'build on slave' permission ?


K96

Aug 4, 2011, 9:07:10 AM
to Jenkins Users
Hi, everyone.
Sorry if I misunderstood and it's a FAQ, but ..

I wonder why Jenkins does not have a permission
like 'build on a specified slave' even under project-based access
control.

'Build on a slave' nearly means, 'log-in to a slave as a specified OS
account for that slave'
and 'run my build script'.
So job authors can do anything permitted to that slave's OS account,
for example, '/bin/rm -rf ~/*'.

Of course, malicious attack from inside Jenkins users is out of the
question
even under project-based access control,
but their build scripts may often contain mistakes; for example, they
write a script like
'/bin/rm ~/$MY_TEMP/*' but MY_TEMP might be "".
It's very dangerous to other teams using their own slaves.

Am I wrong ?

So I believe a kind of permission to 'build on a specified slave'
is a MUST when different teams use a common Jenkins master under
project-based access control.

The subject of the permission should be 'job's, not people executing
the job.
I suppose, easy and simple solution for that issue is:

* setting a credential like a password for each slave which should
not be used by other teams
* every job which wants to use the above slaves should set the above
credential for each slave as its job configuration
* Jenkins should reject job execution at run-time, when each
candidate slave requires its credential but the job cannot provide any
credential for each candidate slave requiring its credential.

Regards,
K96
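
The empty-variable case from the post above, with a guarded cleanup routine, as an added example that is not part of the original thread. The function name `clean_temp` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): guard a build-script cleanup so that an
# empty or unset variable can never widen the delete to the whole home directory.
#
# clean_temp BASE SUBDIR  -> removes the contents of BASE/SUBDIR, or refuses.
# Returns 0 on success, 2 when SUBDIR is empty or unsafe, 3 when the target is
# missing or resolves outside BASE (for example through a symlink).
clean_temp() {
    base=$1
    sub=$2

    # Empty value: this is the '~/$MY_TEMP/*' -> '~//*' case from the post.
    if [ -z "$sub" ]; then
        echo "clean_temp: subdirectory name is empty, refusing" >&2
        return 2
    fi

    # Reject absolute paths and any '..' component.
    case "$sub" in
        /*|..|../*|*/..|*/../*)
            echo "clean_temp: unsafe subdirectory '$sub', refusing" >&2
            return 2 ;;
    esac

    # Resolve both paths physically so a symlink cannot redirect the delete.
    real_base=$(cd "$base" 2>/dev/null && pwd -P) || return 3
    real_target=$(cd "$base/$sub" 2>/dev/null && pwd -P) || return 3

    # The target must be strictly below the base, never the base itself.
    case "$real_target" in
        "$real_base"/*) ;;
        *)
            echo "clean_temp: '$real_target' is not under '$real_base'" >&2
            return 3 ;;
    esac

    # Delete the contents (dotfiles included) but keep the directory itself.
    (cd "$real_target" && find . ! -name . -prune -exec rm -rf -- {} +)
}

# Typical call in a build step; ${MY_TEMP:-} keeps 'set -u' scripts working:
#   clean_temp "$HOME" "${MY_TEMP:-}" || exit 1
```

This limits accidental damage inside one OS account only; it does not stop a job from running on a slave where it does not belong.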

Martin B.

Aug 4, 2011, 11:17:47 AM
to jenkins...@googlegroups.com
On 04.08.2011 15:07, K96 wrote:
> Hi, everyone.
> Sorry if I misunderstood and it's a FAQ, but ..
>
> I wonder why Jenkins does not have a permission
> like 'build on a specified slave' even under project-based access
> control.
>
> 'Build on a slave' nearly means, 'log-in to a slave as a specified OS
> account for that slave'
> and 'run my build script'.
> So job authors can do anything permitted to that slave's OS account,
> for example, '/bin/rm -rf ~/*'.
>
> Of course, malicious attack from inside Jenkins users is out of the
> question
> even under project-based access control,
> but their build scripts may often contain mistakes; for example, they
> write a script like
> '/bin/rm ~/$MY_TEMP/*' but MY_TEMP might be "".
> It's very dangerous to other teams using their own slaves.
>
> Am I wrong ?
>
> So I believe a kind of permission to 'build on a specified slave'
> is a MUST when different teams use a common Jenkins master under
> project-based access control.
>

The slave labels should accomplish this, no?
It's not waterproof, but as long as everyone cooperates, setting the
correct labels on the correct jobs and slaves should do the trick of
keeping the jobs off those slaves where they don't belong, no?

cheers,
Martin

K96

Aug 5, 2011, 6:45:02 AM
to Jenkins Users
Thanks for your comment.

But as far as I know, slave labels don't work for our purpose.
We need to prevent jobs from being built on slaves not authorized for
them.

For example, job authors may forget to set correct labels on their
jobs,
or even forget to enable the 'restrict slaves' option by accident.

We believe our Jenkins users are not malicious, but they often
make mistakes.
So we can't expect everyone to cooperate completely and invariably.

On the contrary, setting permitted jobs on protected slaves seems
useful.

Thanks,
K96

Les Mikesell

Aug 5, 2011, 8:43:25 AM
to jenkins...@googlegroups.com
On 8/5/11 5:45 AM, K96 wrote:

> But as far as I know, slave labels don't work for our purpose.
> We need to prevent jobs from being built on slaves not authorized for
> them.

If you don't trust users to create jobs properly, don't let them create jobs.

> For example, job authors may forget to set correct labels on their
> jobs,
> or even forget to enable 'restrict slaves' option by accident.

Set the 'leave this machine for tied jobs only' configuration option on all of
the slaves so you have to set a label or it won't build. Also, people learn
fairly quickly in an environment where there is a mix of OS versions in the
slave pool.

--
Les Mikesell
lesmi...@gmail.com

K96

Aug 6, 2011, 3:43:36 AM
to Jenkins Users
> Set the 'leave this machine for tied jobs only' configuration option on all of
> the slaves so you have to set a label or it won't build.

I get it! We will try this setting.
I wasn't able to find this option.

Thanks very much!
K96