How to run jenkins's job as a specific user?

Question

Jenkins cluster in my company runs builds as root user. How to configure cluster/build to run as a different user? Without root privileges ?

Answer 1

If you really have no Jenkins root access, but have "own" Jenkins job there - the optimal way would be to execute the Job "as is" by some default account, but inside the job-processing - use other credentials as required (see some hints below). Actually it's not recommended to run Jobs from Jenkins-server root-account, so here your Jenkins-admin might need to do some homework first. AFAIK - in latest Jenkins versions - the Jenkins uses internal "virtual" account per default.

Within your Jenkins job (e.g. within some script) you might use other credentials than the ones of job-executor. For example in Linux you can call commands as different user (see runuser or su - username). In Windows you can use the win32security.LogonUser and win32security.RevertToSelf interfaces (which could be also called from python and other programming languages). Of cause you need corresponding user credentials to do that, but if you haven't them - what is the purpose of the task ;-) ?

To access JIRA/Confluence/SharePoint/etc. you might use predefined PAT of corresponding user(s).

However if you really like to run the Jenkins job as a different user - there are several ways:

• Configure the job to run it from account of user, who has triggered the job (it might happen that arbitrary user doesn't have enough access rights for certain artifacts, so it will be your task - how to ensure that each logged-in user will get proper results)
• Specify to run the job as predefined constant user (different than the Jenkins default job-user).

To achieve it - you might need to install additional plugin(s) on Jenkins. E.g. the plugin "authorize-project" allows to specify concrete user to be used by execution of certain Jenkins-job.

Answer 2

Any agent can be configured to be launched as any user, so do that.

Advise your company Jenkins Admin to change Jenkins immediately to NOT run as root. It does not need root (can be a daemon/service tho) and increases your risk exposure . We use Java Service Wrapper (RUN_AS_USER=jenkins) in Unix. The new windows installer prompts you for the account to use (don't use System despite being the default).

Answer 3

Builds always run under the user that runs the node agent process. So your options are

• Specify a different user for connecting the node, or
• Switch to a different user during the build (e.g., via sudo in a shell build step). This is more flexible, but plugin related-code (like SCM checkout) will still run under the root account.