Re: Running test cases as different user in Jenkins
Using unix groups looks like the correct approach here. I gave a try. It woks fine. Thanks. Now, since I maintain a centralized jenkins instance that are used by different groups and want to run the test cases as application user(u2, u3, ...) rather than jenkins runtime user (u1). Is there a way I can invoke the maven and ant targets as a different user (u2) than my jenkins run user(u1). In case of shell scripts I can do someting like sudo -u u2 run_script.sh. But I am not able to figure out how to do this for maven and ant steps. On Thursday, 3 July 2014 19:12:11 UTC+5:30, Fritz Elfert wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 07/03/2014 02:23 PM, varun srivastava wrote: > > > Not really a jenkins question. More like a generic Unix question: > "How to share certain directories or files between different users, > where each user shall be able to write/delete" > > Solution: > That's what groups are intended for. > Create a dedicated group for this and make all participating users a > member of this group. Then, give directories rwx permissions for that > group and files at least rw permissions for that group. > > CU > -Fritz > -BEGIN PGP SIGNATURE- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlO1XWoACgkQboM4mAMyprAOpACfUwVSbHkYE2fpnVIHI1wuG1Ba > OBEAoJPZ7gUEsREYIJFaaBBgB4F9Ky7u > =OlDa > -END PGP SIGNATURE- > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
RE: Running test cases as different user in Jenkins
The slave(s) do not need to be launched from the same account that runs the slave. You can run the master as j1, Then create 2 ssh keys and put one as u1 and the other as u2. Only give j1 the private key – then lauch the slaves as u1 and u2 from j1. That way u1 has no access to u2 and u2 has no access to u1. Does that no accomplish what you require? /James From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On Behalf Of varun srivastava Sent: 03 July 2014 14:20 To: jenkinsci-users@googlegroups.com Subject: Re: Running test cases as different user in Jenkins My Jenkins instance is running as u1. Launching a slave as u2 might require some permission to u1. I can get only restricted set of permission for u1 to do anything as u2. I launch my slave using following unix command ssh hostname java -jar /data/jenkins/slave.jar If u1 is granted permission to launch slave as u2 using above command, there is no restriction on what all commands can be launched on the slave which is not desirable. On Thu, Jul 3, 2014 at 6:34 PM, Mark Waite mailto:mark.earl.wa...@gmail.com>> wrote: Maybe I stated poorly what I was suggesting. Don't allow u1 to sudo to u2 and don't allow u2 to sudo to u1. Create two separate jobs, one that runs as user u1 on the slave that is running as u1, and the other that runs as user u2 on the slave running as u2. Use "copy artifacts" or a similar technique to copy from the u1 job to the u2 job so that the files in the u2 job will always be owned by user u2. Mark Waite On Thu, Jul 3, 2014 at 6:57 AM, varun srivastava mailto:varun.itbh...@gmail.com>> wrote: Thanks Mark, But running the slave node as u2 would mean that u1 can run any command as u2 (equivalent to giving complete sudo permission for u2). I have restriction that u1 can sudo as u2 only for running test command/script. On Thu, Jul 3, 2014 at 6:23 PM, Mark Waite mailto:mark.earl.wa...@gmail.com>> wrote: Could you change the requirements a little to simplify? For example, what if you had a slave that was running as user "u2" and performed all its work as user "u2". It could copy the build results from the job which had been performed as user "u1", then execute the tests as user "u2". Mark Waite On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava mailto:varun.itbh...@gmail.com>> wrote: Hi, I have a centralized jenkins setup run as user u1. Different projects are set up on this instance. For running some testcases in some project, application user u2 permission is required. So I have granted permission to u1 to sudo as u2 only for running the test script/command. For example u1 can sudo -u u2 run_test.sh Now the problem is that the workspace is checked out as u1 but the test output files are generated with owner as u2. So I am not able to clean up the workspace as it contains files owned by both u1 and u2 and my cleanup plugin is run as u1. Does any one has any solution for setting this up or do we have a plugin that can clean up the workspace as different user. Summarizing the requirement : 1. Run jenkins as u1 2. Checkout and build project as u1. 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 only for running restricted set of commands. 4. Able to clean up the workspace post build properly (that may contain files owned by both u1 and u2) Thanks, Varun -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>. For more options, visit https://groups.google.com/d/optout. -- Thanks! Mark Waite -- You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe. To unsubscribe from this group and all its topics, send an email to jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>. For more options, visit https://groups.google.com/d/optout. -- Thanks, Varun Kr Srivastava mobile- +91976033 -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com<mailto:jenkinsci-users+unsubscr...@googlegroups.com>. For more options, visit https://groups.google.com/d/optout. -- Thanks! Mark Waite -- You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group. To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubsc
Re: Running test cases as different user in Jenkins
