Issue

My RBAC configuration is not working as expected.

Prerequisite

CloudBees support reports that most RBAC issues are caused by lack of experience with RBAC. Before jumping to a particular RBAC implementation, we recommend that you try to reproduce an example scenario; choose the one that is appropriate for your instance:

Case A: RBAC configuration in Client controller managed by an Operation Center
Case B: RBAC configuration in an isolated Client controller

More references in CloudBees RBAC, pay special attention to the sample configuration chapter.

Required Data RBAC issues

Having gained the necessary skills, in the case you still have some questions about your particular implementation follow this article to collect the minimum required information for troubleshooting RBAC issues.

If the required data is bigger than 50 MB you will not be able to use ZenDesk to upload all the information. In this case we would like to encourage you to use our upload service in order to attach all the required information.

Environment

CloudBees Jenkins Enterprise - Managed controller (CJE-MM)
CloudBees Jenkins Enterprise - Operations Center (CJE-OC)
CloudBees Jenkins Platform - Client controller (CJP-CM)
CloudBees Jenkins Platform - Operations Center (CJP-OC)

Required Data check list

Explanation of your desired Authorization set-up
Existing configuration depending on your case:

Case A: RBAC configuration in Client controller managed by an Operation Center

Support Bundle of the Operation Center
Support Bundle of the Master
Issued User WhoAmI outputs
RBAC Report for Operation Center
RBAC Report for Master
RBAC definition for Operation Center
RBAC definition for Master
Custom logger
Traces for audit plugin in the jenkins.log

Case B: RBAC configuration in an isolated Client controller

Support Bundle of the Master
Issued User WhoAmI outputs
RBAC Report for the Master
RBAC definition for the Master
Custom logger
Traces for audit plugin in the jenkins.log

Description of the items

Explanation of your desired Authorization set-up

Who - Users/Groups (external).
What - Permissions.
Where - Containers (e.g for specific item like controller, folder or in the whole instance).

RBAC Reports and Definition from your existing configuration might help to understand the new Authorization model implementation.

Support bundle

A support bundle from the Jenkins instance while the issue is exposed. Please, follow the KB below in case you don’t know how to generate a support bundle.

What is a support-bundle and how to create one

RBAC Report

Prerequisite: you need Overall - RunScripts Admin permission to the run the following scripts.

RBAC configuration is defined at different container levels (Root, Client controllers, Folders and particular items) thus the following scripts get an RBAC report by going through those containers and retrieving their RBAC definition.

Copy the output from executing this script in JENKINS_URL/script and paste to new file $JENKINS_DOMAIN.rbac.txt

RBAC Definition

nectar-rbac.xml for RBAC group configuration at root level, including roles.
the config.xml of the folder where you wish to restrict its access plus its parent folders.

In the following example, if you need assistance to restrict access to Example Project 2 where Example.job 5 and 6 are hosted, these following files would be needed: JENKINS_HOME/nectar-rbac.xml, JENKINS_HOME/Example Team B/config.xml and JENKINS_HOME/Example Team B/Example Project 2/config.xml

.
--- ROOT
    |--- Example Team B
        |--- Example Project 1
        |--- Example Project 2
            |--- Example.job 5
            |--- Example.job 6

WhoAmI

If there is a particular user you are having issues with, log in with that user (or if it’s not you, ask the user encountering the issue to) and attach the screenshots from:

$JENKINS_URL/roles/whoAmI
$JENKINS_URL/whoAmI

Custom loggers

Before reproducing the issue, create a custom logger with the following packages at FINEST log level:

nectar.plugins.rbac
com.cloudbees.opscenter.server.rbac
hudson.security
Package from the plugin: jenkins.security.plugins

Traces for audit plugin in the jenkins.log

In the case you are observing that RBAC Group and Roles and are being modified, install Audit plugin) and search for traces like plugin/nectar-rbac/manage/configSubmit in the jenkins.log

1 Jan 6, 2020 1:48:43,490 PM /plugin/nectar-rbac/manage/configSubmit by example_user
1 Jan 24, 2019 3:49:45,265 PM /plugin/nectar-rbac/manage/configSubmit by  example_user

Required Data: RBAC issues