Have the scheduling algorithm honor the permissions

ada4a216 · Kohsuke Kawaguchi · 6d8723a9 · ada4a216 · ada4a216 · ada4a216
4 changed file
--- a/core/src/main/java/hudson/model/Node.java
+++ b/core/src/main/java/hudson/model/Node.java
@@ -62,6 +62,7 @@ import javax.annotation.CheckForNull;
 import jenkins.model.Jenkins;
 import jenkins.util.io.OnMaster;
 import net.sf.json.JSONObject;
+import org.acegisecurity.Authentication;
 import org.jvnet.localizer.Localizable;
 import org.kohsuke.stapler.BindInterceptor;
 import org.kohsuke.stapler.Stapler;
@@ -326,6 +327,13 @@ public abstract class Node extends AbstractModelObject implements Reconfigurable
        if(l==null && getMode()== Mode.EXCLUSIVE)
            return CauseOfBlockage.fromMessage(Messages._Node_BecauseNodeIsReserved(getNodeName()));   // this node is reserved for tasks that are tied to it

+        Authentication identity = item.task.getIdentity();
+        if (!getACL().hasPermission(identity,AbstractProject.BUILD)) {
+            // doesn't have a permission
+            // TODO: does it make more sense to define a separate permission?
+            return CauseOfBlockage.fromMessage(Messages._Node_LackingBuildPermission(identity.getName(),getNodeName()));
+        }
+
        // Check each NodeProperty to see whether they object to this node
        // taking the task
        for (NodeProperty prop: getNodeProperties()) {

--- a/core/src/main/java/hudson/model/queue/MappingWorksheet.java
+++ b/core/src/main/java/hudson/model/queue/MappingWorksheet.java
@@ -25,6 +25,7 @@ package hudson.model.queue;

 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.Iterables;
+import hudson.model.AbstractProject;
 import hudson.model.Computer;
 import hudson.model.Executor;
 import hudson.model.Label;
@@ -35,6 +36,7 @@ import hudson.model.Queue.Executable;
 import hudson.model.Queue.JobOffer;
 import hudson.model.Queue.Task;
 import hudson.model.labels.LabelAssignmentAction;
+import hudson.security.ACL;

 import java.util.AbstractList;
 import java.util.ArrayList;
@@ -57,7 +59,7 @@ import static java.lang.Math.*;
 * which determines where each {@link SubTask} gets executed.
 *
 * <p>
- * This mapping is done under two constraints:
+ * This mapping is done under the following constraints:
 *
 * <ul>
 * <li>
@@ -65,6 +67,9 @@ import static java.lang.Math.*;
 * See {@link SubTask#getSameNodeConstraint()}
 * <li>
 * Label constraint. {@link SubTask}s can specify that it can be only run on nodes that has the label.
+ * <li>
+ * Permission constraint. {@link SubTask}s have {@linkplain SubTask#getIdentity() identities} that need to have
+ * permissions to build on the node.
 * </ul>
 *
 * <p>
@@ -111,6 +116,7 @@ public class MappingWorksheet {
        public final int index;
        public final Computer computer;
        public final Node node;
+        public final ACL nodeAcl;

        private ExecutorChunk(List<ExecutorSlot> base, int index) {
            super(base);
@@ -118,14 +124,25 @@ public class MappingWorksheet {
            assert !base.isEmpty();
            computer = base.get(0).getExecutor().getOwner();
            node = computer.getNode();
+            nodeAcl = node.getACL();
        }

        /**
         * Is this executor chunk and the given work chunk compatible? Can the latter be run on the former?
         */
        public boolean canAccept(WorkChunk c) {
-            return this.size() >= c.size()
-                && (c.assignedLabel==null || c.assignedLabel.contains(node));
+            if (this.size()<c.size())
+                return false;   // too small compared towork
+
+            if (c.assignedLabel!=null && !c.assignedLabel.contains(node))
+                return false;   // label mismatch
+
+            for (SubTask task : c) {
+                if (!nodeAcl.hasPermission(task.getIdentity(), AbstractProject.BUILD))
+                    return false;   // tasks don't have a permission to run on this node
+            }
+
+            return true;
        }

        /**
@@ -154,6 +171,9 @@ public class MappingWorksheet {
        }
    }

+    /**
+     * {@link SubTask}s that need to run on the same node.
+     */
    public class WorkChunk extends ReadOnlyList<SubTask> {
        public final int index;


--- a/core/src/main/java/hudson/model/queue/SubTask.java
+++ b/core/src/main/java/hudson/model/queue/SubTask.java
@@ -32,6 +32,7 @@ import hudson.model.ResourceActivity;
 import hudson.security.ACL;
 import org.acegisecurity.Authentication;

+import javax.annotation.Nonnull;
 import java.io.IOException;

 /**
@@ -97,5 +98,5 @@ public interface SubTask extends ResourceActivity {
     * @since 1.520
     * @see Tasks#getIdentityOf(SubTask)
     */
-    Authentication getIdentity();
+    @Nonnull Authentication getIdentity();
 }
--- a/core/src/main/resources/hudson/model/Messages.properties
+++ b/core/src/main/resources/hudson/model/Messages.properties
@@ -186,6 +186,7 @@ ManageJenkinsAction.DisplayName=Manage Jenkins
 MultiStageTimeSeries.EMPTY_STRING=
 Node.BecauseNodeIsReserved={0} is reserved for jobs tied to it
 Node.LabelMissing={0} doesn''t have label {1}
+Node.LackingBuildPermission={0} doesn''t have a permission to run on {1}
 Queue.AllNodesOffline=All nodes of label ''{0}'' are offline
 Queue.BlockedBy=Blocked by {0}
 Queue.HudsonIsAboutToShutDown=Jenkins is about to shut down