This bug report details an issue encountered with the Jenkins Role-Based Access Plugin. When attempting to define an Agent role in the Manage Roles section, the provided role pattern fails to identify matching agents.

      Steps to Reproduce:

      1. Access Jenkins and navigate to "Manage Jenkins."
      2. Click on "Manage and Assign Roles."
      3. Go to the "Manage Roles" section.
      4. Create a new role or edit an existing one.
      5. Under the "Agent" permissions, enter "master" as the role pattern.
      6. Double-click on the "master" pattern.

      Expected Behavior:

      Double-clicking on the "master" pattern should display a list of agents matching the pattern (presumably an agent named "master").

      Actual Behavior:

      Double-clicking on the "master" pattern results in a message indicating "no agent found matching 'master'."

          [JENKINS-73407] Agent Role Pattern Not Finding Matching Agent

          Sudarshan T N added a comment - - edited

          thank you, Markus, this helped me to restrict users from running jobs on Jenkins ec2 and other permanent agents.

          but I am facing one more issue, how do I allow users to run jobs on Jenkins built-in agent?

           user1 lacks permission to run on ‘Jenkins’

           

          Sudarshan T N added a comment - - edited thank you, Markus, this helped me to restrict users from running jobs on Jenkins ec2 and other permanent agents. but I am facing one more issue, how do I allow users to run jobs on Jenkins built-in agent?  user1 lacks permission to run on ‘Jenkins’  

          Markus Winter added a comment -

          If you want to allow to run on all agents I would define a global role instead of an agent role that tries to match everything.

          Currently it seems that it is not possible to define an agent role that matches the built-in controller. But building on the controller is not recommended anyway.

           

          Markus Winter added a comment - If you want to allow to run on all agents I would define a global role instead of an agent role that tries to match everything. Currently it seems that it is not possible to define an agent role that matches the built-in controller. But building on the controller is not recommended anyway.  

          Sudarshan T N added a comment -

          I want to define a role for each agent, I just tried this to show that the built-in agent was not shown in the list 

          Sudarshan T N added a comment - I want to define a role for each agent, I just tried this to show that the built-in agent was not shown in the list 

          Sudarshan T N added a comment -

          Is there any other way, we could define a role for the built-in controller ? and allow only few users to run job there ?

          Sudarshan T N added a comment - Is there any other way, we could define a role for the built-in controller ? and allow only few users to run job there ?

          Markus Winter added a comment -

          At the moment it seems to be not possible to define a rule for the built-in. I haven't yet understood why this is the case, need to debug this

          Markus Winter added a comment - At the moment it seems to be not possible to define a rule for the built-in. I haven't yet understood why this is the case, need to debug this

          Sudarshan T N added a comment -

          could we get this feature to set a role on built-in agent also ?

          Sudarshan T N added a comment - could we get this feature to set a role on built-in agent also ?

          Markus Winter added a comment -

          After analyzing the code in Jenkins core it is not possible to define an agent role for the built-in node. The reason is that Jenkins itself is a Node and overwrites the getACL() method defined in the Node class. So when it comes to checking the permissions for the built-in node, the root ACL is returned.

          Without digging in the details the same is probably true for Matrix auth.

          Markus Winter added a comment - After analyzing the code in Jenkins core it is not possible to define an agent role for the built-in node. The reason is that Jenkins itself is a Node and overwrites the getACL() method defined in the Node class. So when it comes to checking the permissions for the built-in node, the root ACL is returned. Without digging in the details the same is probably true for Matrix auth.

          Markus Winter added a comment -

          Closing this as role patterns for agents work without problems.

          The build permission for agents works only when the authorize-project plugin is installed.

          A role that matches the controller itself is not possible due to the way this is implemented in core.

          Markus Winter added a comment - Closing this as role patterns for agents work without problems. The build permission for agents works only when the authorize-project plugin is installed. A role that matches the controller itself is not possible due to the way this is implemented in core.

          Sudarshan T N added a comment -

          thanks, mawinter69 for all the support,

          I have one question why do builds are kept in the queue if the user is lacking permission, can't we abort the job automatically if the user is lacking permission to run in a specific agent?

          Sudarshan T N added a comment - thanks, mawinter69 for all the support, I have one question why do builds are kept in the queue if the user is lacking permission, can't we abort the job automatically if the user is lacking permission to run in a specific agent?

          Markus Winter added a comment -

          Aborting builds is out of scope for role-strategy plugin.

          While it might be a use case for you to remove builds in the queue this might not be true for others in all cases. Not sure if it is possible to achieve this via a plugin.

          Markus Winter added a comment - Aborting builds is out of scope for role-strategy plugin. While it might be a use case for you to remove builds in the queue this might not be true for others in all cases. Not sure if it is possible to achieve this via a plugin.

            mawinter69 Markus Winter
            sudarshan Sudarshan T N
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: