Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-16502

Permission to see an agent

XMLWordPrintable

      In our environment it would be very helpful to be able to set Permissions, who can see specific agent.

      It should be like with jobs/projects, where the method "hasPermission()" is called, before you get all Items of the jenkins-instance.

      So it would be just needed in the Computer.java a new attribute "Permission VIEW", and in the Jenkins.java in the Method "getComputer()" the check, if the user has the Permission to see this agent.

          [JENKINS-16502] Permission to see an agent

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          changelog.html
          core/src/main/java/hudson/model/Computer.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/model/Computer/builds.jelly
          core/src/main/resources/hudson/model/Computer/delete.jelly
          core/src/main/resources/hudson/model/Computer/index.jelly
          core/src/main/resources/hudson/model/Computer/load-statistics.jelly
          core/src/main/resources/hudson/model/Computer/markOffline.jelly
          core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
          core/src/main/resources/hudson/model/Messages.properties
          http://jenkins-ci.org/commit/jenkins/0ebd8a6c3dedd8ff06a08af175571c6bc49893d9
          Log:
          Revert "JENKINS-16502 Permission to see an executor/slave"

          This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/builds.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/index.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Messages.properties http://jenkins-ci.org/commit/jenkins/0ebd8a6c3dedd8ff06a08af175571c6bc49893d9 Log: Revert " JENKINS-16502 Permission to see an executor/slave" This reverts commit 647695e2ffc2f568ca1b80bc5b0cd7b0658eeb3d.

          Jesse Glick added a comment -

          Reverted since this caused test failures, and these failures in fact seem legitimate: old installations would not have granted the new permission to non-admins, so computers would be hidden by default. Need to do tricks to conditionally enable this permission.

          Jesse Glick added a comment - Reverted since this caused test failures, and these failures in fact seem legitimate: old installations would not have granted the new permission to non-admins, so computers would be hidden by default. Need to do tricks to conditionally enable this permission.

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2901
          Revert "JENKINS-16502 Permission to see an executor/slave" (Revision 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9)

          Result = SUCCESS
          Jesse Glick : 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9
          Files :

          • core/src/main/resources/hudson/model/Messages.properties
          • core/src/main/resources/hudson/model/Computer/load-statistics.jelly
          • core/src/main/java/jenkins/model/Jenkins.java
          • core/src/main/resources/hudson/model/Computer/markOffline.jelly
          • core/src/main/resources/hudson/model/Computer/delete.jelly
          • core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
          • core/src/main/resources/hudson/model/Computer/index.jelly
          • changelog.html
          • core/src/main/java/hudson/model/Computer.java
          • core/src/main/resources/hudson/model/Computer/builds.jelly

          dogfood added a comment - Integrated in jenkins_main_trunk #2901 Revert " JENKINS-16502 Permission to see an executor/slave" (Revision 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9) Result = SUCCESS Jesse Glick : 0ebd8a6c3dedd8ff06a08af175571c6bc49893d9 Files : core/src/main/resources/hudson/model/Messages.properties core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Computer/index.jelly changelog.html core/src/main/java/hudson/model/Computer.java core/src/main/resources/hudson/model/Computer/builds.jelly

          dogfood added a comment -

          Integrated in jenkins_main_trunk #2908
          Revert "JENKINS-16502 Permission to see an executor/slave" (Revision 3911ea2c1450e73fabaf51acc1b635a44a5257c6)

          Result = SUCCESS
          Jesse Glick : 3911ea2c1450e73fabaf51acc1b635a44a5257c6
          Files :

