JENKINS-46652

Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking

Details

    Description

      Users may configure Authorize Build plugin with the intention to limit who can run builds on the master in a setup where just going to zero static executors is impractical (e.g. to run a periodic backup or other housekeeping).

      In that case, Pipelines cannot even start if started by users lacking Computer/Build on master, as the flyweight task cannot run there (and it seems to be tied to master).

      (Reproduction using role-strategy only, as matrix-auth is currently lacking per-agent configuration)

      CC jglick

          Activity

            oleg_nenashev Oleg Nenashev added a comment -

            It's a kind of "as designed" behavior. I work around it by a combination of permissive Computer.Build on any node for any user and restricting with the Job Restrictions plugin: https://github.com/oleg-nenashev/demo-jenkins-config-as-code/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L20-L42. But it's too complex a setup, which requires manual whitelisting of classes.

            It would be great to have a marker interface like "OnMasterFlyweightTask" which would allow tasks even when there is no Computer.Build permission for the current authentication. But such an interface requires bumping of Jenkins core. Maybe a default "boolean isOnMaster()" in FlyWeight task solves it in a more compatible way.

            jglick Jesse Glick added a comment -

            It is not as designed. BUILD should not be checked on flyweight tasks IMO, which is why the Node patch I proposed in JENKINS-24513 would fix this bug. I see no need for API changes.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Node.java
            core/src/main/java/hudson/model/queue/MappingWorksheet.java
            http://jenkins-ci.org/commit/jenkins/9842a2795e81bbdb0aeb5039cd9953bbb0ff2531
            Log:
            JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks.
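
Added example (not Jenkins core code and not part of the original thread): a stand-alone Java model of the rule in the commit log above, requiring Computer/Build only for heavyweight tasks. The ACL, node names, `Task` record and `schedule` helper are constructed for illustration, and the flyweight task is pinned to master as the issue description assumes.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Toy model of the queue check discussed in JENKINS-46652; not Jenkins core code. */
public class FlyweightBuildCheck {
    /** A queued task: flyweight = the Pipeline job body, heavyweight = a step needing an executor. */
    record Task(String name, boolean flyweight, String label) {}

    // Constructed ACL: user -> nodes on which that user holds Computer/Build.
    static final Map<String, Set<String>> BUILD_ON = Map.of(
            "admin", Set.of("master", "agent-1"),
            "dev", Set.of("agent-1"));
    static final List<String> NODES = List.of("master", "agent-1");

    static boolean hasBuild(String user, String node) {
        return BUILD_ON.getOrDefault(user, Set.of()).contains(node);
    }

    /** fixed=false: Computer/Build required for every task; fixed=true: only for heavyweight ones. */
    static boolean canTake(String node, String user, Task t, boolean fixed) {
        boolean labelOk = t.label() == null || t.label().equals(node);
        boolean exempt = fixed && t.flyweight();
        return labelOk && (exempt || hasBuild(user, node));
    }

    /** First node that accepts the task, or empty if it stays blocked in the queue. */
    static Optional<String> schedule(String user, Task t, boolean fixed) {
        return NODES.stream().filter(n -> canTake(n, user, t, fixed)).findFirst();
    }

    public static void main(String[] args) {
        List<Task> tasks = List.of(
                new Task("pipeline body", true, "master"),       // flyweight, assumed tied to master
                new Task("node step (any)", false, null),        // heavyweight, no label
                new Task("node('master') step", false, "master")); // heavyweight, pinned to master
        for (Task t : tasks) {
            System.out.printf("%-20s before=%-8s after=%s%n", t.name(),
                    schedule("dev", t, false).orElse("BLOCKED"),
                    schedule("dev", t, true).orElse("BLOCKED"));
        }
    }
}
```

With this constructed ACL, only the flyweight row changes between the two modes: the Pipeline body can start on master, while a heavyweight step pinned to master stays blocked for the user without Computer/Build there.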

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            core/src/main/java/hudson/model/Node.java
            core/src/main/java/hudson/model/queue/MappingWorksheet.java
            http://jenkins-ci.org/commit/jenkins/1f4f76ffcae89938aa9b95c23c025da3706d7150
            Log:
            Merge pull request #3254 from jglick/heavyweight-JENKINS-46652

            JENKINS-46652 Check Computer.BUILD permission only on heavyweight tasks

            Compare: https://github.com/jenkinsci/jenkins/compare/c84cbf32d15c...1f4f76ffcae8

            oleg_nenashev Oleg Nenashev added a comment -

            The patch has been integrated towards 2.111

            People

              jglick Jesse Glick
              danielbeck Daniel Beck