tlacroix

Reputation: 21

Jenkins Role-Based Strategy for agent builds

I have a Jenkins setup with master and slaves, and I'm using the Role Strategy Plugin to manage authorisations for my users. My goal is to allow only specific users to build on specific nodes.

I have a dev global role giving overall read permission and job read permission, I have a dev project role that gives all permissions on Jobs (in the dev folder), and a dev slave role that gives build permissions on agents (=slaves) with names following the pattern dev(.*). To summarise: [screenshot: Project role] [screenshot: Slave role]

When I assign a user to the three roles, the user can build jobs on all nodes, like dev01 and prod01. This is a problem, as I don't want my dev users to build on production slaves. Removing the slave role from the user seems to have similar effects.

I then tried to remove the job build permission from the project role, but then my user can't build any job at all.

Any idea how to accomplish my goal using this plugin? I know I can use another plugin like the Job Restrictions Plugin, but I want to keep the configuration in one place with role-based strategy, as it seems to support this.

Upvotes: 0

Views: 2258

Answers (1)

Alex O

Reputation: 8164

The role-strategy plugin does not provide the functionality to restrict certain projects to a set of slaves. We developed an in-house plugin to handle that on top of role-strategy -- if the Job Restrictions Plugin fits your need, then just use that.

Another option is the Folder Plus plugin, but that's part of the commercial CloudBees Jenkins solution. With that, you can restrict folders of jobs to specific slaves.

Depending on your setup, it may be wise to avoid the role-strategy plugin altogether, since it does not scale well in larger environments. Separating teams by dedicated Jenkins masters may look awkward in the beginning, but scales well and helps to avoid many problems later on.

Upvotes: 0
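
Added example, not part of the answer above and not code from any of the plugins mentioned: a read-only Jenkins Script Console check that lists freestyle-style jobs under the dev folder whose label can resolve to agents outside the dev(.*) naming pattern. The folder name and pattern come from the question; treating the pattern as a full-match regex and the variable names are assumptions.

```groovy
// Read-only audit for Manage Jenkins > Script Console (added example).
import hudson.model.AbstractProject
import hudson.model.Node
import java.util.regex.Pattern
import jenkins.model.Jenkins

// Assumptions taken from the question: jobs live in the "dev" folder,
// dev agents are named dev(.*), and the pattern must match the whole name.
String folderPrefix = 'dev/'
Pattern allowedAgents = Pattern.compile('dev(.*)')

Jenkins jenkins = Jenkins.get()
int findings = 0

// Only AbstractProject types (freestyle, Maven, matrix) carry an assigned
// label. Pipeline jobs choose their agent in the Jenkinsfile and are not
// covered by this check.
jenkins.getAllItems(AbstractProject)
       .findAll { it.fullName.startsWith(folderPrefix) }
       .each { job ->
    def label = job.assignedLabel

    // No label: every agent in NORMAL usage mode may pick up the build.
    // With a label: every node currently carrying that label is a candidate.
    def candidates = (label != null)
        ? label.nodes
        : jenkins.nodes.findAll { it.mode == Node.Mode.NORMAL }

    // The built-in node reports an empty name; show it explicitly.
    def outside = candidates
        .collect { it.nodeName ?: '(built-in)' }
        .findAll { !allowedAgents.matcher(it).matches() }
        .sort()

    if (outside) {
        findings++
        println "${job.fullName} [label: ${label ?: 'none'}] can run on: ${outside.join(', ')}"
    }
}

println "${findings} job(s) under '${folderPrefix}' can be scheduled outside ${allowedAgents.pattern()}"
```

The script changes nothing; it only reports where the scheduler may place builds given the current labels and agent usage modes.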