          • core/src/main/java/jenkins/model/Jenkins.java
          • core/src/main/resources/hudson/model/Computer/delete.jelly
          • core/src/main/resources/hudson/model/Computer/builds.jelly
          • changelog.html
          • core/src/main/resources/hudson/model/Messages.properties
          • core/src/main/java/hudson/model/Computer.java
          • core/src/main/resources/hudson/model/Computer/markOffline.jelly
          • core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly
          • core/src/main/resources/hudson/model/Computer/load-statistics.jelly
          • core/src/main/resources/hudson/model/Computer/index.jelly

          dogfood added a comment - Integrated in jenkins_main_trunk #2908 Revert " JENKINS-16502 Permission to see an executor/slave" (Revision 3911ea2c1450e73fabaf51acc1b635a44a5257c6) Result = SUCCESS Jesse Glick : 3911ea2c1450e73fabaf51acc1b635a44a5257c6 Files : core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/model/Computer/delete.jelly core/src/main/resources/hudson/model/Computer/builds.jelly changelog.html core/src/main/resources/hudson/model/Messages.properties core/src/main/java/hudson/model/Computer.java core/src/main/resources/hudson/model/Computer/markOffline.jelly core/src/main/resources/hudson/model/Computer/setOfflineCause.jelly core/src/main/resources/hudson/model/Computer/load-statistics.jelly core/src/main/resources/hudson/model/Computer/index.jelly

          Oleg Nenashev added a comment -

          JENKINS-22760 seems to be the almost similar to this issues. Probably, it makes sense to fix it in the same pull request (and let it to be managed by same switches)

          Oleg Nenashev added a comment - JENKINS-22760 seems to be the almost similar to this issues. Probably, it makes sense to fix it in the same pull request (and let it to be managed by same switches)

          Tiago Lopes added a comment -

          This would be a good feature to have.

          Using Folders, permissions and a few other plugins, our Jenkins is pretty much set in a "need to know basis", except for agents, which remain visible to any authenticated user.

          Tiago Lopes added a comment - This would be a good feature to have. Using Folders, permissions and a few other plugins, our Jenkins is pretty much set in a "need to know basis", except for agents, which remain visible to any authenticated user.

          Daniel Ng added a comment -

          I believe this would be useful as well. Especially in my case where I am deploying Selenium Grid Nodes through Jenkins Agents. If I wanted to dedicate a particular node to only automated testing and not have it bogged down by other build tasks, it would be ideal to hide them from view and make them "unavailable" to people.

          Daniel Ng added a comment - I believe this would be useful as well. Especially in my case where I am deploying Selenium Grid Nodes through Jenkins Agents. If I wanted to dedicate a particular node to only automated testing and not have it bogged down by other build tasks, it would be ideal to hide them from view and make them "unavailable" to people.

          Jesse Glick added a comment -

          Would also be useful to override SlaveComputer.hasPermission from those plugins which dynamically attach and then detach an agent in the course of a build—for example, dockerNode from docker-plugin, podTemplate from kubernetes—to delegate the permission check to READ on the corresponding Job. Thus, in a multitenant installation with segregated view permissions, these one-off agents would be displayed in the Build Executor Status widget only to users who would actually be able to see the build itself. Otherwise you see a bunch of containers running but cannot view the associated builds, which is pretty useless. CC danielbeck wfollonier

          Jesse Glick added a comment - Would also be useful to override SlaveComputer.hasPermission from those plugins which dynamically attach and then detach an agent in the course of a build—for example, dockerNode from docker-plugin , podTemplate from kubernetes —to delegate the permission check to READ on the corresponding Job . Thus, in a multitenant installation with segregated view permissions, these one-off agents would be displayed in the Build Executor Status widget only to users who would actually be able to see the build itself. Otherwise you see a bunch of containers running but cannot view the associated builds, which is pretty useless. CC danielbeck wfollonier

          Tiago Lopes added a comment -

          There are build queue and executors filters in Views, which omit jobs from unselected folders/jobs in the view.

          But the filters are not recursive, making them recursive would be a start, so that you can create a View with a selected folder and view only the corresponding jobs inside the folder. which I assume is typical organization in Jenkins.

          Tiago Lopes added a comment - There are build queue and executors filters in Views, which omit jobs from unselected folders/jobs in the view. But the filters are not recursive, making them recursive would be a start, so that you can create a View with a selected folder and view only the corresponding jobs inside the folder. which I assume is typical organization in Jenkins.

          Stephen Connolly added a comment -

          Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

          Stephen Connolly added a comment - Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

            Unassigned Unassigned
            chrissy Christian Meyer
            Votes:
            7 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated: