[FIXED JENKINS-25326] Elevates to SYSTEM when handling throttling in …
…executor threads.
ikedam committed Feb 21, 2016
1 parent d2f6ca4 commit 0923414
Showing 1 changed file with 44 additions and 1 deletion.
@@ -13,6 +13,8 @@
import hudson.model.labels.LabelAtom;
import hudson.model.queue.CauseOfBlockage;
import hudson.model.queue.QueueTaskDispatcher;
import hudson.security.ACL;
import hudson.security.NotSerilizableSecurityContext;

import java.util.List;
import java.util.Set;
@@ -21,11 +23,34 @@
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;

import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

import jenkins.model.Jenkins;

@Extension
public class ThrottleQueueTaskDispatcher extends QueueTaskDispatcher {

@Override
public CauseOfBlockage canTake(Node node, Task task) {
if (Jenkins.getAuthentication() == ACL.SYSTEM) {
return canTakeImpl(node, task);
}

// Throttle-concurrent-builds requires READ permissions for all projects.
SecurityContext orig = SecurityContextHolder.getContext();
NotSerilizableSecurityContext auth = new NotSerilizableSecurityContext();
auth.setAuthentication(ACL.SYSTEM);
SecurityContextHolder.setContext(auth);

try {
return canTakeImpl(node, task);
} finally {
SecurityContextHolder.setContext(orig);
}
}

private CauseOfBlockage canTakeImpl(Node node, Task task) {

ThrottleJobProperty tjp = getThrottleJobProperty(task);

@@ -35,7 +60,7 @@ public CauseOfBlockage canTake(Node node, Task task) {
}

if (tjp!=null && tjp.getThrottleEnabled()) {
CauseOfBlockage cause = canRun(task, tjp);
CauseOfBlockage cause = canRunImpl(task, tjp);
if (cause != null) return cause;

if (tjp.getThrottleOption().equals("project")) {
@@ -124,6 +149,24 @@ private boolean shouldBeThrottled(@Nonnull Task task, @CheckForNull ThrottleJobP
}

public CauseOfBlockage canRun(Task task, ThrottleJobProperty tjp) {
if (Jenkins.getAuthentication() == ACL.SYSTEM) {
return canRunImpl(task, tjp);
}

// Throttle-concurrent-builds requires READ permissions for all projects.
SecurityContext orig = SecurityContextHolder.getContext();
NotSerilizableSecurityContext auth = new NotSerilizableSecurityContext();
auth.setAuthentication(ACL.SYSTEM);
SecurityContextHolder.setContext(auth);

try {
return canRunImpl(task, tjp);
} finally {
SecurityContextHolder.setContext(orig);
}
}

private CauseOfBlockage canRunImpl(Task task, ThrottleJobProperty tjp) {
if (!shouldBeThrottled(task, tjp)) {
return null;
}
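Review bot: The save/elevate/restore sequence for ACL.SYSTEM is written out twice, once in canTake and once in canRun, and each copy builds the NotSerilizableSecurityContext by hand; a privilege change like this is easier to audit when it lives in one place. `SecurityContext orig = ACL.impersonate(ACL.SYSTEM);` followed by the existing `try { … } finally { SecurityContextHolder.setContext(orig); }` does the same work in one line, and a single private helper could serve both methods. The elevation also wraps all of canTakeImpl and canRunImpl rather than only the project lookups that need READ, and canRun is public, so any caller now gets a decision computed with full permissions. I would add a comment above each elevated block such as `// Runs as SYSTEM: only the CauseOfBlockage leaves this scope; it must not name items the caller cannot read.` and confirm the blockage messages honour it; the bodies of canTakeImpl and canRunImpl continue outside the visible hunks, so that part is unverified here.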