New Feature
Resolution: Unresolved
Minor
None
Feature / Idea
Allow a global pipeline library to execute steps on the master when shared pipeline steps defined by an admin are run by a user's Jenkinsfile. However, the user is not allowed to define the master in their Jenkinsfile.
Security scope: Admins are the only ones who can define global shared pipeline libraries. So any code they load into the master could be allowed to run if that's what they intend for the step (even if that step is called by a non-admin).
Story
As an admin of Jenkins, I would like to run stages defined in a global shared pipeline library on the master, but not allow this from pipeline steps in the calling job, so that I may take advantage of executors on the master in a controlled manner and not allow normal pipeline users to use the master.
Let's pretend I have a global shared pipeline library with the following file.
vars/masterMagicStep.groovy
Where masterMagicStep.groovy has the following code defined...
node('master') {
    //some work defined by the admin goes here
}
The following should succeed
Here's a user Jenkinsfile defined in a repository.
masterMagicStep()
node('another-agent') {
    //user defined magic
}
The masterMagicStep executes on the Jenkins master and the user-defined code executes on another agent.
The following should not succeed
Here's a user Jenkinsfile defined in a repository.
masterMagicStep()
node('master') {
    //uh oh! The user is attempting to modify something on the master
}
The masterMagicStep would "normally" be allowed in this pretend feature. However, the job is blocked from running because the user is attempting to execute code on the master. This is not allowed.
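An added example, not part of the original issue and not Jenkins code: a pre-merge check over a repository's Jenkinsfile that applies the rule described above. It scans user code only, so library steps such as masterMagicStep() remain free to use the master. The function names, and the choice to report unlabeled or non-literal node labels, are assumptions of this example.

```python
import re

# Assumption: the controller is reached through the label 'master', as on this page.
PROTECTED = {"master"}

# String literals are matched first so that '//' inside a string is not taken for a comment.
_STR_OR_COMMENT = re.compile(
    r"""('(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*")|//[^\n]*|/\*.*?\*/""", re.S)
# node { ... }, node() { ... } or node(<argument>) { ... }
_NODE = re.compile(r"\bnode\s*(?:\((.*?)\))?\s*\{", re.S)
_LITERAL = re.compile(r"""\s*(['"])(.*)\1\s*$""", re.S)
_ATOM = re.compile(r"[\w.\-]+")


def strip_comments(src):
    """Remove // and /* */ comments while leaving string literals untouched."""
    return _STR_OR_COMMENT.sub(lambda m: m.group(1) or "", src)


def violations(jenkinsfile):
    """Return one finding per node block in user code that may land on a protected node."""
    findings = []
    for m in _NODE.finditer(strip_comments(jenkinsfile)):
        arg = (m.group(1) or "").strip()
        lit = _LITERAL.match(arg)
        if not arg:
            # Assumption: an unlabeled block may be scheduled on any node with free executors.
            findings.append("unlabeled node block")
        elif not lit:
            # The label is computed at runtime, so it cannot be judged from the text.
            findings.append("label is not a string literal: " + arg)
        elif PROTECTED & set(_ATOM.findall(lit.group(2))):
            # Conservative: any mention inside a label expression counts.
            findings.append("protected label requested: " + lit.group(2))
    return findings


if __name__ == "__main__":
    # Constructed input: the two user Jenkinsfiles from this page.
    allowed = "masterMagicStep()\nnode('another-agent') {\n    //user defined magic\n}\n"
    blocked = "masterMagicStep()\nnode('master') {\n    //uh oh!\n}\n"
    for name, text in (("allowed", allowed), ("blocked", blocked)):
        print(name, violations(text) or "ok")
```

This is a text-level check on literal labels only; it complements, and does not replace, enforcement inside Jenkins.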