The slave(s) do not need to be launched from the same account that runs the slave. You can run the master as j1, Then create 2 ssh keys and put one as u1 and the other as u2. Only give j1 the private key – then lauch the slaves as u1 and u2 from j1. That way u1 has no access to u2 and u2 has no access to u1. Does that no accomplish what you require?
/James From: [email protected] [mailto:[email protected]] On Behalf Of varun srivastava Sent: 03 July 2014 14:20 To: [email protected] Subject: Re: Running test cases as different user in Jenkins My Jenkins instance is running as u1. Launching a slave as u2 might require some permission to u1. I can get only restricted set of permission for u1 to do anything as u2. I launch my slave using following unix command ssh hostname java -jar /data/jenkins/slave.jar If u1 is granted permission to launch slave as u2 using above command, there is no restriction on what all commands can be launched on the slave which is not desirable. On Thu, Jul 3, 2014 at 6:34 PM, Mark Waite <[email protected]<mailto:[email protected]>> wrote: Maybe I stated poorly what I was suggesting. Don't allow u1 to sudo to u2 and don't allow u2 to sudo to u1. Create two separate jobs, one that runs as user u1 on the slave that is running as u1, and the other that runs as user u2 on the slave running as u2. Use "copy artifacts" or a similar technique to copy from the u1 job to the u2 job so that the files in the u2 job will always be owned by user u2. Mark Waite On Thu, Jul 3, 2014 at 6:57 AM, varun srivastava <[email protected]<mailto:[email protected]>> wrote: Thanks Mark, But running the slave node as u2 would mean that u1 can run any command as u2 (equivalent to giving complete sudo permission for u2). I have restriction that u1 can sudo as u2 only for running test command/script. On Thu, Jul 3, 2014 at 6:23 PM, Mark Waite <[email protected]<mailto:[email protected]>> wrote: Could you change the requirements a little to simplify? For example, what if you had a slave that was running as user "u2" and performed all its work as user "u2". It could copy the build results from the job which had been performed as user "u1", then execute the tests as user "u2". Mark Waite On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava <[email protected]<mailto:[email protected]>> wrote: Hi, I have a centralized jenkins setup run as user u1. Different projects are set up on this instance. For running some testcases in some project, application user u2 permission is required. So I have granted permission to u1 to sudo as u2 only for running the test script/command. For example u1 can sudo -u u2 run_test.sh Now the problem is that the workspace is checked out as u1 but the test output files are generated with owner as u2. So I am not able to clean up the workspace as it contains files owned by both u1 and u2 and my cleanup plugin is run as u1. Does any one has any solution for setting this up or do we have a plugin that can clean up the workspace as different user. Summarizing the requirement : 1. Run jenkins as u1 2. Checkout and build project as u1. 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 only for running restricted set of commands. 4. Able to clean up the workspace post build properly (that may contain files owned by both u1 and u2) Thanks, Varun -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- Thanks! Mark Waite -- You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- Thanks, Varun Kr Srivastava mobile- +919666676033<tel:%2B919666676033> -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- Thanks! Mark Waite -- You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe. To unsubscribe from this group and all its topics, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- Thanks, Varun Kr Srivastava mobile- +919666676033 -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
