Issue
-
Framework Deployer plugin permissions - Deploy Now/Deploy, Deploy Now/JobCredentials and Deploy Now/UserCredentials - are not in the list of permissions available under my controller authorization settings although the plugin was successfully installed in the controller.
-
When I try to provision a new controller with CasC and any of the Framework Deployer plugin permissions in the
rbac.yamlfile by their fully qualified name - com.cloudbees.plugins.deployer.DeployNowRunAction.Deploy, com.cloudbees.plugins.deployer.DeployNowRunAction.JobCredentials, com.cloudbees.plugins.deployer.DeployNowRunAction.UserCredentials - the controller fails to start with the following error:
SEVERE jenkins.InitReactorRunner$1#onTaskFailed: Failed Bootstrap.initialize com.cloudbees.jenkins.plugins.casc.CasCException: Unknown or disabled permissions are not allowed to be part of the definition file. Please remove [com.cloudbees.plugins.deployer.DeployNowRunAction.Deploy, com.cloudbees.plugins.deployer.DeployNowRunAction.JobCredentials, com.cloudbees.plugins.deployer.DeployNowRunAction.UserCredentials] at com.cloudbees.jenkins.plugins.casc.rbac.CRoles.allPermissionAreEnabledCheck(CRoles.java:135)
Context
The Framework Deloyer permissions are only injected and configurable once a deploy step is used in a job for the first time. Moreover, that’s incompatible with configuring the plugin permissions via CasC for a brand new cotroller, because CasC loads the RBAC information before loading the items, so the permissions cannot be recognized at the moment of provisioning a new instance.
Workaround
In a new controller provisioned without the RBAC CasC file but with the deployer-framework plugin installed, you can make the permissions appear in the RBAC permissions matrix by creating a Freestyle job following the steps in CloudBees Amazon Web Services Deploy Engine.
Tested product/plugin versions
-
CloudBees CI on modern cloud platforms - managed controller 2.452.2.3
-
Deployer Framework Plugin version 88.ve78a_92f39e8e