
Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking

      Users may configure Authorize Build plugin with the intention to limit who can run builds on the master in a setup where just going to zero static executors is impractical (e.g. to run a periodic backup or other housekeeping).

      In that case, Pipelines cannot even start if started by users lacking Computer/Build on master, as the flyweight task cannot run there (and it seems to be tied to master).

      (Reproduction using role-strategy only, as matrix-auth is currently lacking per-agent configuration)

      CC jglick

          [JENKINS-46652] Authorize Project blocks Pipeline Jobs when Computer/Build for master is lacking

          Daniel Beck created issue -
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-24513 [ JENKINS-24513 ]

          Oleg Nenashev added a comment -

          It's a kind of "as designed" behavior. I work around it by a combination of permissive Computer.Build on any node to any user and restricting by Job Restrictions plugin: https://github.com/oleg-nenashev/demo-jenkins-config-as-code/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L20-L42. But it's too complex a setup, which requires manual whitelisting of classes.

          It would be great to have a marker interface like "OnMasterFlyweightTask" which would allow tasks even when there is no Computer.Build permission for the current authentication. But such an interface requires bumping of Jenkins core. Maybe a default "boolean isOnMaster()" in FlyWeight task solves it in a more compatible way.


          Jesse Glick added a comment -

          It is not as designed. BUILD should not be checked on flyweight tasks IMO, which is why the Node patch I proposed in JENKINS-24513 would fix this bug. I see no need for API changes.

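
The behaviour discussed in this thread, as an added example that is not Jenkins code and not part of the original issue: a simplified model of a per-node Computer/Build check, showing the reported blockage and the effect of not checking BUILD on flyweight tasks. The class, enum and flag names, and the user and node names, are assumptions made for illustration.

```java
import java.util.Set;

/** Simplified model (not Jenkins code) of a per-node Computer/Build check in the queue. */
public class FlyweightBuildCheck {
    enum Kind { FLYWEIGHT, HEAVYWEIGHT }

    /** A queued task running as the identity assigned by Authorize Project. */
    record Task(String name, Kind kind, String runAs) {}

    /** A node plus the identities that hold Computer/Build on it. */
    record Node(String name, Set<String> buildGranted) {}

    /**
     * Returns null when the node may take the task, otherwise the reason it is blocked.
     * skipBuildCheckOnFlyweights (hypothetical flag): false models the reported behaviour,
     * true models "BUILD should not be checked on flyweight tasks".
     */
    static String causeOfBlockage(Node node, Task task, boolean skipBuildCheckOnFlyweights) {
        boolean exempt = skipBuildCheckOnFlyweights && task.kind() == Kind.FLYWEIGHT;
        if (!exempt && !node.buildGranted().contains(task.runAs())) {
            return task.runAs() + " lacks Computer/Build on " + node.name();
        }
        return null;
    }

    static void report(Node node, Task task, boolean skip) {
        String cause = causeOfBlockage(node, task, skip);
        System.out.printf("  %-22s on %-8s -> %s%n", task.name(), node.name(),
                cause == null ? "allowed" : "blocked: " + cause);
    }

    public static void main(String[] args) {
        // Constructed setup: only "housekeeping" may build on master; "alice" may build on agent-1.
        Node master = new Node("master", Set.of("housekeeping"));
        Node agent = new Node("agent-1", Set.of("alice", "housekeeping"));

        Task pipeline = new Task("pipeline (flyweight)", Kind.FLYWEIGHT, "alice");
        Task heavy = new Task("heavyweight build", Kind.HEAVYWEIGHT, "alice");

        for (boolean skip : new boolean[] {false, true}) {
            System.out.println("skip BUILD check on flyweight tasks = " + skip);
            report(master, pipeline, skip); // the flyweight task is tied to master
            report(master, heavy, skip);    // heavyweight work should stay blocked on master
            report(agent, heavy, skip);     // and stay allowed where alice has Computer/Build
        }
    }
}
```

With the exemption off, the Pipeline's flyweight task is blocked on master, so the run never starts even though its heavyweight work would be allowed on the agent. With it on, only the flyweight task is admitted and heavyweight builds by the same user remain blocked on master.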
          Jesse Glick made changes -
          Labels New: permissions
          James Dumay made changes -
          Remote Link New: This issue links to "CloudBees Internal OSS-2540 (Web Link)" [ 18256 ]
          Jesse Glick made changes -
          Assignee New: Jesse Glick [ jglick ]
          Jesse Glick made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Jesse Glick made changes -
          Remote Link New: This issue links to "core PR 3254 (Web Link)" [ 19919 ]
          Jesse Glick made changes -
          Remote Link New: This issue links to "workflow-job PR 85 (Web Link)" [ 19920 ]

            jglick Jesse Glick
            danielbeck Daniel Beck