Issue

• My RBAC configuration is not working as expected.

Prerequisite

CloudBees support reports that most RBAC issues are caused by lack of experience with RBAC. Before jumping to a particular RBAC implementation, we recommend that you try to reproduce an example scenario; choose the one that is appropriate for your instance:

• Case A: RBAC configuration in Client Master managed by an Operation Center
• Case B: RBAC configuration in an isolated Client Master

More references in CloudBees RBAC, pay special attention to the sample configuration chapter.

Required Data RBAC issues

Having gained the necessary skills, in the case you still have some questions about your particular implementation follow this article to collect the minimum required information for troubleshooting RBAC issues.

If the required data is bigger than 20 MB you will not be able to use ZenDesk to upload all the information. In this case we would like to encourage you to use our upload service in order to attach all the required information.

Environment

• CloudBees Jenkins Enterprise - Managed Master (CJE-MM)
• CloudBees Jenkins Enterprise - Operations Center (CJE-OC)
• CloudBees Jenkins Platform - Client Master (CJP-CM)
• CloudBees Jenkins Platform - Operations Center (CJP-OC)

Required Data check list

• Explanation of your desired Authorization set-up
• Existing configuration depending on your case:

Case A: RBAC configuration in Client Master managed by an Operation Center

• Support Bundle of the Operation Center
• Support Bundle of the Master
• Issued User WhoAmI outputs
• RBAC Report for Operation Center
• RBAC Report for Master
• RBAC definition for Operation Center
• RBAC definition for Master
• Custom logger
• Traces for audit plugin in the jenkins.log

Case B: RBAC configuration in an isolated Client Master

• Support Bundle of the Master
• Issued User WhoAmI outputs
• RBAC Report for the Master
• RBAC definition for the Master
• Custom logger
• Traces for audit plugin in the jenkins.log

Description of the items

Explanation of your desired Authorization set-up

• Who - Users/Groups (external).
• What - Permissions.
• Where - Containers (e.g for specific item like master, folder or in the whole instance).

RBAC Reports and Definition from your existing configuration might help to understand the new Authorization model implementation.

Support bundle

A support bundle from the Jenkins instance while the issue is exposed. Please, follow the KB below in case you don’t know how to generate a support bundle.

• What is a support-bundle and how to create one

RBAC Report

Prerequisite: you need Overall - RunScripts Admin permission to the run the following scripts.

RBAC configuration is defined at different container levels (Root, Client Masters, Folders and particular items) thus the following scripts get an RBAC report by going through those containers and retrieving their RBAC definition.

Copy the output from executing this script in JENKINS_URL/script and paste to new file $JENKINS_DOMAIN.rbac.txt

RBAC Definition

• nectar-rbac.xml for RBAC group configuration at root level, including roles.
• the config.xml of the folder where you wish to restrict its access plus its parent folders.

In the following example, if you need assistance to restrict access to Example Project 2 where Example.job 5 and 6 are hosted, these following files would be needed: JENKINS_HOME/nectar-rbac.xml, JENKINS_HOME/Example Team B/config.xml and JENKINS_HOME/Example Team B/Example Project 2/config.xml

.
--- ROOT
    |--- Example Team B
        |--- Example Project 1
        |--- Example Project 2
            |--- Example.job 5
            |--- Example.job 6

WhoAmI

If there is a particular user you are having issues with, log in with that user and attach the screenshots from:

• $JENKINS_URL/roles/whoAmI
• $JENKINS_URL/whoAmI

Custom loggers

Before reproducing the issue, create a custom logger with the following packages at FINEST log level:

• nectar.plugins.rbac
• com.cloudbees.opscenter.server.rbac
• hudson.security
• Package from the plugin: jenkins.security.plugins

Traces for audit plugin in the jenkins.log

In the case you are observing that RBAC Group and Roles and are being modified, install Audit plugin) and search for traces like plugin/nectar-rbac/manage/configSubmit in the jenkins.log

1 Jan 6, 2020 1:48:43,490 PM /plugin/nectar-rbac/manage/configSubmit by example_user
1 Jan 24, 2019 3:49:45,265 PM /plugin/nectar-rbac/manage/configSubmit by  example_user