[JIRA] (JENKINS-50644) Support restrictions from the global shared pipeline library

2018-04-06 Thread sam.mxra...@gmail.com (JIRA)
   
Sam Gleske updated an issue

Jenkins / JENKINS-50644
Support restrictions from the global shared pipeline library

Change By: Sam Gleske
 
h1. Feature / Idea

Allow global pipeline library to execute steps on the master when shared pipeline steps defined by an admin are run by a user's Jenkinsfile. However, the user is not allowed to define the master in their Jenkinsfile.

Security scope: Admins are the only ones who can define global shared pipeline libraries. So any code they load into the master could be allowed to run if that's what they intend for the step (even if that step is called by a non-admin).

h1. Story

As an admin of Jenkins, I would like to run stages defined in a global shared pipeline library on the master but not allowed from pipeline steps in the calling job so that I may take advantage of executors on the master in a controlled manner and not allow normal pipeline users to use the master.

Let's pretend I have a global shared pipeline library with the following file.

{noformat}
vars/masterMagicStep.groovy
{noformat}

Where masterMagicStep.groovy has the following code defined...

{noformat}
node('master') {
  //some work defined by the admin goes here
}
{noformat}

h1. The following should succeed

Here's a user Jenkinsfile defined in a repository.

{noformat}
masterMagicStep()

node('another-agent') {
  //user defined magic
}
{noformat}

The masterMagicStep executes on the Jenkins master and the user-defined code executes on another agent.

h1. The following should not succeed

Here's a user Jenkinsfile defined in a repository.

{noformat}
masterMagicStep()

node('master') {
  //uh oh! The user is attempting to modify something on the master
}
{noformat}

The masterMagicStep would "normally" be allowed in this pretend feature. However, the job is blocked from running because the user is attempting to execute code on the master. This is not allowed.

[JIRA] (JENKINS-50644) Support restrictions from the global shared pipeline library

2018-04-06 Thread sam.mxra...@gmail.com (JIRA)
   
Sam Gleske updated an issue

Jenkins / JENKINS-50644
Support restrictions from the global shared pipeline library

Change By: Sam Gleske
 
h1. Feature / Idea

Allow global pipeline library to execute steps on the master when shared pipeline steps defined by an admin are run.

h1. Story

As an admin of Jenkins, I would like to run stages defined in a global shared pipeline library on the master but not allowed from pipeline steps in the calling job so that I may take advantage of executors on the master in a controlled manner and not allow normal pipeline users to use the master.

Let's pretend I have a global shared pipeline library with the following file.

{noformat}
vars/masterMagicStep.groovy
{noformat}

Where masterMagicStep.groovy has the following code defined...

{noformat}
node('master') {
  //some work defined by the admin goes here
}
{noformat}

h1. The following should succeed

Here's a user Jenkinsfile defined in a repository.

{noformat}
masterMagicStep()

node('another-agent') {
  //user defined magic
}
{noformat}

The masterMagicStep executes on the Jenkins master and the user-defined code executes on another agent.

h1. The following should not succeed

Here's a user Jenkinsfile defined in a repository.

{noformat}
masterMagicStep()

node('master') {
  //uh oh! The user is attempting to modify something on the master
}
{noformat}

The masterMagicStep would "normally" be allowed in this pretend feature. However, the job is blocked from running because the user is attempting to execute code on the master. This is not allowed.

[JIRA] (JENKINS-50644) Support restrictions from the global shared pipeline library

2018-04-06 Thread sam.mxra...@gmail.com (JIRA)
   
Sam Gleske created an issue

Jenkins / JENKINS-50644
Support restrictions from the global shared pipeline library

Issue Type: New Feature
Assignee: Unassigned
Components: job-restrictions-plugin
Created: 2018-04-07 05:24
Priority: Minor
Reporter: Sam Gleske
 
As an admin of Jenkins, I would like to run stages defined in a global shared pipeline library on the master but not allowed from pipeline steps in the calling job so that I may take advantage of executors on the master in a controlled manner and not allow normal pipeline users to use the master.

Let's pretend I have a global shared pipeline library with the following file.

{noformat}
vars/masterMagicStep.groovy
{noformat}

Where masterMagicStep.groovy has the following code defined...

{noformat}
node('master') {
  //some work defined by the admin goes here
}
{noformat}

h1. The following should succeed

Here's a user Jenkinsfile defined in a repository.

{noformat}
masterMagicStep()

node('another-agent') {
  //user defined magic
}
{noformat}

The masterMagicStep executes on the Jenkins master and the user-defined code executes on another agent.

h1. The following should not succeed