-
Bug
-
Resolution: Not A Defect
-
Blocker
-
Jenkins LTS version 2.452.2
Role-based Authorization Strategy Version 727.vd344b_eec783d
This bug report details an issue encountered with the Jenkins Role-Based Access Plugin. When attempting to define an Agent role in the Manage Roles section, the provided role pattern fails to identify matching agents.
Steps to Reproduce:
- Access Jenkins and navigate to "Manage Jenkins."
- Click on "Manage and Assign Roles."
- Go to the "Manage Roles" section.
- Create a new role or edit an existing one.
- Under the "Agent" permissions, enter "master" as the role pattern.
- Double-click on the "master" pattern.
Expected Behavior:
Double-clicking on the "master" pattern should display a list of agents matching the pattern (presumably an agent named "master").
Actual Behavior:
Double-clicking on the "master" pattern results in a message indicating "no agent found matching 'master'."
[JENKINS-73407] Agent Role Pattern Not Finding Matching Agent
Markus Winter
added a comment - If you want to allow to run on all agents I would define a global role instead of an agent role that tries to match everything.
Currently it seems that it is not possible to define an agent role that matches the built-in controller. But building on the controller is not recommended anyway.
Markus Winter
added a comment - If you want to allow to run on all agents I would define a global role instead of an agent role that tries to match everything.
Currently it seems that it is not possible to define an agent role that matches the built-in controller. But building on the controller is not recommended anyway.
Sudarshan T N
added a comment - I want to define a role for each agent, I just tried this to show that the built-in agent was not shown in the list
Sudarshan T N
added a comment - I want to define a role for each agent, I just tried this to show that the built-in agent was not shown in the list Sudarshan T N
added a comment - Is there any other way, we could define a role for the built-in controller ? and allow only few users to run job there ?
Sudarshan T N
added a comment - Is there any other way, we could define a role for the built-in controller ? and allow only few users to run job there ? Markus Winter
added a comment - At the moment it seems to be not possible to define a rule for the built-in. I haven't yet understood why this is the case, need to debug this
Markus Winter
added a comment - At the moment it seems to be not possible to define a rule for the built-in. I haven't yet understood why this is the case, need to debug this Sudarshan T N
added a comment - could we get this feature to set a role on built-in agent also ? Markus Winter
added a comment - After analyzing the code in Jenkins core it is not possible to define an agent role for the built-in node. The reason is that Jenkins itself is a Node and overwrites the getACL() method defined in the Node class. So when it comes to checking the permissions for the built-in node, the root ACL is returned.
Without digging in the details the same is probably true for Matrix auth.
Markus Winter
added a comment - After analyzing the code in Jenkins core it is not possible to define an agent role for the built-in node. The reason is that Jenkins itself is a Node and overwrites the getACL() method defined in the Node class. So when it comes to checking the permissions for the built-in node, the root ACL is returned.
Without digging in the details the same is probably true for Matrix auth. Markus Winter
added a comment - Closing this as role patterns for agents work without problems.
The build permission for agents works only when the authorize-project plugin is installed.
A role that matches the controller itself is not possible due to the way this is implemented in core.
Markus Winter
added a comment - Closing this as role patterns for agents work without problems.
The build permission for agents works only when the authorize-project plugin is installed.
A role that matches the controller itself is not possible due to the way this is implemented in core. Sudarshan T N
added a comment - thanks, mawinter69 for all the support,
I have one question why do builds are kept in the queue if the user is lacking permission, can't we abort the job automatically if the user is lacking permission to run in a specific agent?
Sudarshan T N
added a comment - thanks, mawinter69 for all the support,
I have one question why do builds are kept in the queue if the user is lacking permission, can't we abort the job automatically if the user is lacking permission to run in a specific agent? Markus Winter
added a comment - Aborting builds is out of scope for role-strategy plugin.
While it might be a use case for you to remove builds in the queue this might not be true for others in all cases. Not sure if it is possible to achieve this via a plugin.
Markus Winter
added a comment - Aborting builds is out of scope for role-strategy plugin.
While it might be a use case for you to remove builds in the queue this might not be true for others in all cases. Not sure if it is possible to achieve this via a plugin. 
thank you, Markus, this helped me to restrict users from running jobs on Jenkins ec2 and other permanent agents.
but I am facing one more issue, how do I allow users to run jobs on Jenkins built-in agent?