../.."/>
<name> Cloud Builds</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
<jobNames>
<comparator class="java.lang.String$CaseInsensitiveComparator" reference="../../../listView/jobNames/comparator"/>
</jobNames>
<jobFilters/>
<columns>
<hudson.views.StatusColumn/>
<hudson.views.WeatherColumn/>
<hudson.views.JobColumn/>
<hudson.views.LastSuccessColumn/>
<hudson.views.LastFailureColumn/>
<hudson.views.LastDurationColumn/>
<hudson.views.BuildButtonColumn/>
</columns>
<includeRegex>.*-CLOUD-V12.*</includeRegex>
<recurse>false</recurse>
</listView>
<listView>
<owner class="hudson" reference="../../.."/>
<name> Failed Builds</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
<jobNames>
<comparator class="java.lang.String$CaseInsensitiveComparator" reference="../../../listView/jobNames/comparator"/>
</jobNames>
<jobFilters>
<hudson.views.JobStatusFilter plugin="[email protected]_4dd46909">
<includeExcludeTypeString>includeMatched</includeExcludeTypeString>
<unstable>false</unstable>
<failed>true</failed>
<aborted>false</aborted>
<disabled>false</disabled>
<stable>false</stable>
</hudson.views.JobStatusFilter>
</jobFilters>
<columns>
<hudson.views.StatusColumn/>
<hudson.views.WeatherColumn/>
<hudson.views.JobColumn/>
<hudson.views.LastSuccessColumn/>
<hudson.views.LastFailureColumn/>
<hudson.views.LastDurationColumn/>
<hudson.views.BuildButtonColumn/>
</columns>
<recurse>false</recurse>
</listView>
</views>
<primaryView>all</primaryView>
<slaveAgentPort>-1</slaveAgentPort>
<label></label>
<nodeProperties>
<hudson.slaves.EnvironmentVariablesNodeProperty>
<envVars serialization="custom">
<unserializable-parents/>
<tree-map>
<default>
<comparator class="java.lang.String$CaseInsensitiveComparator" reference="../../../../../../views/listView/jobNames/comparator"/>
</default>
<int>1</int>
<string>MAVEN_OPTS</string>
<string></string>
</tree-map>
</envVars>
</hudson.slaves.EnvironmentVariablesNodeProperty>
</nodeProperties>
<globalNodeProperties/>
<nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
let me know |
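The config.xml check the maintainer asks for above, as an added example that is not part of the thread or the plugin's own code: it reports the security realm's disableGraphIntegration value and lists matrix entries granted to anonymous, entries holding Administer, and entries that carry no object ID. The sample config with its placeholder IDs is constructed, and the function name and report keys are assumptions.

```python
import re
import xml.etree.ElementTree as ET

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
BUILTIN = {"anonymous", "authenticated"}

# Constructed sample, shaped like the config.xml posted in this thread (placeholder IDs).
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy">
    <permission>GROUP:hudson.model.Hudson.Administer:-jenkins-administrators</permission>
    <permission>GROUP:hudson.model.Hudson.Read:ship (00000000-0000-0000-0000-000000000001)</permission>
    <permission>USER:hudson.model.Hudson.Read:00000000-0000-0000-0000-000000000002</permission>
    <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
    <permission>USER:hudson.model.Item.Read:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="com.microsoft.jenkins.azuread.AzureSecurityRealm">
    <disableGraphIntegration>false</disableGraphIntegration>
  </securityRealm>
</hudson>"""

def audit_config(xml_text):
    # Jenkins writes an XML 1.1 declaration; Python's expat-based parser
    # handles XML 1.0 only, so drop the declaration before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    flag = root.findtext("securityRealm/disableGraphIntegration")
    report = {
        "graph_disabled": None if flag is None else flag.strip().lower() == "true",
        "anonymous": [], "admins": [], "no_object_id": [],
    }
    for node in root.findall("authorizationStrategy/permission"):
        parts = (node.text or "").strip().split(":", 2)
        if len(parts) != 3:  # not in TYPE:permission:sid form, skipped here
            continue
        kind, permission, sid = parts
        if sid == "anonymous":
            report["anonymous"].append(permission)
        if permission == "hudson.model.Hudson.Administer":
            report["admins"].append(f"{kind}:{sid}")
        if sid not in BUILTIN and not GUID.search(sid):
            report["no_object_id"].append(f"{kind}:{sid}")
    return report

if __name__ == "__main__":
    for key, value in audit_config(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a copy of `$JENKINS_HOME/config.xml` by passing the file's text to `audit_config`; a `graph_disabled` of `None` means the element is absent from the security realm block.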
Which version of Jenkins and the Azure AD plugin are you using? |
Jenkins Version: 2.482 I also tried on other server with these versions, it is also giving me the same issue Since it is not working, I also manually added the plugin version - 531.v13107da_f2635, which is working fine on other version. I have 3 instances on which AzureAD plugin is troubling to lookup users/groups to add and assign permissions. Below all combinations are from other jenkins instances we use, are working fine |
I also found jenkins version and it's compatible plugin versions page here - https://updates.jenkins.io/download/plugins/azure-ad/ Based on this, it is evident that I haven't installed any incompatible version for sure. |
Could you try this debug build: Install the plugin from the advanced page, restart On the security page: |
What is the minimum Jenkins version required for the latest patch of the plugin you have shared? |
2.479.1 |
So, for testing I have a Jenkins instance with the version of 2.452.1. To test it on the prod instances, we need to schedule the downtime and notify users, which would delay this testing. One more thing about the changing plugin versions like (Downgrade/Upgrade), since downgrade option is not provided by Jenkins through UI, we would manually download the plugin **.hpi** file to the plugin directory and restart the server right? And then, that plugin also has requirement of some other dependent plugins, which we would have to search for them manually to find out which version of that plugin has the compatibility with our Jenkins version. In this case, what happens if we just download the DEBUG version you are suggesting? What about the dependency plugin versions? And also let me know, since there is not much information found on Jenkins logs about the issue we are currently dealing with, is there a way to check more details of this issue on Azure side? Please advise. |
Use this version instead: https://repo.jenkins-ci.org/incrementals/org/jenkins-ci/plugins/azure-ad/557.v5eed7a_c68693/azure-ad-557.v5eed7a_c68693.hpi Is it possible to test on a version that isn't production? |
azure-ad/557.v5eed7a_c68693/azure-ad-557.v5eed7a_c68693.hpi --- Is this compatible with Jenkins version 2.452.1?
And what about the dependency plugins and compatible versions? |
yes it is, dependencies will be compatible as long as you are up to date. |
I mean is it compatible with the Jenkins version - 2.452.1? What do you mean up to date? I did not understand that part We have a jenkins version - 2.452.1 And this plugin dependencies - are they compatible with Jenkins version 2.452.1? |
Yes it will work. It’s the latest version with some changes backed out so it works on your Jenkins |
Thank you for confirming that, I will check and let you know soon. |
Hi, Here is the screenshots, Date: Fri Feb 14 13:48:35 EST 2025 please verify and let me know. Just so you know, no problem in authentication part. |
In the above screenshot you only have the Add button which shows the integration enabled which is what I expected based on the config (although not the same as in your previous screenshot). The reason for your last screenshot not showing results should either be in your browser console or the Jenkins server logs |
Yes, you are right about that add button, but it is not useful at all as I am unable to click and add any user/groups. The names which were added at the time of initial configuration of the plugin. That’s it if we want to add more user/groups after that it is not able to search and also not allowing us to add manually thru UI. You can also see that it is showing a pop-up saying “we didn’t find any matches.” I tried browsers after clearing browser cache as well. Even I tried in an incognito window as well. But it is working very fine for other Jenkins instances. Why it is not working for one instance and not other is not clear. Please advise how to investigate further. |
As I said before please check this: The reason for your last screenshot not showing results should either be in your browser console or the Jenkins server logs |
Hi,
I have the latest version of Jenkins and also the latest version of the plugin-Microsoft Entra ID.
I am able to set up security Realm - Azure Active Directory. And able to verify configuration with users. But the problem is with the Authorization strategy - AzureAD Matrix Authorization Strategy.
And while setting up we need to first add the users and required groups by searching the name. It is giving me error
Please provide any inputs to this issue.
Thanks
vsk