Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

[Jason LeMauk]

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.

As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.

What is the best way to go about achieving this?

Thanks in advance for any guidance and advice!

[Michael Pailloncy]

By default, the master is configured with "Use this node as much as possible" : http://${JENKINS_URL}/computer/(master)/configure

You can change this behavior with "Only build jobs with label expressions matching this node". In this way, the master can only be used if an explicit allocation (using 'master' label) is done.

No sure that it's an ideal solution in your case, since team member can still force the execution on master, but it can prevent accidental/unwanted execution and it's anyway a good idea to avoid build on master.

There is also this plugin : https://wiki.jenkins.io/display/JENKINS/Job+Restrictions+Plugin

Seems to fit your needs, but personally not tested.

Hope it helps.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

[Jason LeMauk]

Thank you for the advice! I discovered the setting you mention yesterday: Configure Jenkins > Usage.

As you mentioned, the default setting is ‘use this node as much as possible’ for the ‘Usage’ property. Changing this value to ‘Only build jobs with label expressions matching this node’ does appear to be the solution I am looking for.

As my goal is to prevent a user from not setting a Jenkins Agent / Slave which would execute the job on Jenkins Master, the user will have to explicitly specify the ‘Master’ to build on, which will prevent jobs from defaulting to the Master for execution.

The job restrictions plugin does look like it does the trick as far as preventing users from specifying the Master to execute jobs on, however at this point it might be slightly more restrictive than I need at this moment in time. I also checked out the open issues associated with the plugin, and it doesn’t look too buggy :D It’s also not up for adoption at this time. I’ll definitely consider this plugin in the future if an event prompts needing to completely restrict the Master from jobs being executed.

 

From: jenkins...@googlegroups.com [mailto:jenkins...@googlegroups.com] On Behalf Of Michael Pailloncy
Sent: Tuesday, July 11, 2017 6:30 PM
To: jenkins...@googlegroups.com
Subject: Re: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

 

By default, the master is configured with "Use this node as much as possible" : http://${JENKINS_URL}/computer/(master)/configure

You can change this behavior with "Only build jobs with label expressions matching this node". In this way, the master can only be used if an explicit allocation (using 'master' label) is done.

 

No sure that it's an ideal solution in your case, since team member can still force the execution on master, but it can prevent accidental/unwanted execution and it's anyway a good idea to avoid build on master.

 

There is also this plugin : https://wiki.jenkins.io/display/JENKINS/Job+Restrictions+Plugin

Seems to fit your needs, but personally not tested.

 

Hope it helps.

 

2017-07-11 20:41 GMT+02:00 Jason LeMauk <jason....@csquaredsystems.com>:

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.

As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.

What is the best way to go about achieving this?

Thanks in advance for any guidance and advice!

--

You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com.
For more options, visit https://groups.google.com/d/optout.

 

--

You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAPO77c2zEbVbJh6D8L1rZCNZ4sa%3Dz9cDFwjr4DEYc8fmTXk2tQ%40mail.gmail.com.

[Daniel Beck]

> On 12. Jul 2017, at 14:52, Jason LeMauk <jason....@csquaredsystems.com> wrote:
>
> the user will have to explicitly specify the ‘Master’ to build on, which will prevent jobs from defaulting to the Master for execution.
>

Well, or have any label expression matching master. Like `!the_agent_that_never_works`.

[Artur Szostak]

I think you cannot do it properly using the project-based authorization strategy. But you should be able to do it with the combination of the following two plugins:
https://wiki.jenkins.io/display/JENKINS/Ownership+Plugin
https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin

I have only recently become aware of this plugin combination and started playing around with it. So if you are willing to change your security model then the best is to look at the documentation. See the section "Restricting executions on agents" from the following:
https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

Cheers

Artur

________________________________________
From: jenkins...@googlegroups.com <jenkins...@googlegroups.com> on behalf of Jason LeMauk <jason....@csquaredsystems.com>
Sent: 11 July 2017 20:41:23
To: jenkins...@googlegroups.com
Subject: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com<mailto:jenkinsci-use...@googlegroups.com>.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com<https://groups.google.com/d/msgid/jenkinsci-users/BY2PR12MB059992ED76D9D6B99481DD7F89AE0%40BY2PR12MB0599.namprd12.prod.outlook.com?utm_medium=email&utm_source=footer>.

[Oleg Nenashev]

Regarding the executions on the master, I believe that Job Restrictions is a right way to do it since it also protects you from Flyweight tasks. I am the plugin creator, so I may be a bit biased though.

I have an example of the master protection here. It is configuration-as-code, but you can do the same in the Web UI. There is also a brief description in my recent JAM talk in Oslo: slides 29-32

Hopefully it helps,

четверг, 20 июля 2017 г., 13:56:25 UTC+3 пользователь Artur Szostak написал:

I think you cannot do it properly using the project-based authorization strategy. But you should be able to do it with the combination of the following two plugins:
https://wiki.jenkins.io/display/JENKINS/Ownership+Plugin
https://wiki.jenkins.io/display/JENKINS/Role+Strategy+Plugin

I have only recently become aware of this plugin combination and started playing around with it. So if you are willing to change your security model then the best is to look at the documentation. See the section "Restricting executions on agents" from the following:
https://github.com/jenkinsci/ownership-plugin/blob/master/doc/OwnershipBasedSecurity.md

Cheers

Artur

________________________________________
From: jenkins...@googlegroups.com <jenkins...@googlegroups.com> on behalf of Jason LeMauk <jason....@csquaredsystems.com>
Sent: 11 July 2017 20:41:23
To: jenkins...@googlegroups.com
Subject: Jenkins Distributed Builds: Restricting users from configuring jobs with Jenkins Master's executors

I currently have a distributed build system in place (1 Jenkins master and several Jenkins Agents). I have an automated backup / backup cleanup job that runs on Jenkins Master. For this reason I need to keep my executors on the Jenkins Master. The rest of my jobs run on specific Jenkins Agents.
As I cannot remove my executors from the Jenkins Master, what is the best way to ensure that no other jobs can be built on Jenkins Master? I am using project-based authorization strategy, and I don’t want a team member who may configure a job selecting the Jenkins Master to build on.
What is the best way to go about achieving this?
Thanks in advance for any guidance and advice!

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com<mailto:jenkinsci-users+unsubscribe@googlegroups.com>.