Restrict a build step for a job name or user - jenkins

Is there a way to restrict a build step for a user. I have added a build step using the templates plugin, this template is for the deployment.
I do not want any users who has access to create a job or modify a job to be able to use this build step. The new build step that has been added should only be used by the the administrator.

If people can modifying Job configuration, they can get around any limitation you would place.
If your step can be executed post-build, I suggest to take a look at Promoted Builds plugin. The promotions can be configured to be limited to certain users only. But again, if a user has ability to change job configuration, they can overcome that easily.
The only way I can think of, is to have an external script (or preferably a compiled program than cannot be simply "read" with text editor) that is expecting a password that only you now, before executing whatever secret stuff that you want.

Related

How to select password from dropdown and pass it as parameter to jenkins job?

I have a problem. I use Jenkins to deploy application on machines. Depending on which machine i want to deploy new version I need to use different database passwords to run db migrations. I want to store credentials in Jenkins and for each deploy job select credentials set from dropdown which will be passed (just password ) to powershell script. I have Credentials Binding Plugin and Extended Choice Parameter Plugin. I thought it might help me with my problem, but I cannot find solution for this. Do you have any ideas how to achieve this?
As I understand, you need only to do two things:
add Credential Parameter in This project is parameterized section for possibility to select credentials set from dropdown.
enable Use secret text(s) or file(s) option in Build Environment section. This will allow you to take credentials of various sorts and use them from shell build steps and the like. Each binding will define an environment variable.
If you have already created Jenkins credentials like these:
then you will be available to run your job using Build with Parameters button and select needed credentials:
So, after configuring, you don't need to dig in job configuration each time, all possible credentials will be automatically loaded, you need only select the needed one when run a job.

Modify notifications on a running build in jenkins

I occasionally want to get notified when a particular jenkins job that is building finishes. Is there any way to do this?
Scripting it through the API would be fine. I already have the jenkins IRC bot that notifies me of many things, so if I could just dynamically modify the running job build, that would be enough to do what I want -- I'm just having a hard time finding how to accomplish that.
AFAIK, you cannot change a job's config while it's running.
Here is an idea: Use a post-build step to check for an external resource status (like a file containing an action by text) and running an action based on the content of the file.
The external file can be modified while the build is running, so when the post-build is executed, it will follow the logic defined based on the content of the file.
I hope this helps.
You can use email notifier, It will send you an email
https://wiki.jenkins-ci.org/display/JENKINS/Email-ext+plugin

How to post jenkins job result in jira?

I am running jobs in Jenkins. I want to share the Jenkins job result in Jira. I have tried various plugins but failed to achieve my objective.
https://wiki.jenkins-ci.org/display/JENKINS/JIRA+Plugin
If you also want to use this feature, you need to supply a valid user id/password. If you need the comment only to be visible to a certain JIRA group, e.g. Software Development, enter the groupname.
Now you also need to configure jobs. I figured you might not always have write access to the JIRA (say you have a Jenkins build for one of the Apache commons project that you depend on), so that's why this is optional.

Jenkins pipeline: How to prompt "Do you really want to build?"

We are using Jenkins with Pipeline Jobs and of course the awesome Jenkinsfile.
Twice now a developer accidentally clicked on the build button, which ended up causing a bit of chaos. I am trying to figure out if it is possible to have something like a popup that asks "Do you really want to start this build?".
Any ideas on this user related issue are welcome.
Have a look at the article Controlling the Flow with Stage, Lock, and Milestone in the Jenkins blog, which covers a bit more than only asking for confirmation.
Essentially, there is the input step, which requires user input to continue pipeline execution.
The problem with the input step as suggested by StephenKing is that you won't be able to run the build automatically anymore as it will always ask for the user to confirm the input step manually. This prevents "automatic builds" triggered e.g. by webhooks or CRON jobs.
One workaround is to have a timeout and the build is triggered if the timeout is over. Like that, a user can at least abort an unintended build. But this leads to significantly longer build times.
What we did in my old company was, that we created a so called "parametrized" build, which had a simple checkbox "Do you really want to build this job" that resulted in a flag REALLY_BUILD as an environment variable. You can then ask for ${REALLY_BUILD}==1 in the Jenkinsfile. Every time a developer triggers a build, he has to check the box, otherwise the build will not start / immediately stop.
When you trigger your job via a webhook, you can pass a parameter REALLY_BUILD as an URL parameter (see this comment in the Jenkins tracker) and access it in the Jenkinsfile as before.
Here is another resource for how to use parameters in Pipelines.

Disabling and enabling jobs in jenkins

Currently in order to enable or disable a job, a user must have Job Configure permissions in the Matrix-based security configuration.We would like to be able to manage the enable / disable job permission independently from the job configure permission.
There are some nightly jobs that we want every user to be able to enable and disable the project without touching/breaking the configuration.
Thanks
Provide a script for the users that will do this using the credentials of 'root' user and set only the execute bit on the script so that no one can read/copy it.
At least 3 ways to make a script:
HTTP POST request:
1.
curl -X POST http(s)://<your_jenkins_url>/jenkins/job/<nightly-build_job_name>/disable
2.
Use python JenkinsAPI.
Documentation is very good, easy to understand much like the API.
3.
The third one can be a script which will use jenkins-cli: accepted answer describes this well .
The Job Configure permission is bounded to the disable/enable function in each job, that's true.
One alternative to disable/enable jobs without the corresponding permission is to create new jobs which do this internally. For example, a job that needs job names as parameters, and disables them.
You could use curl + credentials of a Jenkins user with the Job Configure permission.
You could use plugins. For example, this script using the Job DSL Plugin:
job("jobname"){
using("jobname")
disabled(true)
}
For other options, check out this question.
You may try to install this plugin to get the enable/disable button for the individual project-
I checked in my Jenkins and I could see this:
But when I checked under plugins section I don't see this extra column plugin installed. Probably this is the default behavior in latest versions of Jenkins.

Resources