- Bug
- Resolution: Fixed
- Major
Users may configure Authorize Build plugin with the intention to limit who can run builds on the master in a setup where just going to zero static executors is impractical (e.g. to run a periodic backup or other housekeeping).
In that case, Pipelines cannot even start if started by users lacking Computer/Build on master, as the flyweight task cannot run there (and it seems to be tied to master).
(Reproduction using role-strategy only, as matrix-auth is currently lacking per-agent configuration)
CC jglick
- is related to
  - JENKINS-24513 Zero executors on master not well documented or enforced (Closed)
- relates to
  - JENKINS-31866 Attempts to restrict Pipeline jobs from running on master result in job hanging (Open)
  - JENKINS-55327 Job restrictions can be skipped if no node block in Jenkinsfile (Closed)
It's a kind of "as designed" behavior. I work around it by a combination of permissive Computer.Build on any node for any user and restricting by the Job Restrictions plugin: https://github.com/oleg-nenashev/demo-jenkins-config-as-code/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L20-L42 . But it's too complex a setup, which requires manual whitelisting of classes.
It would be great to have a marker interface like "OnMasterFlyweightTask" which would allow tasks even when there is no Computer.Build permission for the current authentication. But such an interface requires bumping of Jenkins core. Maybe a default "boolean isOnMaster()" in FlyWeight task solves it in a more compatible way.