Prerequisite
CloudBees support reports that most RBAC issues are caused by lack of experience with RBAC. Before jumping to a particular RBAC implementation, we recommend that you try to reproduce an example scenario; choose the one that is appropriate for your instance:
- Case A: RBAC configuration in Client controller managed by an Operation Center
- Case B: RBAC Configuration in an isolated Client Controller.
For more references, see CloudBees RBAC; pay special attention to the sample configuration chapter.
Required Data RBAC issues
Having gained the necessary skills, if you still have questions about your particular implementation, follow this article to collect the minimum required information for troubleshooting RBAC issues.
If the required data is bigger than 50 MB you will not be able to use ZenDesk to upload all the information. In this case we would like to encourage you to use our upload service in order to attach all the required information.
Environment
- CloudBees Jenkins Enterprise - Managed controller (CJE-MM)
- CloudBees Jenkins Enterprise - Operations center (CJE-OC)
Required Data check list
- Explanation of your desired Authorization set-up
- Existing configuration depending on your case:
Case A: RBAC configuration in Client controller managed by an Operation Center
- Support Bundle of the Operation Center
- Support Bundle of the Master
- Issued User WhoAmI outputs
- RBAC Report for Operation Center
- RBAC Report for Master
- RBAC definition for Operation Center
- RBAC definition for Master
- Custom logger
- Traces for audit plugin in the jenkins.log
Description of the items
Explanation of your desired Authorization set-up
- Who - Users/Groups (external).
- What - Permissions.
- Where - Containers (e.g. for a specific item like a controller or folder, or in the whole instance).
RBAC Reports and Definition from your existing configuration might help to understand the new Authorization model implementation.
Support bundle
A support bundle from the Jenkins instance, generated while the issue is occurring. Please follow the KB below if you don’t know how to generate a support bundle.
RBAC Report
Prerequisite: you need the Overall - RunScripts Admin permission to run the following scripts.
RBAC configuration is defined at different container levels (Root, Client controllers, Folders and particular items) thus the following scripts get an RBAC report by going through those containers and retrieving their RBAC definition.
Copy the output from executing this script in JENKINS_URL/script and paste it into a new file named $JENKINS_DOMAIN.rbac.txt
RBAC Definition
- nectar-rbac.xml for RBAC group configuration at root level, including roles.
- the config.xml of the folder where you wish to restrict its access plus its parent folders.
In the following example, if you need assistance restricting access to Example Project 2, where Example.job 5 and 6 are hosted, the following files would be needed: JENKINS_HOME/nectar-rbac.xml, JENKINS_HOME/Example Team B/config.xml and JENKINS_HOME/Example Team B/Example Project 2/config.xml.
--- ROOT
    |--- Example Team B
        |--- Example Project 1
        |--- Example Project 2
            |--- Example.job 5
            |--- Example.job 6
WhoAmI
If there is a particular user you are having issues with, log in with that user (or if it’s not you, ask the user encountering the issue to) and attach the screenshots from:
- $JENKINS_URL/roles/whoAmI
- $JENKINS_URL/whoAmI
Custom loggers
Before reproducing the issue, create a custom logger with the following packages at FINEST log level:
- nectar.plugins.rbac
- com.cloudbees.opscenter.server.rbac
- hudson.security
- Package from the plugin: jenkins.security.plugins
Traces for audit plugin in the jenkins.log
If you observe that RBAC Groups and Roles are being modified, install the Audit plugin and search for traces like plugin/nectar-rbac/manage/configSubmit in the jenkins.log:
Jan 6, 2020 1:48:43,490 PM /plugin/nectar-rbac/manage/configSubmit by example_user
Jan 24, 2019 3:49:45,265 PM /plugin/nectar-rbac/manage/configSubmit by example_user
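The search described above can be scripted so that every RBAC configuration submit is listed chronologically and grouped per user. This is an added example, not CloudBees code; it assumes the log lines follow the format of the traces shown above (optionally with a context path before /plugin), and the sample log embedded in it is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: same format as the traces above, plus one unrelated
# configSubmit (a folder config change) that must not be reported.
SAMPLE_LOG = """\
Jan 6, 2020 1:48:43,490 PM /plugin/nectar-rbac/manage/configSubmit by example_user
Jan 24, 2019 3:49:45,265 PM /plugin/nectar-rbac/manage/configSubmit by example_user
Jan 6, 2020 1:50:02,118 PM /job/Example%20Team%20B/configSubmit by other_user
Jan 7, 2020 9:15:00,001 AM /plugin/nectar-rbac/manage/configSubmit by other_user
"""

# Timestamp, request URI ending in the RBAC manage/configSubmit path, user.
# The leading \S* tolerates a context path such as /jenkins (assumption).
TRACE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2},\d{3} [AP]M) "
    r"(?P<uri>\S*/plugin/nectar-rbac/manage/configSubmit) by (?P<user>\S+)$"
)
TS_FORMAT = "%b %d, %Y %I:%M:%S,%f %p"


def rbac_changes(lines):
    """Return (timestamp, user) for each RBAC configSubmit trace, oldest first."""
    events = []
    for line in lines:
        m = TRACE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], TS_FORMAT), m["user"]))
    return sorted(events)


def changes_by_user(events):
    """Group the change timestamps per user to see who modified RBAC and when."""
    by_user = defaultdict(list)
    for ts, user in events:
        by_user[user].append(ts)
    return dict(by_user)


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open("jenkins.log") for a real log.
    for ts, user in rbac_changes(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(sep=" ", timespec="milliseconds"), user)
```

Attaching the resulting list alongside the RBAC report makes it easier to correlate an unexpected permission change with the user and time of the submit.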