Regarding the executions on the master, I believe that Job Restrictions is a right way to do it since it also protects you from Flyweight tasks. I am the plugin creator, so I may be a bit biased though.
I have an example of the master protection here <https://github.com/oleg-nenashev/docker-ci-jenkins-io-dev/blob/master/init_scripts/src/main/groovy/MasterComputer.groovy#L27-L39>. It is configuration-as-code, but you can do the same in the Web UI. There is also a brief description in my recent JAM talk in Oslo: slides 29-32 <https://speakerdeck.com/onenashev/oslo-jenkins-meetup-managing-security-in-jenkins-cheat-sheet?slide=29>

Hopefully it helps,

On Thursday, 20 July 2017 at 13:56:25 UTC+3, Artur Szostak wrote:
>
> I think you cannot do it properly using the project-based authorization strategy. But you should be able to do it with the combination of the following two plugins:
> https://wiki.jenkins.io/display/JENKINS/Ownership+Plugin
> https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin
>
> I have only recently become aware of this plugin combination and started playing around with it. So if you are willing to change your security model then the best is to look at the documentation. See the section "Restricting executions on agents" from the following:
>
> https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md
>
> Cheers
>
> Artur
>
> ________________________________________
> From: [email protected] <[email protected]> on behalf of Jason LeMauk <[email protected]>
> Sent: 11 July 2017 20:41:23
> To: [email protected]
> Subject: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors
>
> I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master.
> For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
> As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.
> What is the best way to go about achieving this?
> Thanks in advance for any guidance and advice!
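
Added example, not part of the thread and not code from the Job Restrictions or Ownership plugins: a Python audit that reads job `config.xml` documents and reports jobs whose label expression would let them be scheduled on the master, as a check to run alongside a node-side restriction. Assumptions: the job's label expression is stored in `<assignedNode>`, the master's only label is `master`, and `backup` is a hypothetical name for the one job allowed there.

```python
import re
import xml.etree.ElementTree as ET
from collections import deque

MASTER_LABEL = "master"          # assumption: the master carries only this label
ALLOWED_ON_MASTER = {"backup"}   # hypothetical name for the backup job
OPS = ("||", "&&")               # binary operators, loosest binding first
TOKEN = re.compile(r'&&|\|\||<->|->|[!()]|"[^"]*"|(?:(?!<?->)[^\s()&|!"])+|\S')

def matches_master(expr):        # handles !, &&, || and parentheses only
    tokens = deque(t.strip('"') for t in TOKEN.findall(expr))
    def atom():
        tok = tokens.popleft()   # IndexError on a truncated expression
        if tok == "!":
            return not atom()
        if tok != "(":
            return tok == MASTER_LABEL
        value = binary(0)
        if tokens.popleft() != ")":
            raise ValueError(expr)
        return value
    def binary(level):
        if level == len(OPS):
            return atom()
        value = binary(level + 1)
        while tokens and tokens[0] == OPS[level]:
            tokens.popleft()
            rhs = binary(level + 1)   # always evaluated, so its tokens are consumed
            value = (value or rhs) if OPS[level] == "||" else (value and rhs)
        return value
    result = binary(0)
    if tokens:                   # leftovers such as "->" are not handled here
        raise ValueError(expr)
    return result

def audit(jobs):                 # returns {job name: finding}
    findings = {}
    for name in sorted(set(jobs) - ALLOWED_ON_MASTER):
        label = (ET.fromstring(jobs[name]).findtext("assignedNode") or "").strip()
        try:
            if not label or matches_master(label):
                findings[name] = label or "(no label: any node)"
        except (ValueError, IndexError):
            findings[name] = "review by hand: " + label
    return findings

# Constructed sample job configs (name -> config.xml), not from a real instance.
JOB = "<project><assignedNode>%s</assignedNode></project>"
SAMPLES = {n: JOB % lbl for n, lbl in [("backup", "master"), ("team-build", "master"),
           ("agent-build", "linux &amp;&amp; !master"), ("roaming", "")]}
```

`audit(SAMPLES)` reports `team-build` and `roaming`; expressions using `->` or `<->` are returned for manual review rather than evaluated.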