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 07/03/2014 02:23 PM, varun srivastava wrote: Not really a jenkins question. More like a generic Unix question: "How to share certain directories or files between different users, where each user shall be able to write/delete" Solution: That's what groups are intended for. Create a dedicated group for this and make all participating users a member of this group. Then, give directories rwx permissions for that group and files at least rw permissions for that group. CU -Fritz -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlO1XWoACgkQboM4mAMyprAOpACfUwVSbHkYE2fpnVIHI1wuG1Ba OBEAoJPZ7gUEsREYIJFaaBBgB4F9Ky7u =OlDa -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: Running test cases as different user in Jenkins
My Jenkins instance is running as u1. Launching a slave as u2 might require some permission to u1. I can get only restricted set of permission for u1 to do anything as u2. I launch my slave using following unix command ssh hostname java -jar /data/jenkins/slave.jar If u1 is granted permission to launch slave as u2 using above command, there is no restriction on what all commands can be launched on the slave which is not desirable. On Thu, Jul 3, 2014 at 6:34 PM, Mark Waite wrote: > Maybe I stated poorly what I was suggesting. > > Don't allow u1 to sudo to u2 and don't allow u2 to sudo to u1. Create two > separate jobs, one that runs as user u1 on the slave that is running as u1, > and the other that runs as user u2 on the slave running as u2. Use "copy > artifacts" or a similar technique to copy from the u1 job to the u2 job so > that the files in the u2 job will always be owned by user u2. > > Mark Waite > > > On Thu, Jul 3, 2014 at 6:57 AM, varun srivastava > wrote: > >> Thanks Mark, >> >> But running the slave node as u2 would mean that u1 can run any command >> as u2 (equivalent to giving complete sudo permission for u2). I have >> restriction that u1 can sudo as u2 only for running test command/script. >> >> >> On Thu, Jul 3, 2014 at 6:23 PM, Mark Waite >> wrote: >> >>> Could you change the requirements a little to simplify? >>> >>> For example, what if you had a slave that was running as user "u2" and >>> performed all its work as user "u2". It could copy the build results from >>> the job which had been performed as user "u1", then execute the tests as >>> user "u2". >>> >>> Mark Waite >>> >>> >>> On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava < >>> varun.itbh...@gmail.com> wrote: >>> Hi, I have a centralized jenkins setup run as user u1. Different projects are set up on this instance. For running some testcases in some project, application user u2 permission is required. So I have granted permission to u1 to sudo as u2 only for running the test script/command. For example u1 can sudo -u u2 run_test.sh Now the problem is that the workspace is checked out as u1 but the test output files are generated with owner as u2. So I am not able to clean up the workspace as it contains files owned by both u1 and u2 and my cleanup plugin is run as u1. Does any one has any solution for setting this up or do we have a plugin that can clean up the workspace as different user. Summarizing the requirement : 1. Run jenkins as u1 2. Checkout and build project as u1. 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 only for running restricted set of commands. 4. Able to clean up the workspace post build properly (that may contain files owned by both u1 and u2) Thanks, Varun -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout. >>> >>> >>> >>> -- >>> Thanks! >>> Mark Waite >>> >>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "Jenkins Users" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe >>> . >>> To unsubscribe from this group and all its topics, send an email to >>> jenkinsci-users+unsubscr...@googlegroups.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> Thanks, >> >> Varun Kr Srivastava >> mobile- +91976033 >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to jenkinsci-users+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Thanks! > Mark Waite > > -- > You received this message because you are subscribed to a topic in the > Google Groups "Jenkins Users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Thanks, Varun Kr Srivastava mobile- +91976033 -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: Running test cases as different user in Jenkins
Maybe I stated poorly what I was suggesting. Don't allow u1 to sudo to u2 and don't allow u2 to sudo to u1. Create two separate jobs, one that runs as user u1 on the slave that is running as u1, and the other that runs as user u2 on the slave running as u2. Use "copy artifacts" or a similar technique to copy from the u1 job to the u2 job so that the files in the u2 job will always be owned by user u2. Mark Waite On Thu, Jul 3, 2014 at 6:57 AM, varun srivastava wrote: > Thanks Mark, > > But running the slave node as u2 would mean that u1 can run any command as > u2 (equivalent to giving complete sudo permission for u2). I have > restriction that u1 can sudo as u2 only for running test command/script. > > > On Thu, Jul 3, 2014 at 6:23 PM, Mark Waite > wrote: > >> Could you change the requirements a little to simplify? >> >> For example, what if you had a slave that was running as user "u2" and >> performed all its work as user "u2". It could copy the build results from >> the job which had been performed as user "u1", then execute the tests as >> user "u2". >> >> Mark Waite >> >> >> On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava > > wrote: >> >>> Hi, >>> >>> I have a centralized jenkins setup run as user u1. Different projects >>> are set up on this instance. For running some testcases in some