Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

J0991

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.

As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.

What is the best way to go about achieving this?

Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

Michael Pailloncy
By default, the master is configured with "Use this node as much as possible" : http://${JENKINS_URL}/computer/(master)/configure
You can change this behavior with "Only build jobs with label expressions matching this node". In this way, the master can only be used if an explicit allocation (using 'master' label) is done.

No sure that it's an ideal solution in your case, since team member can still force the execution on master, but it can prevent accidental/unwanted execution and it's anyway a good idea to avoid build on master.

Seems to fit your needs, but personally not tested.

Hope it helps.


2017-07-11 20:41 GMT+02:00 Jason LeMauk <[hidden email]>:

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.

As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.

What is the best way to go about achieving this?

Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

J0991

Thank you for the advice! I discovered the setting you mention yesterday: Configure Jenkins > Usage.

As you mentioned, the default setting is ‘use this node as much as possible’ for the ‘Usage’ property. Changing this value to ‘Only build jobs with label expressions matching this node’ does appear to be the solution I am looking for.

As my goal is to prevent a user from not setting a Jenkins Agent / Slave which would execute the job on Jenkins Master, the user will have to explicitly specify the ‘Master’ to build on, which will prevent jobs from defaulting to the Master for execution.

The job restrictions plugin does look like it does the trick as far as preventing users from specifying the Master to execute jobs on, however at this point it might be slightly more restrictive than I need at this moment in time. I also checked out the open issues associated with the plugin, and it doesn’t look too buggy :D It’s also not up for adoption at this time. I’ll definitely consider this plugin in the future if an event prompts needing to completely restrict the Master from jobs being executed.

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Michael Pailloncy
Sent: Tuesday, July 11, 2017 6:30 PM
To: [hidden email]
Subject: Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

 

By default, the master is configured with "Use this node as much as possible" : http://${JENKINS_URL}/computer/(master)/configure

You can change this behavior with "Only build jobs with label expressions matching this node". In this way, the master can only be used if an explicit allocation (using 'master' label) is done.

 

No sure that it's an ideal solution in your case, since team member can still force the execution on master, but it can prevent accidental/unwanted execution and it's anyway a good idea to avoid build on master.

 

There is also this plugin : <a href="https://wiki.jenkins.io/display/JENKINS/Job&#43;Restrictions&#43;Plugin">https://wiki.jenkins.io/display/JENKINS/Job+Restrictions+Plugin

Seems to fit your needs, but personally not tested.

 

Hope it helps.

 

 

2017-07-11 20:41 GMT+02:00 Jason LeMauk <[hidden email]>:

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.

As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.

What is the best way to go about achieving this?

Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

 

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB05999AA44A56EC04B933F69289AF0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

Daniel Beck

> On 12. Jul 2017, at 14:52, Jason LeMauk <[hidden email]> wrote:
>
> the user will have to explicitly specify the ‘Master’ to build on, which will prevent jobs from defaulting to the Master for execution.
>

Well, or have any label expression matching master. Like `!the_agent_that_never_works`.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/065255BC-B990-44AB-91CC-D2340632DC1C%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

Artur Szostak
In reply to this post by J0991
I think you cannot do it properly using the project-based authorization strategy. But you should be able to do it with the combination of the following two plugins:
https://wiki.jenkins.io/display/JENKINS/Ownership+Plugin
https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin

I have only recently become aware of this plugin combination and started playing around with it. So if you are willing to change your security model then the best is to look at the documentation. See the section "Restricting executions on agents" from the following:
https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

Cheers

Artur

________________________________________
From: [hidden email] <[hidden email]> on behalf of Jason LeMauk <[hidden email]>
Sent: 11 July 2017 20:41:23
To: [hidden email]
Subject: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.
What is the best way to go about achieving this?
Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]<mailto:[hidden email]>.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com<https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/bc714dc405924475820d5db4efe20db4%40partner.eso.org.
For more options, visit https://groups.google.com/d/optout.
Loading...