Node-based security is ignored in Pipelines. Restricting "build" on a node to specific users has no effect.
Reproduction:
- Create a node, let's say "test-node"
- Use restrictions to end up with a user that has access to Jenkins and can create pipelines but does not have "build" permission on that node
- Create a new job of type pipeline and add this code to it:
node('test-node') { sh 'ls -la ..' }
- No matter which user starts this job, they will be allowed to do so and will be able to read files on that node. I would expect that running the job is denied for users who do not have "build" access to that node.
That opens up the problem that users who are allowed to create jobs (which is not generally a bad idea) can use this to spy on nodes they are not allowed to use.
- relates to JENKINS-24513 Zero executors on master not well documented or enforced (Closed)