Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Artur Szostak]

I think you cannot do it properly using the project-based authorization 
strategy. But you should be able to do it with the combination of the following 
two plugins:
https://wiki.jenkins.io/display/JENKINS/Ownership+Plugin
https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin

I have only recently become aware of this plugin combination and started 
playing around with it. So if you are willing to change your security model 
then the best is to look at the documentation. See the section "Restricting 
executions on agents" from the following:
https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

Cheers

Artur


From: jenkinsci-users@googlegroups.com <jenkinsci-users@googlegroups.com> on 
behalf of Jason LeMauk <jason.lem...@csquaredsystems.com>
Sent: 11 July 2017 20:41:23
To: jenkinsci-users@googlegroups.com
Subject: Jenkins Distributed Builds: Restricting users from configuring jobs 
with Jenkins Master's executors

I currently have a distributed build system in place (1 Jenkins master and 
several Jenkins Agents). I have an automated backup / backup cleanup job that 
runs on Jenkins Master. For this reason I need to keep my executors on the 
Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
As I cannot remove my executors from the Jenkins Master, what is the best way 
to ensure that no other jobs can be built on Jenkins Master? I am using 
project-based authorization strategy, and I don’t want a team member who may 
configure a job selecting the Jenkins Master to build on.
What is the best way to go about achieving this?
Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com<https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com?utm_medium=email_source=footer>.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/bc714dc405924475820d5db4efe20db4%40partner.eso.org.
For more options, visit https://groups.google.com/d/optout.

Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Daniel Beck]

> On 12. Jul 2017, at 14:52, Jason LeMauk  
> wrote:
> 
> the user will have to explicitly specify the ‘Master’ to build on, which will 
> prevent jobs from defaulting to the Master for execution.
> 

Well, or have any label expression matching master. Like 
`!the_agent_that_never_works`.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/065255BC-B990-44AB-91CC-D2340632DC1C%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.

RE: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Jason LeMauk]

Thank you for the advice! I discovered the setting you mention yesterday: 
Configure Jenkins > Usage.
As you mentioned, the default setting is ‘use this node as much as possible’ 
for the ‘Usage’ property. Changing this value to ‘Only build jobs with label 
expressions matching this node’ does appear to be the solution I am looking for.
As my goal is to prevent a user from not setting a Jenkins Agent / Slave which 
would execute the job on Jenkins Master, the user will have to explicitly 
specify the ‘Master’ to build on, which will prevent jobs from defaulting to 
the Master for execution.
The job restrictions plugin does look like it does the trick as far as 
preventing users from specifying the Master to execute jobs on, however at this 
point it might be slightly more restrictive than I need at this moment in time. 
I also checked out the open 
issues<https://issues.jenkins-ci.org/browse/JENKINS-39373?jql=project%20%3D%20JENKINS%20AND%20status%20in%20(Open%2C%20%22In%20Progress%22%2C%20Reopened)%20AND%20component%20%3D%20%27job-restrictions-plugin%27>
 associated with the plugin, and it doesn’t look too buggy :D It’s also not up 
for adoption at this time. I’ll definitely consider this plugin in the future 
if an event prompts needing to completely restrict the Master from jobs being 
executed.

From: jenkinsci-users@googlegroups.com 
[mailto:jenkinsci-users@googlegroups.com] On Behalf Of Michael Pailloncy
Sent: Tuesday, July 11, 2017 6:30 PM
To: jenkinsci-users@googlegroups.com
Subject: Re: Jenkins Distributed Builds: Restricting users from configuring 
jobs with Jenkins Master's executors

By default, the master is configured with "Use this node as much as possible" : 
http://${JENKINS_URL}/computer/(master)/configure<http://$%7bJENKINS_URL%7d/computer/(master)/configure>
You can change this behavior with "Only build jobs with label expressions 
matching this node". In this way, the master can only be used if an explicit 
allocation (using 'master' label) is done.

No sure that it's an ideal solution in your case, since team member can still 
force the execution on master, but it can prevent accidental/unwanted execution 
and it's anyway a good idea to avoid build on master.

There is also this plugin : 
https://wiki.jenkins.io/display/JENKINS/Job+Restrictions+Plugin
Seems to fit your needs, but personally not tested.

Hope it helps.


2017-07-11 20:41 GMT+02:00 Jason LeMauk 
<jason.lem...@csquaredsystems.com<mailto:jason.lem...@csquaredsystems.com>>:
I currently have a distributed build system in place (1 Jenkins master and 
several Jenkins Agents). I have an automated backup / backup cleanup job that 
runs on Jenkins Master. For this reason I need to keep my executors on the 
Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
As I cannot remove my executors from the Jenkins Master, what is the best way 
to ensure that no other jobs can be built on Jenkins Master? I am using 
project-based authorization strategy, and I don’t want a team member who may 
configure a job selecting the Jenkins Master to build on.
What is the best way to go about achieving this?
Thanks in advance for any guidance and advice!
--
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com<https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com?utm_medium=email_source=footer>.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com<https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com?utm_medium=email_source=footer>.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB05999AA44A56EC04B933F69289AF0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Michael Pailloncy]

By default, the master is configured with "Use this node as much as
possible" : http://${JENKINS_URL}/computer/(master)/configure
You can change this behavior with "Only build jobs with label expressions
matching this node". In this way, the master can only be used if an
explicit allocation (using 'master' label) is done.

No sure that it's an ideal solution in your case, since team member can
still force the execution on master, but it can prevent accidental/unwanted
execution and it's anyway a good idea to avoid build on master.

There is also this plugin :
https://wiki.jenkins.io/display/JENKINS/Job+Restrictions+Plugin
Seems to fit your needs, but personally not tested.

Hope it helps.


2017-07-11 20:41 GMT+02:00 Jason LeMauk :

> I currently have a distributed build system in place (1 Jenkins master and
> several Jenkins Agents). I have an automated backup / backup cleanup job
> that runs on Jenkins Master. For this reason I need to keep my executors on
> the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
>
> As I cannot remove my executors from the Jenkins Master, what is the best
> way to ensure that no other jobs can be built on Jenkins Master? I am using
> project-based authorization strategy, and I don’t want a team member who
> may configure a job selecting the Jenkins Master to build on.
>
> What is the best way to go about achieving this?
>
> Thanks in advance for any guidance and advice!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481D
> D7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Jason LeMauk]

I currently have a distributed build system in place (1 Jenkins master and 
several Jenkins Agents). I have an automated backup / backup cleanup job that 
runs on Jenkins Master. For this reason I need to keep my executors on the 
Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
As I cannot remove my executors from the Jenkins Master, what is the best way 
to ensure that no other jobs can be built on Jenkins Master? I am using 
project-based authorization strategy, and I don't want a team member who may 
configure a job selecting the Jenkins Master to build on.
What is the best way to go about achieving this?
Thanks in advance for any guidance and advice!

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.