Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-16502

Permission to see an executor/slave

    Details

    • Similar Issues:

      Description

      In our environment it would be very helpful to be able to set Permissions, who can see specific executors/slaves.

      It should be like with jobs/projects, where the method "hasPermission()" is called, before you get all Items of the jenkins-instance.

      So it would be just needed in the Computer.java a new attribute "Permission VIEW", and in the Jenkins.java in the Method "getComputer()" the check, if the user has the Permission to see this slave.

        Attachments

          Issue Links

            Activity

            chrissy Christian Meyer created issue -
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            changelog.html
            core/src/main/java/hudson/model/Computer.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Computer/builds.jelly
            core/src/main/resources/hudson/model/Computer/delete.jelly
            core/src/main/resources/hudson/model/Computer/index.jelly
            core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            core/src/main/resources/hudson/model/Computer/markOffline.jelly
            core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d
            Log:
            JENKINS-16502 Permission to see an executor/slave

            • This is an initial version of the feature.
            • The information about slave names is still exposed via label autocomplete
            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Stephen Connolly Path: changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Messages.properties http://jenkins-ci.org/commit/jenkins/647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d Log: JENKINS-16502 Permission to see an executor/slave This is an initial version of the feature. The information about slave names is still exposed via label autocomplete
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Stephen Connolly
            Path:
            changelog.html
            core/src/main/java/hudson/model/Computer.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Computer/builds.jelly
            core/src/main/resources/hudson/model/Computer/delete.jelly
            core/src/main/resources/hudson/model/Computer/index.jelly
            core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            core/src/main/resources/hudson/model/Computer/markOffline.jelly
            core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/903ef107d3b279c2cffce99b4d61734fba286ef0
            Log:
            Merge pull request #951 from stephenc/master

            JENKINS-16502 Permission to see an executor/slave

            Compare: https://github.com/jenkinsci/jenkins/compare/84a176beefd2...903ef107d3b2

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Stephen Connolly Path: changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Messages.properties http://jenkins-ci.org/commit/jenkins/903ef107d3b279c2cffce99b4d61734fba286ef0 Log: Merge pull request #951 from stephenc/master JENKINS-16502 Permission to see an executor/slave Compare: https://github.com/jenkinsci/jenkins/compare/84a176beefd2...903ef107d3b2
            Hide
            stephenconnolly Stephen Connolly added a comment -

            towards Jenkins 1.533

            Show
            stephenconnolly Stephen Connolly added a comment - towards Jenkins 1.533
            stephenconnolly Stephen Connolly made changes -
            Field Original Value New Value
            Status Open [ 1 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            Hide
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2890
            JENKINS-16502 Permission to see an executor/slave (Revision 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d)

            Result = UNSTABLE
            Stephen Connolly : 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d
            Files :

            • changelog.html
            • core/src/main/resources/hudson/model/Computer/builds.jelly
            • core/src/main/java/hudson/model/Computer.java
            • core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            • core/src/main/resources/hudson/model/Computer/delete.jelly
            • core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            • core/src/main/resources/hudson/model/Messages.properties
            • core/src/main/resources/hudson/model/Computer/index.jelly
            • core/src/main/resources/hudson/model/Computer/markOffline.jelly
            • core/src/main/java/jenkins/model/Jenkins.java
            Show
            dogfood dogfood added a comment - Integrated in jenkins_main_trunk #2890 JENKINS-16502 Permission to see an executor/slave (Revision 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d) Result = UNSTABLE Stephen Connolly : 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d Files : changelog.html core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/java/hudson/model/Computer.java core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Messages.properties core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/java/jenkins/model/Jenkins.java
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            core/src/main/java/hudson/model/Computer.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Computer/builds.jelly
            core/src/main/resources/hudson/model/Computer/delete.jelly
            core/src/main/resources/hudson/model/Computer/index.jelly
            core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            core/src/main/resources/hudson/model/Computer/markOffline.jelly
            core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/3911ea2c1450e73fabaf51acc1b635a44a5257c6
            Log:
            Revert "JENKINS-16502 Permission to see an executor/slave"

            This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Messages.properties http://jenkins-ci.org/commit/jenkins/3911ea2c1450e73fabaf51acc1b635a44a5257c6 Log: Revert " JENKINS-16502 Permission to see an executor/slave" This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            changelog.html
            core/src/main/java/hudson/model/Computer.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/model/Computer/builds.jelly
            core/src/main/resources/hudson/model/Computer/delete.jelly
            core/src/main/resources/hudson/model/Computer/index.jelly
            core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            core/src/main/resources/hudson/model/Computer/markOffline.jelly
            core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            core/src/main/resources/hudson/model/Messages.properties
            http://jenkins-ci.org/commit/jenkins/0ebd8a6c3dedd8ff06a08af175571c6bc49893d9
            Log:
            Revert "JENKINS-16502 Permission to see an executor/slave"

            This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Messages.properties http://jenkins-ci.org/commit/jenkins/0ebd8a6c3dedd8ff06a08af175571c6bc49893d9 Log: Revert " JENKINS-16502 Permission to see an executor/slave" This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.
            Hide
            jglick Jesse Glick added a comment -

            Reverted since this caused test failures, and these failures in fact seem legitimate: old installations would not have granted the new permission to non-admins, so computers would be hidden by default. Need to do tricks to conditionally enable this permission.

            Show
            jglick Jesse Glick added a comment - Reverted since this caused test failures, and these failures in fact seem legitimate: old installations would not have granted the new permission to non-admins, so computers would be hidden by default. Need to do tricks to conditionally enable this permission.
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            Assignee Christian Meyer [ chrissy ] stephenconnolly [ stephenconnolly ]
            Hide
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2901
            Revert "JENKINS-16502 Permission to see an executor/slave" (Revision 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9)

            Result = SUCCESS
            Jesse Glick : 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9
            Files :

            • core/src/main/resources/hudson/model/Messages.properties
            • core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            • core/src/main/java/jenkins/model/Jenkins.java
            • core/src/main/resources/hudson/model/Computer/markOffline.jelly
            • core/src/main/resources/hudson/model/Computer/delete.jelly
            • core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            • core/src/main/resources/hudson/model/Computer/index.jelly
            • changelog.html
            • core/src/main/java/hudson/model/Computer.java
            • core/src/main/resources/hudson/model/Computer/builds.jelly
            Show
            dogfood dogfood added a comment - Integrated in jenkins_main_trunk #2901 Revert " JENKINS-16502 Permission to see an executor/slave" (Revision 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9) Result = SUCCESS Jesse Glick : 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9 Files : core/src/main/resources/hudson/model/Messages.properties core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Computer/index.jelly changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/resources/hudson/model/Computer/builds.jelly
            jglick Jesse Glick made changes -
            Link This issue depends on JENKINS-17200 [ JENKINS-17200 ]
            Hide
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2908
            Revert "JENKINS-16502 Permission to see an executor/slave" (Revision 3911ea2c1450e73fabaf51acc1b635a44a5257c6)

            Result = SUCCESS
            Jesse Glick : 3911ea2c1450e73fabaf51acc1b635a44a5257c6
            Files :

            • core/src/main/java/jenkins/model/Jenkins.java
            • core/src/main/resources/hudson/model/Computer/delete.jelly
            • core/src/main/resources/hudson/model/Computer/builds.jelly
            • changelog.html
            • core/src/main/resources/hudson/model/Messages.properties
            • core/src/main/java/hudson/model/Computer.java
            • core/src/main/resources/hudson/model/Computer/markOffline.jelly
            • core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
            • core/src/main/resources/hudson/model/Computer/load-statistics.jelly
            • core/src/main/resources/hudson/model/Computer/index.jelly
            Show
            dogfood dogfood added a comment - Integrated in jenkins_main_trunk #2908 Revert " JENKINS-16502 Permission to see an executor/slave" (Revision 3911ea2c1450e73fabaf51acc1b635a44a5257c6) Result = SUCCESS Jesse Glick : 3911ea2c1450e73fabaf51acc1b635a44a5257c6 Files : core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/builds.jelly changelog.html core/src/main/resources/hudson/model/Messages.properties core/src/main/java/hudson/model/Computer.java core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/index.jelly
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is related to JENKINS-22760 [ JENKINS-22760 ]
            Hide
            oleg_nenashev Oleg Nenashev added a comment -

