When a job executes, it usually needs to access objects in CloudBees CD/RO. For example, a job step command may refer to a parameter value, which is a property associated with the job object. Or a step may invoke ectool to modify properties or any other CloudBees CD/RO state. This process leads to the following types of questions:
- Under which username does the job execute?
  - Procedures always run under the project principal user ID for the project that contains the procedure.
  - If a procedure invokes a subprocedure in another project, that subprocedure runs under its own project’s project principal and the project principal of its calling procedure.
  - When a procedure is running under multiple project principals, its steps can perform any operations that any one of its project principals allows.
- How does CloudBees CD/RO initialize job permissions when the job starts?
  This question pertains to job object permissions. When a job starts, CloudBees CD/RO sets full access control entries on the job for the project principal and the user who launched the job—assuming the job was launched by a user and not a schedule.
- What permissions are needed to abort a job?
  Aborting a job requires the Execute permission on the job. If a job is launched by a user, that user is given all privileges on the job. If a job is launched by a schedule, the schedule’s Execute permissions are copied to the job.
The access control system determines if jobs can be executed:
- For a user to run a job without creating a schedule, the user must have the Execute permission on the top-level procedure being executed.
- To create a schedule to run a procedure, a user must have the Modify permission for the project containing the schedule. After the schedule is created, no additional permissions are required to start jobs using the schedule.
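The principal and job ACL rules above can be checked against a small model when reviewing least privilege across projects. This is an added illustration, not CloudBees CD/RO code: the privilege names, principal names, object paths, and the reading that "copying the schedule's Execute permissions" means each principal with Execute on the schedule gets Execute on the job are all assumptions.

```python
# Added illustration: a toy model of the rules above, not CloudBees CD/RO code.
from dataclasses import dataclass, field

# Assumed privilege names standing in for "full" access on a job.
FULL = frozenset({"read", "modify", "execute", "changePermissions"})

@dataclass
class Job:
    principals: list                          # project principals the job runs under
    acl: dict = field(default_factory=dict)   # principal name -> privileges on the job

def start_job(project_principal, user=None, schedule_executors=()):
    """Initialise job ACLs as described for user launches and schedule launches."""
    job = Job(principals=[project_principal])
    job.acl[project_principal] = set(FULL)
    if user is not None:
        job.acl[user] = set(FULL)             # launching user gets all privileges
    else:
        for name in schedule_executors:       # copy the schedule's Execute entries
            job.acl.setdefault(name, set()).add("execute")
    return job

def enter_subprocedure(job, other_project_principal):
    """A subprocedure in another project runs under both project principals."""
    return job.principals + [other_project_principal]

def step_allowed(principals, grants, obj, privilege):
    """Allowed if any one active principal holds the privilege on obj."""
    return any((obj, privilege) in grants.get(p, set()) for p in principals)

def can_abort(job, name):
    """Aborting needs Execute on the job object."""
    return "execute" in job.acl.get(name, set())

# Constructed sample data: each project principal may modify only its own project.
GRANTS = {"project: build": {("build/artifacts", "modify")},
          "project: deploy": {("deploy/prod-config", "modify")}}

def demo():
    job = start_job("project: build", user="alice")
    inner = enter_subprocedure(job, "project: deploy")
    sched = start_job("project: build", schedule_executors=["ops-team"])
    return {
        "outer_touches_deploy": step_allowed(job.principals, GRANTS, "deploy/prod-config", "modify"),
        "inner_touches_deploy": step_allowed(inner, GRANTS, "deploy/prod-config", "modify"),
        "inner_touches_build": step_allowed(inner, GRANTS, "build/artifacts", "modify"),
        "alice_aborts_own": can_abort(job, "alice"),
        "alice_aborts_sched": can_abort(sched, "alice"),
        "ops_aborts_sched": can_abort(sched, "ops-team"),
    }
```

The model makes two review points visible: a cross-project subprocedure call widens what a step may do to the union of both principals' rights, and a schedule-launched job carries no entry for any launching user.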