I am creating a declarative pipeline project and would like to employ a gating mechanism that only allows users that are present in certain AD groups to 'promote' the build. In order to do this, I make use of the input step plugin.
I started off by using the following:
input(message: 'Do you want to deploy to the Development Environment?')
This works well. Then I make use of the submitter parameter and provide my email:
input(message: 'Do you want to deploy to the Development Environment?', submitter: "[email protected]")
This allows only me to let the build through. Now I would like to do this based on users in AD groups. We use the SAML plugin to integrate with Jenkins, and it appears that our groups end up looking like this:
CN=OS-AWS-XYZAdministrator,OU=Security,OU=Groups,OU=The XYZ Group Object,DC=XYZCORP,DC=local
We make use of the Project-based Matrix Authorization Strategy plugin and one of the 'users/groups' is using the above group to give access to the Jenkins UI along with Build Now privileges which we confirmed works.
I then tried the following:
input(message: 'Do you want to deploy to the Development Environment?', submitter: "CN=OS-AWS-XYZAdministrator,OU=Security,OU=Groups,OU=The XYZ Group Object,DC=XYZCORP,DC=local")
When any user from that AD group clicks Proceed, they get an error saying:
You need to be CN=OS-AWS-XYZAdministrator,OU=Security,OU=Groups,OU=The XYZ Group Object,DC=XYZCORP,DC=local to submit this
I have also tried CN=OS-AWS-XYZAdministrator and OS-AWS-XYZAdministrator with no luck. I even tried
input(message: 'Do you want to deploy to the Development Environment?', submitter: '"CN=OS-AWS-XYZAdministrator,OU=Security,OU=Groups,OU=The XYZ Group Object,DC=XYZCORP,DC=local"')
but that did not work either.
Does input actually work with AD groups? Are the spaces in some of the groups throwing it off?
Thanks, Cal
Turns out CN=OS-AWS-XYZAdministrator,OU=Security,OU=Groups,OU=The XYZ Group Object,DC=XYZCORP,DC=local is considered to be an invalid format. You cannot have commas or spaces in your AD group name. We had to tweak the LDAP query so we only get AWS-XYZAdministrator as the AD group according to Jenkins. This fixed it.
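For reference, here is a complete declarative pipeline gate built on the shortened group name the answer arrives at. This is an added example, not code from the question or the answer; the stage names, the two-hour timeout and the echo placeholders standing in for the real build and deploy steps are assumptions, while submitter and submitterParameter are real parameters of the Pipeline input step.

```groovy
// Added example (not from the original post): a promotion gate that only
// members of the group Jenkins sees as "AWS-XYZAdministrator" may approve.
// Stage names, timeout and the echo placeholders are illustrative assumptions.
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                echo 'Building...'   // placeholder for the real build steps
            }
        }
        stage('Approve deploy to Development') {
            options {
                // Do not hold the build forever waiting for an approver.
                timeout(time: 2, unit: 'HOURS')
            }
            steps {
                script {
                    // submitter is a comma-separated list of user IDs and/or
                    // group names, which is why a full AD distinguished name
                    // (commas and spaces) is rejected. Keep the group name
                    // here in sync with how it appears under the Matrix
                    // Authorization Strategy configuration.
                    // submitterParameter makes the step return the approver's
                    // user ID, so the approval is recorded in the build log.
                    def approver = input(
                        message: 'Do you want to deploy to the Development Environment?',
                        submitter: 'AWS-XYZAdministrator',
                        submitterParameter: 'APPROVER'
                    )
                    echo "Deployment to Development approved by ${approver}"
                }
            }
        }
        stage('Deploy to Development') {
            steps {
                echo 'Deploying...'  // placeholder for the real deploy steps
            }
        }
    }
}
```

Users who are not in the submitter list still see the Proceed button but receive the "You need to be ... to submit this" error shown in the question, so the group name must match exactly what the security realm reports to Jenkins.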