      Description

      Hello,

      I'm trying to restrict the nodes in Jenkins, but no matter what I do, it always shows me that the user lacks permission.

      Jenkins v2.190.3

      Role-based Authorization Strategy v2.15

      Authorize Project v1.3.0

       

      So for this example, the setup is:

      Access Control:

      • Role-Based Strategy 

      Access Control for Builds:

      • Project default Build Authorization
           - Strategy Run as anonymous

      (the idea is to make it work with "Run as the user who triggered the build")

       

      Later, I have this configuration:

      • A global role called "general" which just has view
      • A Slave role whose pattern is "gradle-.*" (I tested with gradle*, gradle.* and even with .*)
      • Both roles assigned to anonymous

       

      So when I run a pipeline with a dynamic agent in Kubernetes, it shows me:

      Started by user XXXXXX
      Running as anonymous

      This is OK. After this, the agent is created and connected to Jenkins, but the job waits forever for the agent, and if the agent is already connected it shows:

      ‘anonymous’ lacks permission to run on ‘gradle-xxxxxx’

       

      The only way to fix this is to run as SYSTEM or add build privileges to the "general" global role.

       

      Nothing relevant shows up in the Jenkins logs.

          Activity

          matandomuertos Nahuel Cassinari added a comment -

          One important thing.

          The agent is created in Kubernetes using the plugin. But I guess that in the end this has no influence, because Jenkins sees the pod in Kubernetes as a physical node which is an agent.

          faucherb94 Ben Faucher added a comment -

          I am also seeing this exact issue with a non-kubernetes deployment. Jenkins master is running out of a docker container on an Ubuntu host, agent is an Ubuntu VM permanently connected over SSH.

          Jenkins v2.222.1 (alpine docker image)
          Role-strategy v2.16
          Authorize-project v1.3.0

          1. Agent is named "foo"
          2. Create a user with global read-only access called "builder"
          3. In Security > Manage and Assign Roles > Manage Roles, create a node role
            • Name: "foo-access"
            • Pattern: "foo"
          4. In Security > Manage and Assign Roles > Assign Roles, assign the role to "builder"
          5. Create a new pipeline job set to use agent "foo"
          6. Configure pipeline to run as user "builder"
          7. Run pipeline. Build stalls indefinitely with this error:
            19:34:07  Started by user Ben Faucher
            19:34:07  Running as builder
            19:34:07  Running in Durability level: PERFORMANCE_OPTIMIZED
            19:34:09  [Pipeline] Start of Pipeline
            19:34:22  [Pipeline] node
            19:34:37  Still waiting to schedule task
            19:34:37  ‘builder’ lacks permission to run on ‘foo’; ‘build-1’ doesn’t have label ‘foo’
            

            People

            • Assignee:
              oleg_nenashev Oleg Nenashev
              Reporter:
              matandomuertos Nahuel Cassinari
            • Votes:
              2
              Watchers:
              3