            JENKINS-22760 seems to be the almost similar to this issues. Probably, it makes sense to fix it in the same pull request (and let it to be managed by same switches)

            Show
            oleg_nenashev Oleg Nenashev added a comment - JENKINS-22760 seems to be the almost similar to this issues. Probably, it makes sense to fix it in the same pull request (and let it to be managed by same switches)
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue is blocking JENKINS-5517 [ JENKINS-5517 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 147324 ] JNJira + In-Review [ 186107 ]
            danielbeck Daniel Beck made changes -
            Labels new-permission
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-15484 [ JENKINS-15484 ]
            cloudbees CloudBees Inc. made changes -
            Remote Link This issue links to "CloudBees Internal OSS-55 (Web Link)" [ 19255 ]
            Hide
            tlopespt Tiago Lopes added a comment -

            This would be a good feature to have.

            Using Folders, permissions and a few other plugins, our Jenkins is pretty much set in a "need to know basis", except for agents, which remain visible to any authenticated user.

            Show
            tlopespt Tiago Lopes added a comment - This would be a good feature to have. Using Folders, permissions and a few other plugins, our Jenkins is pretty much set in a "need to know basis", except for agents, which remain visible to any authenticated user.
            Hide
            danjng Daniel Ng added a comment -

            I believe this would be useful as well. Especially in my case where I am deploying Selenium Grid Nodes through Jenkins Agents. If I wanted to dedicate a particular node to only automated testing and not have it bogged down by other build tasks, it would be ideal to hide them from view and make them "unavailable" to people.

            Show
            danjng Daniel Ng added a comment - I believe this would be useful as well. Especially in my case where I am deploying Selenium Grid Nodes through Jenkins Agents. If I wanted to dedicate a particular node to only automated testing and not have it bogged down by other build tasks, it would be ideal to hide them from view and make them "unavailable" to people.
            Hide
            jglick Jesse Glick added a comment -

            Would also be useful to override SlaveComputer.hasPermission from those plugins which dynamically attach and then detach an agent in the course of a build—for example, dockerNode from docker-plugin, podTemplate from kubernetes—to delegate the permission check to READ on the corresponding Job. Thus, in a multitenant installation with segregated view permissions, these one-off agents would be displayed in the Build Executor Status widget only to users who would actually be able to see the build itself. Otherwise you see a bunch of containers running but cannot view the associated builds, which is pretty useless. CC Daniel Beck Wadeck Follonier

            Show
            jglick Jesse Glick added a comment - Would also be useful to override SlaveComputer.hasPermission from those plugins which dynamically attach and then detach an agent in the course of a build—for example, dockerNode from docker-plugin , podTemplate from kubernetes —to delegate the permission check to READ on the corresponding Job . Thus, in a multitenant installation with segregated view permissions, these one-off agents would be displayed in the Build Executor Status widget only to users who would actually be able to see the build itself. Otherwise you see a bunch of containers running but cannot view the associated builds, which is pretty useless. CC Daniel Beck Wadeck Follonier
            Hide
            tlopespt Tiago Lopes added a comment -

            There are build queue and executors filters in Views, which omit jobs from unselected folders/jobs in the view.

            But the filters are not recursive, making them recursive would be a start, so that you can create a View with a selected folder and view only the corresponding jobs inside the folder. which I assume is typical organization in Jenkins.

            Show
            tlopespt Tiago Lopes added a comment - There are build queue and executors filters in Views, which omit jobs from unselected folders/jobs in the view. But the filters are not recursive, making them recursive would be a start, so that you can create a View with a selected folder and view only the corresponding jobs inside the folder. which I assume is typical organization in Jenkins.
            jvz Matt Sicker made changes -
            Labels new-permission new-permission permissions security
            Hide
            stephenconnolly Stephen Connolly added a comment -

            Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

            Show
            stephenconnolly Stephen Connolly added a comment - Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA
            stephenconnolly Stephen Connolly made changes -
            Assignee Stephen Connolly [ stephenconnolly ]

              People

              • Assignee:
                Unassigned
                Reporter:
                chrissy Christian Meyer
              • Votes:
                4 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated: