[JENKINS-46652] Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking

      Users may configure Authorize Build plugin with the intention to limit who can run builds on the master in a setup where just going to zero static executors is impractical (e.g. to run a periodic backup or other housekeeping).

      In that case, Pipelines cannot even start if started by users lacking Computer/Build on master, as the flyweight task cannot run there (and it seems to be tied to master).

      (Reproduction using role-strategy only, as matrix-auth is currently lacking per-agent configuration)

      CC jglick

          Oleg Nenashev added a comment -

          It's a kind of "as designed" behavior. I work around it by a combination of permissive Computer.Build on any node to any user and restricting by the Job Restrictions plugin: https://github.com/oleg-nenashev/demo-jenkins-config-as-code/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L20-L42. But it's too complex a setup, which requires manual whitelisting of classes.

          It would be great to have a marker interface like "OnMasterFlyweightTask" which would allow tasks even when there is no Computer.Build permission for the current authentication. But such an interface requires bumping of Jenkins core. Maybe a default "boolean isOnMaster()" in FlyWeight task solves it in a more compatible way.

          Jesse Glick added a comment -

          It is not as designed. BUILD should not be checked on flyweight tasks IMO, which is why the Node patch I proposed in JENKINS-24513 would fix this bug. I see no need for API changes.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/model/Node.java
          core/src/main/java/hudson/model/queue/MappingWorksheet.java
          http://jenkins-ci.org/commit/jenkins/9842a2795e81bbdb0aeb5039cd9953bbb0ff2531
          Log:
          JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/model/Node.java
          core/src/main/java/hudson/model/queue/MappingWorksheet.java
          http://jenkins-ci.org/commit/jenkins/1f4f76ffcae89938aa9b95c23c025da3706d7150
          Log:
          Merge pull request #3254 from jglick/heavyweight-JENKINS-46652

          JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks

          Compare: https://github.com/jenkinsci/jenkins/compare/c84cbf32d15c...1f4f76ffcae8

          Oleg Nenashev added a comment -

          The patch has been integrated towards 2.111
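
A simplified model of the permission check discussed in this thread, as an added example (it is not Jenkins core code and not part of the original issue): it compares the queue decision when Computer/Build is checked on every task with the decision when it is checked only on heavyweight tasks, as the commit log describes. The names `NodeModel`, `canTake`, `alice`, `backup-admin` and `agent-1` are hypothetical, and the per-node grants are constructed sample data.

```java
import java.util.Set;

public class FlyweightBuildCheck {
    enum Kind { FLYWEIGHT, HEAVYWEIGHT }

    // A queue item: the identity it authenticates as, and whether it needs a real executor.
    record Item(String name, String runsAs, Kind kind) {}

    // Hypothetical stand-in for a node and the users granted Computer/Build on it.
    record NodeModel(String name, Set<String> usersWithBuild) {
        // Returns null if the node may take the item, otherwise the reason it is blocked.
        String canTake(Item item, boolean skipBuildCheckOnFlyweights) {
            boolean exempt = skipBuildCheckOnFlyweights && item.kind() == Kind.FLYWEIGHT;
            if (!exempt && !usersWithBuild.contains(item.runsAs())) {
                return item.runsAs() + " lacks Computer/Build on " + name;
            }
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed setup: only backup-admin may build on master; alice may build on agent-1.
        NodeModel master = new NodeModel("master", Set.of("backup-admin"));
        NodeModel agent = new NodeModel("agent-1", Set.of("alice", "backup-admin"));
        Item[] items = {
            new Item("Pipeline run (flyweight)", "alice", Kind.FLYWEIGHT),
            new Item("node step (heavyweight)", "alice", Kind.HEAVYWEIGHT),
            new Item("backup job (heavyweight)", "backup-admin", Kind.HEAVYWEIGHT),
        };
        for (NodeModel node : new NodeModel[] { master, agent }) {
            for (Item item : items) {
                String before = node.canTake(item, false); // Build checked on every task
                String after = node.canTake(item, true);   // Build checked on heavyweight tasks only
                System.out.printf("%-8s %-42s before=%-8s after=%s%n", node.name(),
                        item.name() + " as " + item.runsAs(),
                        before == null ? "ok" : "BLOCKED",
                        after == null ? "ok" : "BLOCKED");
            }
        }
    }
}
```

In this model only the flyweight row on master changes between the two columns; alice's heavyweight step is still refused there, so the restriction on who can occupy a master executor stays in place.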


            jglick Jesse Glick
            danielbeck Daniel Beck