Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-56617

Node-based security is ignored with pipelines

    Details

    • Similar Issues:

      Description

      Node-based security is ignored in Pipelines. Restricting "build" on a node to specific users has no effect.

      Reproduction:

      1. Create a node, let's say "test-node"
      2. Use restrictions to end up with a user that has access to Jenkins and can create pipelines but does not have "build" permission on that node
      3. Create a new job of type pipeline and add this code to it:
      node('test-node') { sh 'ls -la ..' }
       
      1. No matter which user will start this job, he will be allowed to do it and be able to read files on that node. I would expect that running the job is denied for users who do not have "build" access to that node.

      That opens up the problem that users who are allowed to create jobs (which is not generally a bad idea) can use this to spy on nodes they are not allowed to use.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                konzertheld Christian Gredig
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: