Bug 1736806

Summary: When using a locale other than "en", the "openshift-jenkins-login-plugin-config" ConfigMap cannot be applied to Jenkins configuration and leads to login failure
Product: OpenShift Container Platform
Component: Jenkins
Version: 3.11.0
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Reporter: Masatoshi Hayashi <mhayashi>
Assignee: Akram Ben Aissi <abenaiss>
QA Contact: XiuJuan Wang <xiuwang>
CC: abenaiss, calfonso, vbobade, wzheng
Last Closed: 2020-01-23 11:05:01 UTC
Type: Bug

Description Masatoshi Hayashi 2019-08-02 05:20:02 UTC
Description of problem:

When a user creates the ConfigMap "openshift-jenkins-login-plugin-config" to configure permissions for Jenkins operations, no users can log in to the Jenkins instance:

~~~
$ oc get -o yaml --export cm openshift-jenkins-login-plugin-config 
apiVersion: v1
data:
  Overall-Administer: admin,edit,jenkins
kind: ConfigMap
metadata:
  name: openshift-jenkins-login-plugin-config


$ oc logs jenkins-3-628lq
...
WARNING: OpenShift Jenkins Login Plugin could not find permission Overall-Administer in Jenkins list of all available permissions
Aug 02, 2019 5:06:25 AM org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
INFO: OpenShift Jenkins Login Plugin using role list []
Aug 02, 2019 5:06:27 AM org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm populateDefaults
~~~

After that, no users can log in to the Jenkins instance.

How can we configure openshift-jenkins-login-plugin-config?

See also:
https://github.com/openshift/jenkins-openshift-login-plugin#openshift-role-to-jenkins-permission-mapping

Version-Release number of selected component (if applicable):

OpenShift v3.11

Steps to Reproduce:
1. Create a Jenkins instance from the catalog on the OpenShift web console.
2. Create a ConfigMap "openshift-jenkins-login-plugin-config" with data "Overall-Administer: admin,edit,jenkins".
3. Confirm that no users can log in to the Jenkins instance.

Comment 1 Masatoshi Hayashi 2019-08-02 05:48:21 UTC
In the Jenkins Script Console, I can show the result:

~~~
println(hudson.security.Permission.getAll())
for (hudson.security.Permission permInSys : hudson.security.Permission.getAll()) {
  println(permInSys.group.title.toString())
  println(permInSys.name.trim())
}

全体
...
全体
Agent
Agent
...
ジョブ
ジョブ
ジョブ
~~~

Could the issue be related to language settings?

Comment 2 Akram Ben Aissi 2019-08-02 07:10:00 UTC
Hi Masatoshi,


Indeed, this could be related to a language setting. The code checking permissions is in this line:
https://github.com/openshift/jenkins-openshift-login-plugin/blob/4a779657157b7cbabc1fba233eba9b313b438674/src/main/java/org/openshift/jenkins/plugins/openshiftlogin/OpenShiftOAuth2SecurityRealm.java#L840


Could you also please set the log level to debug and check for log lines before:
"WARNING: OpenShift Jenkins Login Plugin could not find permission Overall-Administer in Jenkins list of all available permissions "

You should be able to see which Permission the plugin is getting from Jenkins.

Comment 3 Masatoshi Hayashi 2019-08-02 08:34:35 UTC
Hi Akram,

Thank you for your reply!

I got the debug log here:

~~~
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[0].trim() Overall
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.name.trim() Create
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[1].trim() Administer
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.group.title.toString().trim() 認証情報
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[0].trim() Overall
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.name.trim() Update
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[1].trim() Administer
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.group.title.toString().trim() 認証情報

...

Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.group.title.toString().trim() ビュー
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[0].trim() Overall
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.name.trim() Read
Aug 02, 2019 8:24:42 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[1].trim() Read
Aug 02, 2019 8:24:42 AM WARNING org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
OpenShift Jenkins Login Plugin could not find permission Overall-Read in Jenkins list of all available permissions
Aug 02, 2019 8:24:42 AM INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
OpenShift Jenkins Login Plugin using role list []
Aug 02, 2019 8:24:43 AM FINER org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm doCommenceLogin
~~~

Then I confirmed that changing the browser's language setting to English fixes the problem, and I can log in to Jenkins.

~~~
permInSys.name.trim() Build
Aug 02, 2019 8:28:21 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[1].trim() Build
Aug 02, 2019 8:28:21 AM INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
OpenShift Jenkins Login Plugin matching configured permission Job-Build to Jenkins permission Permission[interface hudson.model.Item,Build]
Aug 02, 2019 8:28:21 AM INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
OpenShift Jenkins Login Plugin adding permission Job-Build for role view
Aug 02, 2019 8:28:21 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.group.title.toString().trim() Overall
Aug 02, 2019 8:28:21 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[0].trim() Overall
Aug 02, 2019 8:28:21 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permInSys.name.trim() Administer
Aug 02, 2019 8:28:21 AM FINE org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm
permStrArr[1].trim() Administer
Aug 02, 2019 8:28:21 AM INFO org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap
OpenShift Jenkins Login Plugin matching configured permission Overall-Administer to Jenkins permission Permission[class hudson.model.Hudson,Administer]
~~~

Regards,
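The mismatch visible in the debug log above, modeled as an added example (not the plugin's code and not the shipped fix): the group part of a `Group-Name` key is compared with a group title rendered in the request's locale, so a Japanese session yields an empty role list. The permission table, locale codes, and the `role_map` and `login_roles` helpers are constructed for illustration; pinning the comparison to one locale is an assumption about one way to make the lookup stable.

```python
from dataclasses import dataclass

@dataclass
class Permission:
    owner: str    # class that owns the permission; never localized
    name: str     # permission name, e.g. "Administer"
    titles: dict  # locale -> group title as rendered for that locale

    def group_title(self, locale):
        return self.titles.get(locale, self.titles["en"])

# Constructed sample table; the titles are strings that appear in this report.
PERMISSIONS = [
    Permission("hudson.model.Hudson", "Administer", {"en": "Overall", "ja": "全体"}),
    Permission("hudson.model.Hudson", "Read", {"en": "Overall", "ja": "全体"}),
    Permission("hudson.model.Item", "Build", {"en": "Job", "ja": "ジョブ"}),
]

# Constructed ConfigMap data in the "Group-Name: role,role" form used above.
CONFIG = {"Overall-Administer": "admin,edit,jenkins", "Job-Build": "view"}

def role_map(config, permissions, title_locale):
    """Return (role -> {(owner, name)}, unmatched keys), comparing the group part
    of each key to group titles rendered in title_locale."""
    roles, unmatched = {}, []
    for key, role_csv in config.items():
        group, _, name = (part.strip() for part in key.partition("-"))
        hits = {(p.owner, p.name) for p in permissions
                if p.group_title(title_locale) == group and p.name == name}
        if not hits:
            unmatched.append(key)  # the "could not find permission" case
            continue
        for role in role_csv.split(","):
            roles.setdefault(role.strip(), set()).update(hits)
    return roles, unmatched

def login_roles(config, permissions, request_locale, pinned_locale=None):
    """Locale-dependent when pinned_locale is None; stable when it is set."""
    return role_map(config, permissions, pinned_locale or request_locale)

if __name__ == "__main__":
    for locale in ("en", "ja"):
        print(locale, "unpinned:", login_roles(CONFIG, PERMISSIONS, locale))
        print(locale, "pinned:  ", login_roles(CONFIG, PERMISSIONS, locale, "en"))
```

The unpinned Japanese case returns no roles and lists every key as unmatched, which corresponds to the `using role list []` line in the log.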

Comment 7 XiuJuan Wang 2019-11-08 03:37:57 UTC
Akram,
Thanks for the details.
I could reproduce this when the Firefox browser web page language is set to Japanese (the Chinese language works well :-0) with the 1.0.20 openshift-login plugin in 4.3.0-0.nightly-2019-11-07-172437.

~~~
2019-11-08 03:33:02 WARNING org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap OpenShift Jenkins Login Plugin could not find permission Overall-Administer in Jenkins list of all available permissions
2019-11-08 03:33:02 INFO    org.openshift.jenkins.plugins.openshiftlogin.OpenShiftOAuth2SecurityRealm getRoleToPermissionMap OpenShift Jenkins Login Plugin using role list []
~~~

Wait for https://jira.coreos.com/browse/ART-1239 processing

Comment 8 Wenjing Zheng 2019-11-15 06:56:28 UTC
Verified with quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b22fa609f3ac0e91bb114a8a0d18a3a6329a6f7f3b8c2225de4ad2a06c7b766f:
1. Set browser language to Japanese;
2. Log in to the Jenkins console - Succeeded.

Comment 10 errata-xmlrpc 2020-01-23 11:05:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062