Troubleshooting

Troubleshooting
Prev	Chapter 8. Role Based Access Control Plugin	Next

Recovering from a lock-out

There are two ways to recover from a lock-out. Both require that the Jenkins instance be stopped and then restarted after completion of the steps.

The first way will remove all the roles that are defined in the system but does not require any manual editing of XML files

Ensure that the Jenkins instance is stopped.
Open a shell
Change into the JENKINS_HOME directory
```
$ cd $JENKINS_HOME
```
Remove/rename the nectar-rbac.xml configuration file
```
$ mv nectar-rbac.xml nectar-rbac.xml.old
```
Start the the Jenkins instance.

Ensure that the Jenkins instance is stopped.
Open a command prompt
Change into the JENKINS_HOME directory
```
C:\> cd %JENKINS_HOME%
```

Remove/rename the nectar-rbac.xml configuration file

C:\...\Jenkins> ren nectar-rbac.xml nectar-rbac.xml.old

Start the the Jenkins instance.

The second way will not remove any of the the roles that are defined in the system but requires manual editing of an XML file.

Ensure that the Jenkins instance is stopped.
Open the JENKINS_HOME/nectar-rbac.xml in a text editor that can edit XML files
It is a good idea to make a backup copy of the file before changing it.
The file should look something like General structure of the nectar-rbac.xml file
Add the following line into the role that you want to have the overall Administrator permission
```
<permission id="hudson.model.Hudson.Administer"/>
```
Save the file
Start the the Jenkins instance.

General structure of the nectar-rbac.xml file.

<?xml version='1.0' encoding='UTF-8'?>
<nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>
  <configuration class="...">
    ...
    <role name="...">
      <permission id="..."/>
      ...
    </role>
    ...
    <role name="anonymous">
      ...
    </role>
    <role name="authenticated">
      ...
    </role>
    ...
  </configuration>
</nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin>

Completely resetting the configuration

If you want to completely reset all of the Role Based Access Control plugin’s configuration, an irreversible action, you can use the script console to remove all of the user defined roles, local groups and role filters on all the objects within your Jenkins instance.

Warning

There is no way to recover the the user defined roles, local groups and role filters once you have reset the configuration other than by restoring a backup of the complete system, and this may have the side-effect of removing any changes that occur within the system after the configuration has been reset.

Only follow this procedure if you are absolutely sure that you want to wipe all of the Role Based Access Control plugin’s configuration

If you have been locked out of the system, you will need to follow one of the procedures in the section called “Recovering from a lock-out” to recover administrative access.

.

Login to Jenkins using a web browser and open the Script Console from the Manage Jenkins screen.

Type the following into the script text box:

nectar.plugins.rbac.strategy.RoleMatrixAuthorizationPlugin
.getInstance().reset()

You should have a screen that looks like Figure 8.18, “Using the script console to completely reset the Role Based Access Control plugin’s configuration”
Click on the Run button. The screen should now look like Figure 8.19, “After successfully resetting the Role Based Access Control plugin’s configuration via the script console”

Figure 8.18. Using the script console to completely reset the Role Based Access Control plugin’s configuration

Figure 8.19. After successfully resetting the Role Based Access Control plugin’s configuration via the script console

Finding hidden projects

You can remove permissions for a project by filtering out roles on that project using a role filter. In general it is best to add groups and roles to a project before applying the role filter, as if you filter all roles, you will be locked out from accessing the project completely. The strategy of filtering out all roles can be used to create secret projects, but there are times when it is necessary to recover or discover the projects that are hidden.

While there are various workarounds for this situation, best is to make sure that there is at least one administrative role with all permissions which is not filterable (see the section called “Configuring and managing roles”). The Jenkins administrator should grant this role to a group containing themselves, and the secret project will be visible again.

Prev	Up	Next
Scripting RBAC	Home	Chapter 9. Skip Next Build Plugin