project, >>> application user u2 permission is required. So I have granted permission to >>> u1 to sudo as u2 only for running the test script/command. For example u1 >>> can sudo -u u2 run_test.sh >>> Now the problem is that the workspace is checked out as u1 but the test >>> output files are generated with owner as u2. So I am not able to clean up >>> the workspace as it contains files owned by both u1 and u2 and my cleanup >>> plugin is run as u1. >>> >>> Does any one has any solution for setting this up or do we have a plugin >>> that can clean up the workspace as different user. >>> >>> Summarizing the requirement : >>> >>> 1. Run jenkins as u1 >>> 2. Checkout and build project as u1. >>> 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 >>> only for running restricted set of commands. >>> 4. Able to clean up the workspace post build properly (that may contain >>> files owned by both u1 and u2) >>> >>> Thanks, >>> Varun >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Jenkins Users" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to jenkinsci-users+unsubscr...@googlegroups.com. >>> >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> Thanks! >> Mark Waite >> >> -- >> You received this message because you are subscribed to a topic in the >> Google Groups "Jenkins Users" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe >> . >> To unsubscribe from this group and all its topics, send an email to >> jenkinsci-users+unsubscr...@googlegroups.com. >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Thanks, > > Varun Kr Srivastava > mobile- +91976033 > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Thanks! Mark Waite -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: Running test cases as different user in Jenkins
Thanks Mark, But running the slave node as u2 would mean that u1 can run any command as u2 (equivalent to giving complete sudo permission for u2). I have restriction that u1 can sudo as u2 only for running test command/script. On Thu, Jul 3, 2014 at 6:23 PM, Mark Waite wrote: > Could you change the requirements a little to simplify? > > For example, what if you had a slave that was running as user "u2" and > performed all its work as user "u2". It could copy the build results from > the job which had been performed as user "u1", then execute the tests as > user "u2". > > Mark Waite > > > On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava > wrote: > >> Hi, >> >> I have a centralized jenkins setup run as user u1. Different projects are >> set up on this instance. For running some testcases in some project, >> application user u2 permission is required. So I have granted permission to >> u1 to sudo as u2 only for running the test script/command. For example u1 >> can sudo -u u2 run_test.sh >> Now the problem is that the workspace is checked out as u1 but the test >> output files are generated with owner as u2. So I am not able to clean up >> the workspace as it contains files owned by both u1 and u2 and my cleanup >> plugin is run as u1. >> >> Does any one has any solution for setting this up or do we have a plugin >> that can clean up the workspace as different user. >> >> Summarizing the requirement : >> >> 1. Run jenkins as u1 >> 2. Checkout and build project as u1. >> 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 >> only for running restricted set of commands. >> 4. Able to clean up the workspace post build properly (that may contain >> files owned by both u1 and u2) >> >> Thanks, >> Varun >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Jenkins Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to jenkinsci-users+unsubscr...@googlegroups.com. >> >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Thanks! > Mark Waite > > -- > You received this message because you are subscribed to a topic in the > Google Groups "Jenkins Users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/jenkinsci-users/mW2Dq0wbzWU/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Thanks, Varun Kr Srivastava mobile- +91976033 -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: Running test cases as different user in Jenkins
Could you change the requirements a little to simplify? For example, what if you had a slave that was running as user "u2" and performed all its work as user "u2". It could copy the build results from the job which had been performed as user "u1", then execute the tests as user "u2". Mark Waite On Thu, Jul 3, 2014 at 6:23 AM, varun srivastava wrote: > Hi, > > I have a centralized jenkins setup run as user u1. Different projects are > set up on this instance. For running some testcases in some project, > application user u2 permission is required. So I have granted permission to > u1 to sudo as u2 only for running the test script/command. For example u1 > can sudo -u u2 run_test.sh > Now the problem is that the workspace is checked out as u1 but the test > output files are generated with owner as u2. So I am not able to clean up > the workspace as it contains files owned by both u1 and u2 and my cleanup > plugin is run as u1. > > Does any one has any solution for setting this up or do we have a plugin > that can clean up the workspace as different user. > > Summarizing the requirement : > > 1. Run jenkins as u1 > 2. Checkout and build project as u1. > 3. Run test cases as u2. Note that u1 will have permission to sudo as u2 > only for running restricted set of commands. > 4. Able to clean up the workspace post build properly (that may contain > files owned by both u1 and u2) > > Thanks, > Varun > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- Thanks! Mark Waite -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
