
Rights for "Authenticated Users" are overriding individual rights #185

Open
aubertaa opened this issue Jan 27, 2022 · 2 comments

Comments

@aubertaa

Jenkins and plugins versions report

Environment
Jenkins: 2.319.1
OS: Linux - 5.4.0-1060-aws
---
Office-365-Connector:4.15.2
PrioritySorter:4.0.1
ace-editor:1.1
active-directory:2.25
amazon-ecr:1.7
analysis-model-api:10.8.1
android-emulator:3.1.3
ansicolor:1.0.1
ant:1.13
antisamy-markup-formatter:2.6
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:1.33
aws-java-sdk:1.12.131-302.vbef9650c6521
aws-java-sdk-cloudformation:1.12.131-302.vbef9650c6521
aws-java-sdk-codebuild:1.12.131-302.vbef9650c6521
aws-java-sdk-ec2:1.12.131-302.vbef9650c6521
aws-java-sdk-ecr:1.12.131-302.vbef9650c6521
aws-java-sdk-ecs:1.12.131-302.vbef9650c6521
aws-java-sdk-elasticbeanstalk:1.12.131-302.vbef9650c6521
aws-java-sdk-iam:1.12.131-302.vbef9650c6521
aws-java-sdk-logs:1.12.131-302.vbef9650c6521
aws-java-sdk-minimal:1.12.131-302.vbef9650c6521
aws-java-sdk-ssm:1.12.131-302.vbef9650c6521
azure-ad:189.v2da14dccdb43
azure-sdk:84.v53035e83f3c2
badge:1.9
blueocean:1.25.2
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.25.2
blueocean-commons:1.25.2
blueocean-config:1.25.2
blueocean-core-js:1.25.2
blueocean-dashboard:1.25.2
blueocean-display-url:2.4.1
blueocean-events:1.25.2
blueocean-git-pipeline:1.25.2
blueocean-github-pipeline:1.25.2
blueocean-i18n:1.25.2
blueocean-jira:1.25.2
blueocean-jwt:1.25.2
blueocean-personalization:1.25.2
blueocean-pipeline-api-impl:1.25.2
blueocean-pipeline-editor:1.25.2
blueocean-pipeline-scm-api:1.25.2
blueocean-rest:1.25.2
blueocean-rest-impl:1.25.2
blueocean-web:1.25.2
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.3-4
bouncycastle-api:2.25
branch-api:2.7.0
build-monitor-plugin:1.13+build.202112271752
build-pipeline-plugin:1.5.8
build-timeout:1.20
build-user-vars-plugin:1.8
built-on-column:1.1
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
claim:2.18.2
cloudbees-bitbucket-branch-source:734.v2f848c5e6ea2
cloudbees-folder:6.17
cobertura:1.17
code-coverage-api:2.0.4
command-launcher:1.6
compress-artifacts:1.10
conditional-buildstep:1.4.1
config-file-provider:3.8.2
configuration-as-code:1.55.1
configuration-as-code-groovy:1.1
configurationslicing:1.52
copyartifact:1.46.2
cors-filter:1.1
credentials:1055.v1346ba467ba1
credentials-binding:1.27
cvs:2.19
cygpath:1.5
dashboard-view:2.18
data-tables-api:1.11.3-6
datadog:3.4.0
delivery-pipeline-plugin:1.4.2
dependency-check-jenkins-plugin:5.1.2
discard-old-build:1.05
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
doxygen:0.18
dropdown-viewstabbar-plugin:1.7
dtkit-api:3.0.0
durable-task:493.v195aefbb0ff2
ec2:1.66
ec2-fleet:2.4.1
echarts-api:5.2.2-2
email-ext:2.86
embeddable-build-status:2.0.3
envinject:2.4.0
envinject-api:1.8
extended-choice-parameter:0.82
external-monitor-job:1.7
extra-columns:1.25
favorite:2.3.3
file-operations:1.11
font-awesome-api:5.15.4-5
forensics-api:1.7.0
ftppublisher:1.2
gallio:1.8
gatling:1.3.0
git:4.10.1
git-client:3.10.1
git-parameter:0.9.14
git-server:1.10
github:1.34.1
github-api:1.301-378.v9807bd746da5
github-branch-source:2.11.4
gitlab-plugin:1.5.26
global-build-stats:1.5
global-variable-string-parameter:1.2
golang:1.4
google-oauth-plugin:1.0.6
gradle:1.37.1
groovy:2.4
groovy-postbuild:2.5
h2-api:1.4.199
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
heavy-job:1.1
htmlpublisher:1.28
http_request:1.12
ignore-committer-strategy:1.0.4
jackson2-api:2.13.1-244.v773c36c5b330
jacoco:3.3.1
javadoc:1.6
javax-activation-api:1.2.0-2
javax-mail-api:1.6.2-5
jaxb:2.3.0.1
jdk-tool:1.5
jenkins-design-language:1.25.2
jenkins-multijob-plugin:1.36
jersey2-api:2.35-3
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
job-import-plugin:3.4
jobConfigHistory:2.31-rc1098.b666422863b2
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes-cli:1.10.3
kubernetes-client-api:5.11.1-179.v12037658df90
kubernetes-credentials:0.9.0
ldap:2.7
lockable-resources:2.13
log-parser:2.2
mailer:1.34
mapdb-api:1.0.9.0
mask-passwords:3.0
matrix-auth:3.0
matrix-project:1.19
maven-plugin:3.16
mercurial:2.16
metrics:4.0.2.8
momentjs:1.1.1
monitoring:1.90.0
msbuild:1.30
mstest:1.0.0
mstestrunner:1.3.0
naginator:1.18.1
nant:1.4.3
node-iterator-api:1.5.1
nodejs:1.4.3
nunit:0.27
oauth-credentials:0.5
okhttp-api:4.9.3-105.vb96869f8ac3a
pam-auth:1.6.1
parameterized-trigger:2.43
pipeline-build-step:2.15
pipeline-github-lib:1.0
pipeline-graph-analysis:188.v3a01e7973f2c
pipeline-input-step:427.va6441fa17010
pipeline-maven:3.10.0
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.3
pipeline-model-definition:1.9.3
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.20
pipeline-stage-step:291.vf0a8a7aeeb50
pipeline-stage-tags-metadata:1.9.3
pipeline-stage-view:2.20
pipeline-utility-steps:2.11.0
plain-credentials:1.7
plugin-util-api:2.12.0
popper-api:1.16.1-2
popper2-api:2.11.2-1
port-allocator:1.8
postbuild-task:1.9
postbuildscript:3.1.0-348.vaf5cd5c632ce
powershell:1.7
preSCMbuildstep:0.3
prism-api:1.25.0-2
publish-over:0.22
publish-over-cifs:0.16
publish-over-ftp:1.16
pubsub-light:1.16
purge-job-history:1.6
radiatorviewplugin:1.29
release:2.13
resource-disposer:0.17
run-condition:1.5
s3:0.12.1
saferestart:0.3
scalable-amazon-ecs:1.0
scm-api:2.6.5
script-security:1118.vba21ca2e3286
scriptler:3.4
seleniumhtmlreport:1.1
simple-theme-plugin:0.7
slack:2.49
sloccount:1.25
snakeyaml-api:1.29.1
snsnotify:2.0
sonar:2.14
sse-gateway:1.24
ssh:2.6.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.33.0
ssh-steps:2.0.0
sshd:3.1.0
statistics-gatherer:2.0.3
strict-crumb-issuer:2.1.0
structs:308.v852b473a2b8c
subversion:2.15.1
swarm:3.29
test-results-analyzer:0.3.5
text-finder:1.17
thinBackup:1.10
throttle-concurrents:2.6
timestamper:1.15
token-macro:267.vcdaea6462991
translation:1.16
trilead-api:1.0.13
variant:1.4
view-job-filters:2.3
vstestrunner:1.0.8
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:1108.v57edf648f5d4
workflow-basic-steps:2.24
workflow-cps:2648.va9433432b33c
workflow-cps-global-lib:552.vd9cc05b8a2e1
workflow-durable-task-step:1112.vda00e6febcc1
workflow-job:1145.v7f2433caa07f
workflow-multibranch:696.v52535c46f4c9
workflow-scm-step:2.13
workflow-step-api:615.vb09dac339255
workflow-support:804.vba10a18a1476
ws-cleanup:0.40
xcode-plugin:2.0.15
xunit:3.0.5

What Operating System are you using (both controller, and any agents involved in the problem)?

Master is on: OS Linux - 5.4.0-1060-aws
No other system is involved in reproducing the issue.

Reproduction steps

  1. Configure Jenkins to use "Azure Active Directory Matrix-based security".
  2. Set no specific rights for "anonymous users" and for "Authenticated users".
  3. Set all rights for an existing AD user:

I tested this in an isolated context, by creating a new job and choosing "Do not inherit permission grants from other ACLs", then setting the permissions as described above:

[screenshot]

  4. Then try to read the job history by calling:
  • YOURJOBURL/api/json?tree=allBuilds[result,number,timestamp,duration,id]&depth=20
  • Authentication Basic: your user name / API token

You'll get a 404.

  5. Just add "read" permission to "Authenticated users".

[screenshot]

  6. Try again to read the job history by running the API call again; you'll get a valid result.

It seems that giving rights to a specific user is not well considered. Needing to also give rights to a larger group seems to be a regression and does not conform to "least privilege" security common practices.

Thanks for your help on that.

Expected Results

Individual rights should override more global ones : extending rights for a specific user should be possible.

Actual Results

Individual rights are overridden by "Authenticated users" ones.

Anything else?

No response

@aubertaa aubertaa added the bug label Jan 27, 2022
@aubertaa aubertaa changed the title Rights for "Authenticated Users" are overriding indivual rights Rights for "Authenticated Users" are overriding individual rights Feb 18, 2022
@wolfmah

wolfmah commented Mar 3, 2022

I'm experiencing the exact same behaviour.

In our config, we have:

jenkins:
  authorizationStrategy:
    azureAdMatrix:
      permissions:
        - "GROUP:Job/Build:authenticated"
        - "GROUP:Job/Cancel:authenticated"
        - "GROUP:Job/Read:authenticated"
        - "GROUP:Job/Workspace:authenticated"
        - "GROUP:Overall/Administer:Jenkins Admin (33c17c58-2834-4109-ba02-09364679a0e1)"
        - "GROUP:Overall/Read:authenticated"
        - "GROUP:Run/Replay:authenticated"
        - "GROUP:View/Read:authenticated"
        - "USER:Job/Build:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
        - "USER:Job/Create:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
        - "USER:Run/Delete:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"

With the above:

  • Ordinary developers that have a valid AD account are correctly assigned their permissions.
  • People belonging to the group Jenkins Admin are correctly assigned their permissions.
  • The user Jenkins Bot doesn't get its permissions, i.e. Jenkins Bot is never recognized to have the Run/Delete permission. Though, if I add Run/Delete to the group authenticated, Jenkins Bot is allowed to delete runs.

I'm pretty sure it's one of these two things:

  • The user never gets mapped properly and it's silently defaulting to the group authenticated.
  • There's a bug in the code where the group authenticated is overpowering permissions from a single user.
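The following script is an added example, not code from the azure-ad plugin, from matrix-auth, or from either commenter. It models the expected additive semantics of matrix-based authorization (a principal holds a permission if it is granted to the user's own sid or to any group the user belongs to) for the JCasC entries quoted in the comment above, so an administrator can compute what a user should have and diff it against what the server actually honours; it also wraps the API probe from the reproduction steps in the original report. The entry format `KIND:Permission:sid`, the `authenticated` group, the sids and the permission names are taken from the thread; the function names, the "alice" job-level scenario, and the OBSERVED set derived from the reported behaviour are constructed for this example.

```python
"""Additive (union) model of matrix-based authorization, plus an API probe.

Added example, not code from the azure-ad plugin or the issue participants.
Assumes the JCasC entry format quoted in the thread ("KIND:Permission:sid")
and the standard matrix-auth rule that a principal holds a permission when
it is granted to the user's own sid OR to any group the user belongs to.
"""
import base64
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Entries copied from the JCasC snippet in the thread.
PERMISSIONS = [
    "GROUP:Job/Build:authenticated",
    "GROUP:Job/Cancel:authenticated",
    "GROUP:Job/Read:authenticated",
    "GROUP:Job/Workspace:authenticated",
    "GROUP:Overall/Administer:Jenkins Admin (33c17c58-2834-4109-ba02-09364679a0e1)",
    "GROUP:Overall/Read:authenticated",
    "GROUP:Run/Replay:authenticated",
    "GROUP:View/Read:authenticated",
    "USER:Job/Build:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)",
    "USER:Job/Create:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)",
    "USER:Run/Delete:Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)",
]


def parse_entries(entries):
    """Map (kind, sid) -> set of permissions from 'KIND:Perm:sid' strings.

    The sid is everything after the second colon, so display names with
    spaces or parentheses survive intact and can be compared byte-for-byte
    with the sid Jenkins shows for the logged-in user.
    """
    grants = {}
    for entry in entries:
        kind, perm, sid = entry.split(":", 2)
        if kind not in ("USER", "GROUP"):
            raise ValueError(f"unknown entry kind in {entry!r}")
        grants.setdefault((kind, sid), set()).add(perm)
    return grants


def effective_permissions(grants, user, groups):
    """Expected (additive) set: USER grants for `user` unioned with the
    GROUP grants of every group in `groups`."""
    perms = set(grants.get(("USER", user), ()))
    for group in groups:
        perms |= grants.get(("GROUP", group), set())
    return perms


def group_only_permissions(grants, groups):
    """What a principal gets if its USER entries are ignored: the behaviour
    both reporters describe, where only group grants take effect."""
    return effective_permissions(grants, user=None, groups=groups)


def unexplained_denials(expected, observed):
    """Permissions the configuration grants but the server did not honour."""
    return expected - observed


def job_read_status(base_url, job_name, user, api_token, timeout=10):
    """HTTP status of the job's JSON API for the given Basic credentials.

    Jenkins answers 404 (not 403) for items the caller lacks Item/Read on,
    so 404 here means "no read permission" or "no such job". This performs a
    network call and is not exercised by the offline checks.
    """
    tree = "allBuilds[result,number,timestamp,duration,id]"
    url = (f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job_name)}"
           f"/api/json?tree={tree}&depth=20")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    grants = parse_entries(PERMISSIONS)
    bot = "Jenkins Bot (b9fec34d-16a5-4a76-9657-e05232dd588c)"
    expected = effective_permissions(grants, bot, ["authenticated"])
    # Observed set modelled from the comment: only group grants apply.
    observed = group_only_permissions(grants, ["authenticated"])
    print("granted to the bot but not honoured:",
          sorted(unexplained_denials(expected, observed)))
```

Run offline, the diff for Jenkins Bot comes out as Job/Create and Run/Delete: exactly the USER-only grants, while Job/Build is honoured only because the authenticated group also carries it. Applied to the original report's isolated job (all rights to one user, none to authenticated), the group-only model yields an empty set, which is consistent with the 404 the reporter sees from `job_read_status`. Because `parse_entries` keeps the sid verbatim, comparing it with the sid Jenkins reports for the logged-in user is the quickest way to separate the two hypotheses above (a sid that never matches versus group grants overriding user grants).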

@timja
Member

timja commented Mar 3, 2022

Thanks, will try to reproduce in the next few days.
