This bug report details an issue encountered with the Jenkins Role-Based Access Plugin. When attempting to define an Agent role in the Manage Roles section, the provided role pattern fails to identify matching agents.

      Steps to Reproduce:

      1. Access Jenkins and navigate to "Manage Jenkins."
      2. Click on "Manage and Assign Roles."
      3. Go to the "Manage Roles" section.
      4. Create a new role or edit an existing one.
      5. Under the "Agent" permissions, enter "master" as the role pattern.
      6. Double-click on the "master" pattern.

      Expected Behavior:

      Double-clicking on the "master" pattern should display a list of agents matching the pattern (presumably an agent named "master").

      Actual Behavior:

      Double-clicking on the "master" pattern results in a message indicating "no agent found matching 'master'."

          [JENKINS-73407] Agent Role Pattern Not Finding Matching Agent

          Markus Winter added a comment -

          Please provide more input, e.g. a screenshot listing the agents that are defined (from .../computer) would be helpful

          Is your intention to define permissions on the built-in agent?

          Sudarshan T N added a comment - - edited

          define permission for master and cloud agents

          Markus Winter added a comment - - edited

          remember that you have to use regular expressions, so

          (?i)restricted-agent*
          

          should probably be

          (?i).*restricted-agent.*
          

          This will not match labels given to agents.

          And 'master' will only match an agent with name 'master'. As mentioned before the controller itself is not using the term 'master' anymore.
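The pattern behaviour described in the comment above, as an added example that is not part of the original thread or the plugin's code. It assumes the role pattern must match the whole agent name (as the comment implies), uses Python's `re` as a stand-in for Java regex, and runs on a constructed agent inventory; `matching_agents` and `audit` are hypothetical helper names.

```python
import re

# Constructed inventory: agent name -> labels (labels are never consulted).
AGENTS = {
    "restricted-agent": ["linux"],
    "Restricted-Agent-01": ["linux", "docker"],
    "ec2-restricted-agent-7": ["cloud"],
    "restricted-agenttt": [],
    "build-02": ["restricted-agent"],  # label only, the name differs
    "master": [],                      # an ordinary agent that happens to be named "master"
}


def matching_agents(pattern, agents=AGENTS):
    """Return the agent names that the whole pattern matches (names only)."""
    compiled = re.compile(pattern)
    return sorted(name for name in agents if compiled.fullmatch(name))


def audit(pattern, intended, agents=AGENTS):
    """Compare what a pattern selects with what the admin intended to select."""
    got = set(matching_agents(pattern, agents))
    want = set(intended)
    return {"missing": sorted(want - got), "unexpected": sorted(got - want)}


if __name__ == "__main__":
    intended = ["restricted-agent", "Restricted-Agent-01", "ec2-restricted-agent-7"]
    for pat in ("(?i)restricted-agent*", "(?i).*restricted-agent.*", "master"):
        print(pat, "->", matching_agents(pat))
    # The trailing "t*" only repeats the letter t, so prefixed/suffixed names are missed.
    print(audit("(?i)restricted-agent*", intended))
```

Running an audit like this against the names listed under .../computer before assigning a role shows both agents a pattern misses and agents it selects unintentionally.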

           

           

          Sudarshan T N added a comment -

          thank you it worked 

          Sudarshan T N added a comment -

          Could you please help me with this

          I have 2 users, user1 and user2. I want to allow only user1 to run the Jenkins job in restricted-agent.

          I have set the permissions like this but user2 can also provision the Jenkins job with the following permissions, I am not sure what is wrong here 

          could you please help me with what I am missing here?

          Markus Winter added a comment -

          You will need the plugin https://plugins.jenkins.io/authorize-project/ and configure it as 'run as user who triggered the build' to be able to restrict who can run builds on a node. By default builds are executed as the SYSTEM user that acts like an admin.

          Sudarshan T N added a comment -

          OK thank you so much, let me try that 

          Sudarshan T N added a comment - - edited

          thank you, Markus, this helped me to restrict users from running jobs on Jenkins ec2 and other permanent agents.

          but I am facing one more issue, how do I allow users to run jobs on Jenkins built-in agent?

           user1 lacks permission to run on ‘Jenkins’

           

          Markus Winter added a comment -

          If you want to allow to run on all agents I would define a global role instead of an agent role that tries to match everything.

          Currently it seems that it is not possible to define an agent role that matches the built-in controller. But building on the controller is not recommended anyway.

           

          Sudarshan T N added a comment -

          I want to define a role for each agent, I just tried this to show that the built-in agent was not shown in the list 

          Sudarshan T N added a comment -

          Is there any other way we could define a role for the built-in controller, and allow only a few users to run jobs there?

          Markus Winter added a comment -

          At the moment it seems to be not possible to define a rule for the built-in. I haven't yet understood why this is the case, need to debug this

          Sudarshan T N added a comment -

          Could we get this feature to set a role on the built-in agent also?

          Markus Winter added a comment -

          After analyzing the code in Jenkins core it is not possible to define an agent role for the built-in node. The reason is that Jenkins itself is a Node and overwrites the getACL() method defined in the Node class. So when it comes to checking the permissions for the built-in node, the root ACL is returned.

          Without digging in the details the same is probably true for Matrix auth.

          Markus Winter added a comment -

          Closing this as role patterns for agents work without problems.

          The build permission for agents works only when the authorize-project plugin is installed.

          A role that matches the controller itself is not possible due to the way this is implemented in core.
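A simplified model of the permission lookup described in the analysis above, added here as an illustration; it is not Jenkins core or plugin code. The class names, the node name "built-in" and the `scenario` helper are hypothetical, and the configuration is constructed.

```python
import re

BUILD = "Agent/Build"  # permission label used by this model


class RoleStrategy:
    """Toy stand-in for a role-based authorization strategy."""

    def __init__(self, global_roles, agent_roles):
        self.global_roles = global_roles  # list of (users, permissions)
        self.agent_roles = agent_roles    # list of (pattern, users, permissions)

    def root_acl(self, user, perm):
        return any(user in users and perm in perms for users, perms in self.global_roles)

    def acl_for(self, node_name, user, perm):
        # Agent roles apply to nodes whose name the pattern fully matches;
        # global roles always apply on top.
        by_agent_role = any(
            re.fullmatch(pat, node_name) and user in users and perm in perms
            for pat, users, perms in self.agent_roles
        )
        return by_agent_role or self.root_acl(user, perm)


class Node:
    def __init__(self, name, strategy):
        self.name, self.strategy = name, strategy

    def has_permission(self, user, perm):
        # Regular agents ask the strategy for a node-specific ACL.
        return self.strategy.acl_for(self.name, user, perm)


class BuiltInNode(Node):
    def has_permission(self, user, perm):
        # Overridden lookup: agent roles are never consulted, only the root ACL.
        return self.strategy.root_acl(user, perm)


def scenario(global_roles=()):
    # Constructed config: user1 holds an agent role whose pattern matches every name.
    strategy = RoleStrategy(list(global_roles), [(".*", {"user1"}, {BUILD})])
    nodes = [Node("restricted-agent", strategy), BuiltInNode("built-in", strategy)]
    return {n.name: n.has_permission("user1", BUILD) for n in nodes}
```

With only the agent role, `scenario()` grants the build permission on the regular agent and denies it on the built-in node; passing a global role for user1 grants it on both, which is the workaround suggested earlier in the thread.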

          Sudarshan T N added a comment -

          thanks, mawinter69 for all the support,

          I have one question: why are builds kept in the queue if the user is lacking permission? Can't we abort the job automatically if the user is lacking permission to run on a specific agent?

          Markus Winter added a comment -

          Aborting builds is out of scope for role-strategy plugin.

          While it might be a use case for you to remove builds in the queue this might not be true for others in all cases. Not sure if it is possible to achieve this via a plugin.

            mawinter69 Markus Winter
            sudarshan Sudarshan T N