From 0385a653af327a357990af80b55fa11696251241 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 16 Dec 2025 20:33:03 -0300
Subject: [PATCH] fix: use FullControlOnceLoggedIn auth strategy
---
 services/jenkins/helmrelease.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/jenkins/helmrelease.yaml b/services/jenkins/helmrelease.yaml
index de4bda9..78e9382 100644
--- a/services/jenkins/helmrelease.yaml
+++ b/services/jenkins/helmrelease.yaml
@@ -92,7 +92,7 @@ spec:
 import jenkins.model.Jenkins
 import org.jenkinsci.plugins.oic.OicSecurityRealm
 import org.jenkinsci.plugins.oic.OicServerWellKnownConfiguration
- import hudson.security.GlobalMatrixAuthorizationStrategy
+ import hudson.security.FullControlOnceLoggedInAuthorizationStrategy
 def env = System.getenv()
 if (!(env['ENABLE_OIDC'] ?: 'false').toBoolean()) {
 println("OIDC disabled (ENABLE_OIDC=false); keeping default security realm")
@@ -126,8 +126,8 @@ spec:
 realm.setSendScopesInTokenRequest(true)
 def j = Jenkins.get()
 j.setSecurityRealm(realm)
- def auth = new GlobalMatrixAuthorizationStrategy()
- auth.add(Jenkins.ADMINISTER, "authenticated")
+ def auth = new FullControlOnceLoggedInAuthorizationStrategy()
+ auth.setAllowAnonymousRead(false)
 j.setAuthorizationStrategy(auth)
 j.save()
 println("Configured OIDC realm from init script (well-known)")
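Review bot: In the second hunk, `new FullControlOnceLoggedInAuthorizationStrategy()` makes every identity that the OIDC provider authenticates a full Jenkins administrator, which is the same effective grant as the removed `auth.add(Jenkins.ADMINISTER, "authenticated")`. Authorization therefore depends entirely on who the identity provider allows to sign in to this client, and nothing in the visible lines records that assumption. I would add a comment above the constructor call, for example `// Every OIDC-authenticated user becomes a Jenkins admin; sign-in must be restricted to admins at the IdP.` If the provider also serves non-admin users, a group-scoped grant would be safer, but that needs a groups claim mapped on the realm, which this hunk does not show. The init script begins and ends outside the hunk, so whether the `ENABLE_OIDC=false` branch leaves a safe authorization strategy in place cannot be confirmed from here.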