Assigning agents to a specific user as "Agent Administrator"

Hello,

We have one bc (build configuration) that must behave differently depending on who's initiating the build.
To solve this, a concept of "Agent Administrator" may be necessary. Let me explain.

In our environment, we have Public Agents and Private Agents.

Public Agents run as an "agentUser" of the system, and have the "run configuration policy" of "Run all compatible configurations".
Private Agents run as an "agentAdmin" of the system, and have the "run configuration policy" of "Run selected configurations only".

We have a bc that performs InstallShield packaging, and digital signing.
Both Developers and SCM need to perform packaging.
However, digital signing must not be available to Developers.

In an ideal world, I would create a bc for packaging and a bc for signing. Unfortunately, signing is an integral part of packaging and cannot be separated.

Under current TeamCity, we must either
     1. have a duplicate set of bcs, one for Public Agents and the other for Private Agents, or
     2. modify the "compatible configurations" checkboxes many times throughout the day.
As you can imagine, neither is desirable.

I think this problem would be solved if there was a new role "Agent Administrator". Here's a short use case:

0. Build configuration "Package & Sign" is not allowed to run on "Private Agent 1", as specified by "run configuration policy".
1-1. "SCM" user is an "Agent Administrator" of "Private Agent 1".
1-2. "SCM" user opens a custom build dialog by clicking "...".
1-3. Under "Agent" drop down menu, "SCM" user is presented with "Private Agent 1" with a clear marking that "Private Agent 1" is not specified as an allowed bc under "run configuration policy".
1-4. "SCM" user selects "Private Agent 1" and runs the build.
2-1. "Developer" user is not an "Agent Administrator" of "Private Agent 1".
2-2. "Developer" user opens a custom build dialog by clicking "...".
2-3. Under "Agent" drop down menu, "Developer" user is NOT presented with "Private Agent 1".


"Agent Administrator" role can work much like Project Administrator. Consider an agent to be a project, whose management rights can be assigned to different users.


I would appreciate your input.

Thanks,
Calvin
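
The use case in the post above, modelled as an added sketch (not TeamCity code and not part of the original post; the "Agent Administrator" role is the proposed feature, and every class, function and field name here is hypothetical). It computes the agent list for the custom build dialog and repeats the same decision at queue time, since hiding an agent in the drop down does not by itself stop a build from being sent to it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Agent:
    name: str
    run_as: str                          # OS account running the agent service
    policy: str                          # "all" or "selected"
    selected: frozenset = frozenset()    # configs allowed when policy == "selected"
    admins: frozenset = frozenset()      # hypothetical "Agent Administrator" users


def allowed_by_policy(agent, config):
    """Step 0: the agent's run configuration policy, independent of the user."""
    return agent.policy == "all" or config in agent.selected


def agent_choices(user, config, agents):
    """Agents offered in the custom build dialog as (name, policy_override)."""
    choices = []
    for agent in agents:
        if allowed_by_policy(agent, config):
            choices.append((agent.name, False))
        elif user in agent.admins:
            # Step 1-3: shown to the Agent Administrator, clearly marked
            choices.append((agent.name, True))
        # Step 2-3: otherwise the agent is not listed at all
    return choices


def authorize_run(user, config, agent):
    """Same decision enforced when the build is queued (default deny)."""
    return allowed_by_policy(agent, config) or user in agent.admins


# Constructed sample data mirroring the post
AGENTS = [
    Agent("Public Agent 1", "agentUser", "all"),
    Agent("Private Agent 1", "agentAdmin", "selected",
          selected=frozenset(), admins=frozenset({"SCM"})),
]

if __name__ == "__main__":
    for who in ("SCM", "Developer"):
        print(who, agent_choices(who, "Package & Sign", AGENTS))
```
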

5 comments

Calvin,

Sorry for the delay in replying.

Thank you for the thorough description of the case.

Looks like this can be filed as a feature to add a new permission: "Can run builds on any agent".
However, the initial goal for "compatible configurations" for the agent was not security, but rather logical resources structuring, so the exact approach might not align well with the features already in place.
We have a request to introduce agent-scoped permissions, but it is not very popular so far.

Also, the downside of the approach described seems to be that you will need to analyze the current agent in your build script and either perform packaging or packaging+signing based on the agent it runs under. Moreover, the builds will look very much alike in the builds history.

All in all, having a single template and two different build configurations (one for packaging and one for signing_packaging) different only in several settings and agent requirements seems to be a not so bad workaround so far.


Thanks Yegor. The use of the template sounds like a decent work-around for now.
However, please seriously consider implementing an Agent Administrator role.

Generally speaking, "who you are" is a big factor in authentication. In TeamCity, the user who runs TeamCity Agent Service on an agent (different from the user who initiates the build from UI) represents the real identity of a build configuration.

This means that an Agent must be considered a user+machine combo, not just a machine.

In current TeamCity (as of 6.1), there isn't an easy way to tie the user who initiates the build with the user running the Agent Service.
Agent Administrator role will fill that gap.

Thanks for the amazing tool.


Here are several related issues in the issue tracker:
TW-3670 - Separate permission to run build on disabled agent
TW-3171 - Allow to run build under specific user


TW-3171 looks very promising.
What's the projected release date for 6.5.3?
