JENKINS-46652

Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking


      Description

      Users may configure Authorize Build plugin with the intention to limit who can run builds on the master in a setup where just going to zero static executors is impractical (e.g. to run a periodic backup or other housekeeping).

      In that case, Pipelines cannot even start if started by users lacking Computer/Build on master, as the flyweight task cannot run there (and it seems to be tied to master).

      (Reproduction using role-strategy only, as matrix-auth is currently lacking per-agent configuration)

      CC Jesse Glick

            Activity

            danielbeck Daniel Beck created issue -
            danielbeck Daniel Beck made changes -
            Field Original Value New Value
            Link This issue is related to JENKINS-24513 [ JENKINS-24513 ]
            oleg_nenashev Oleg Nenashev added a comment -

            It's a kind of "as designed" behavior. I work around it by a combination of permissive Computer.Build on any node to any user and restricting by Job Restrictions plugin: https://github.com/oleg-nenashev/demo-jenkins-config-as-code/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L20-L42. But it's too complex a setup, which requires manual whitelisting of classes.

            It would be great to have a marker interface like "OnMasterFlyweightTask" which would allow tasks even when there is no Computer.Build permission for the current authentication. But such an interface requires bumping of Jenkins core. Maybe a default "boolean isOnMaster()" in FlyWeight task solves it in a more compatible way.

            jglick Jesse Glick added a comment -

            It is not as designed. BUILD should not be checked on flyweight tasks IMO, which is why the Node patch I proposed in JENKINS-24513 would fix this bug. I see no need for API changes.

            jglick Jesse Glick made changes -
            Labels permissions
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2540 (Web Link)" [ 18256 ]
            jglick Jesse Glick made changes -
            Assignee Jesse Glick [ jglick ]
            jglick Jesse Glick made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "core PR 3254 (Web Link)" [ 19919 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-job PR 85 (Web Link)" [ 19920 ]
            jglick Jesse Glick made changes -
            Remote Link This issue links to "workflow-durable-task-step PR 61 (Web Link)" [ 19921 ]
            jglick Jesse Glick made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Node.java
            core/src/main/java/hudson/model/queue/MappingWorksheet.java
            http://jenkins-ci.org/commit/jenkins/9842a2795e81bbdb0aeb5039cd9953bbb0ff2531
            Log:
            JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Node.java
            core/src/main/java/hudson/model/queue/MappingWorksheet.java
            http://jenkins-ci.org/commit/jenkins/1f4f76ffcae89938aa9b95c23c025da3706d7150
            Log:
            Merge pull request #3254 from jglick/heavyweight-JENKINS-46652

            JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks

            Compare: https://github.com/jenkinsci/jenkins/compare/c84cbf32d15c...1f4f76ffcae8

            jglick Jesse Glick made changes -
            Status In Review [ 10005 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]
            oleg_nenashev Oleg Nenashev added a comment -

            The patch has been integrated towards 2.111

            oleg_nenashev Oleg Nenashev made changes -
            Link This issue relates to JENKINS-31866 [ JENKINS-31866 ]
            oleg_nenashev Oleg Nenashev made changes -
            Link This issue relates to JENKINS-55327 [ JENKINS-55327 ]
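
A simplified model of the check this issue is about, as an added example that is not Jenkins core code or part of the original thread: it compares a node that demands Computer/Build for every task with one that demands it only for heavyweight tasks, as the commit log describes. The class, user and task names are constructed for illustration.

```java
import java.util.*;

// Simplified model of the permission check discussed in this issue.
// All names are hypothetical; this is not Jenkins core code.
public class FlyweightBuildCheck {
    enum Kind { FLYWEIGHT, HEAVYWEIGHT }

    // A queued task and the identity it runs as (set by Authorize Project).
    record Task(String name, Kind kind, String runsAs) {}

    // A node plus the set of users granted Computer/Build on it.
    record Node(String name, Set<String> buildGranted) {
        // Reported behaviour: every task needs Computer/Build on the node.
        // Returns a blockage reason, or empty if the node may take the task.
        Optional<String> canTakeBefore(Task t) {
            return buildGranted.contains(t.runsAs())
                    ? Optional.empty()
                    : Optional.of(t.runsAs() + " lacks Computer/Build on " + name);
        }

        // Fixed behaviour: only heavyweight tasks are subject to the check.
        Optional<String> canTakeAfter(Task t) {
            return t.kind() == Kind.FLYWEIGHT ? Optional.empty() : canTakeBefore(t);
        }
    }

    public static void main(String[] args) {
        // Constructed setup: only the housekeeping user may build on master.
        Node master = new Node("master", Set.of("backup-admin"));
        List<Task> queue = List.of(
            new Task("Pipeline flyweight task", Kind.FLYWEIGHT, "alice"),
            new Task("heavyweight task on master", Kind.HEAVYWEIGHT, "alice"),
            new Task("nightly backup", Kind.HEAVYWEIGHT, "backup-admin"));

        for (Task t : queue) {
            System.out.printf("%-28s before: %-38s after: %s%n", t.name(),
                master.canTakeBefore(t).orElse("OK"),
                master.canTakeAfter(t).orElse("OK"));
        }
    }
}
```

In this model the restriction on master's executors is unchanged for heavyweight work; only the flyweight task stops being blocked.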

              People

              • Assignee:
                jglick Jesse Glick
                Reporter:
                danielbeck Daniel Beck