[JIRA] (JENKINS-58479) Failing to retrieve teams


kmushegian@gmail.com (JIRA)

Jul 12, 2019, 2:31:02 PM
to jenkinsc...@googlegroups.com
Kote Mushegiani created an issue
 
Jenkins / Bug JENKINS-58479
Failing to retrieve teams
Issue Type: Bug
Assignee: Sam Gleske
Attachments: Screen Shot 2019-07-12 at 11.17.29 AM.png
Components: github-oauth-plugin
Created: 2019-07-12 18:30
Labels: oauth matrix-auth
Priority: Blocker
Reporter: Kote Mushegiani

I'm trying to set up Matrix-based Authorization Strategy for my team, which requires me to grant permissions to users based on GitHub team membership.

Following the instructions on the wiki, I'm specifying the group name as "org_name*team_name", but I'm getting the following error:

 

 

org_name*engineering
org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams
    at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529)
    at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494)
    at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44)
    at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32)
    at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89)
    at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544)
    at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794)
    at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157)
    at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)

 

 

 

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

kmushegian@gmail.com (JIRA)

Jul 12, 2019, 2:35:01 PM
to jenkinsc...@googlegroups.com
Kote Mushegiani updated an issue
Change By: Kote Mushegiani
Jenkins Version: 2.176.1

Github Authentication Plugin Version: 0.32

I'm trying to set up Matrix-based Authorization Strategy for my team, which requires me to grant permissions to users based on GitHub team membership.

Following the instructions on the wiki, I'm specifying the group name as "org_name*team_name", but I'm getting the following error:

 

 
{code:java}
org_name*engineering
org.kohsuke.github.GHException: Failed to retrieve https://api.github.com/orgs/org_name/teams
    at org.kohsuke.github.Requester$PagingIterator.fetch(Requester.java:529)
    at org.kohsuke.github.Requester$PagingIterator.hasNext(Requester.java:494)
    at org.kohsuke.github.PagedIterator.fetch(PagedIterator.java:44)
    at org.kohsuke.github.PagedIterator.hasNext(PagedIterator.java:32)
    at org.kohsuke.github.GHOrganization.getTeamByName(GHOrganization.java:89)
    at org.jenkinsci.plugins.GithubAuthenticationToken.loadTeam(GithubAuthenticationToken.java:544)
    at org.jenkinsci.plugins.GithubSecurityRealm.loadGroupByGroupname(GithubSecurityRealm.java:794)
    at org.jenkinsci.plugins.matrixauth.AuthorizationContainerDescriptor.doCheckName_(AuthorizationContainerDescriptor.java:157)
    at hudson.security.GlobalMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(GlobalMatrixAuthorizationStrategy.java:222)
    at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
{code}
 


We are currently successfully using the GitHub Committer Authorization Strategy; however, it's becoming a necessity to add permissions based on user groups, such as letting devs replay jobs.

 

kmushegian@gmail.com (JIRA)

Jul 25, 2019, 6:32:02 PM
to jenkinsc...@googlegroups.com
Kote Mushegiani commented on Bug JENKINS-58479
 
Re: Failing to retrieve teams

Has anyone taken a look at this? Or are there any updates?

sam.mxracer@gmail.com (JIRA)

Aug 5, 2019, 10:23:02 PM
to jenkinsc...@googlegroups.com

There's a bug in the OAuth plugin where you must reference team name by common name and not by slug.

So, if your engineering team is actually Engineering in the GitHub UI, then it must match that. I'll reference the existing issue when I find it.

sam.mxracer@gmail.com (JIRA)

Aug 5, 2019, 10:24:02 PM
to jenkinsc...@googlegroups.com

kmushegian@gmail.com (JIRA)

Aug 6, 2019, 7:07:01 PM
to jenkinsc...@googlegroups.com

Sam Gleske so, should I be able to input `ORGNAME*Engineering`? I tried this and it throws the same error.

The team is called "Engineering" in the GitHub UI, and is referenced as `@ORGNAME/engineering`. I guess that's the slug?

The URL for the team is https://github.com/orgs/ORGNAME/teams/engineering

clarkster82@gmail.com (JIRA)

Aug 6, 2019, 11:15:02 PM
to jenkinsc...@googlegroups.com
Paul Clark assigned an issue to Paul Clark
Change By: Paul Clark
Assignee: Sam Gleske → Paul Clark

juha.tiensyrja@arm.com (JIRA)

Aug 8, 2019, 7:52:01 AM
to jenkinsc...@googlegroups.com

We are experiencing the same issue. Our existing configuration stopped working yesterday, probably after upgrading the GitHub OAuth plugin to 0.33.

clarkster82@gmail.com (JIRA)

Aug 8, 2019, 3:51:03 PM
to jenkinsc...@googlegroups.com
Paul Clark assigned an issue to Sam Gleske
Change By: Paul Clark
Assignee: Paul Clark → Sam Gleske

sam.mxracer@gmail.com (JIRA)

Aug 10, 2019, 10:17:03 AM
to jenkinsc...@googlegroups.com

Kote Mushegiani if you visit https://[your Jenkins instance]/whoAmI all known authorities for your user will be there. If the name you have in matrix auth does not match the name in granted authorities then users will not have access. Find a user who's in the Engineering GitHub team and see what authorities they have granted.

I can't reproduce this issue myself. Juha Tiensyrjä can you describe in more detail what, specifically, stopped working? There were definite issues with the 0.32 version of the plugin that were fixed in 0.33. However, the fix was only to backend code on the globalSecurity page and should not have made a difference to your configuration itself.

Without more detail and steps to reproduce I don't know how else to approach this issue. It passes all of my local testing when trying to reproduce what this issue describes.

sam.mxracer@gmail.com (JIRA)

Aug 10, 2019, 10:22:04 AM
to jenkinsc...@googlegroups.com

Kote Mushegiani I also forgot to mention that you need to upgrade to github-oauth 0.33 because plugin version 0.32 suffers from a critical bug in matrix auth. See JENKINS-57154 for details.

juha.tiensyrja@arm.com (JIRA)

Aug 12, 2019, 2:10:03 AM
to jenkinsc...@googlegroups.com

I believe that the plugin upgrade was coincidental / a red herring related to something either GitHub or one of the organization admins did and only manifested once we restarted the Jenkins instance with the new plugin version. We fixed the problem by revoking the OAuth application privileges from the GitHub organization settings page, logging in with the machine user whose token is used for the OAuth app, requesting permissions and having one of the org admins approve those permissions. After that, no more errors.

kmushegian@gmail.com (JIRA)

Aug 12, 2019, 2:09:02 PM
to jenkinsc...@googlegroups.com

Sam Gleske I will try upgrading the plugin and setting up the matrix auth.

 

I'm in the Engineering GitHub team, but the only authority I see is `authenticated`. I guess after I switch to matrix auth that will change?

Could you advise on what the risks are of being locked out as a result of setting matrix auth wrong? Does 0.33 still require referencing the team name by its common name and not slug?

kmushegian@gmail.com (JIRA)

Aug 12, 2019, 5:14:03 PM
to jenkinsc...@googlegroups.com

After upgrading the plugin, I still see the same error when trying to add a group to matrix auth in the following way "ORGNAME*engineering" or "ORGNAME*Engineering"

sam.mxracer@gmail.com (JIRA)

Aug 25, 2019, 9:42:02 PM
to jenkinsc...@googlegroups.com

Strange, I can't seem to be able to replicate your issue. You should be able to see your own granted authorities under:

Kote Mushegiani Is it possible that you didn't grant your OAuth app permission to view the org and its teams? GitHub now allows orgs to restrict team only to allowed OAuth apps. In that case, the plugin wouldn't be able to query teams of the org. See the earlier comment by Juha Tiensyrjä which is a similar situation to the one I describe.

The risks of being locked out are similar to the risks with other plugins. The only way to recover would be to edit the root config.xml and restore your access. Personally, I configure my own username in addition to teams to ensure that my specific user doesn't lose access when configuring matrix authorization.

Does 0.33 still require referencing the team name by its common name and not slug?

Yes, the plugin still has bug JENKINS-34835 where you must reference teams by common name and not slug.
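
The checks discussed in this thread, as an added example that is not part of the thread or of the plugin's code: a small lint for matrix-auth rows that flags a team referenced by slug instead of display name, and lists team rows missing from a team member's whoAmI authorities. It assumes authorities use the same `ORG*Team` form as the group names above and that the match is exact; the function names and the sample team data are hypothetical.

```python
SEP = "*"  # org/team separator in group names, as in "org_name*team_name"

# Constructed sample data. Each team carries the "name" and "slug" fields
# that GitHub's team listing returns; ORGNAME is the thread's placeholder.
TEAMS_BY_ORG = {
    "ORGNAME": [
        {"name": "Engineering", "slug": "engineering"},
        {"name": "Release Managers", "slug": "release-managers"},
    ],
}


def classify(entry, teams_by_org):
    """Return (status, suggested_entry) for one matrix-auth row."""
    if SEP not in entry:
        return ("not-a-team", None)  # plain username or org row
    org, team = entry.split(SEP, 1)
    teams = teams_by_org.get(org)
    if teams is None:
        # No team listing for this org, e.g. the OAuth app is not approved.
        return ("org-not-visible", None)
    if any(t["name"] == team for t in teams):
        return ("ok", entry)
    for t in teams:
        if team.lower() in (t["slug"], t["name"].lower()):
            # Slug or wrong case: suggest the display name instead.
            return ("use-display-name", org + SEP + t["name"])
    return ("unknown-team", None)


def not_granted(entries, authorities):
    """Team rows absent from a team member's whoAmI authorities."""
    granted = set(authorities)
    return [e for e in entries if SEP in e and e not in granted]


if __name__ == "__main__":
    rows = ["ORGNAME*engineering", "ORGNAME*Release Managers", "some-admin"]
    for row in rows:
        print(row, "->", classify(row, TEAMS_BY_ORG))
    # A member who only sees `authenticated` has no team authorities at all.
    print("missing:", not_granted(rows, ["authenticated"]))
```

A member whose whoAmI page lists only `authenticated` makes `not_granted` return every team row, which points at the team lookup itself (for example the OAuth app approval described above) rather than at the spelling of one row.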
