Use TeamCity permissions to limit user access to specific build parameters - teamcity

I am using TeamCity 10 and have a build configuration that uses a number of build parameters. Of these parameters a subset are prompted for when triggering a build and are required.
I am attempting to create a new role in TeamCity with VERY limited permissions that will only allow the user to view specific projects and trigger builds. In order for this user to be able to specify the required parameters I have to give them the TC 'Customize Build Parameters' permission. Unfortunately this also gives them the ability to change ALL build parameters and can lead to problems/confusion. Is there any way to choose the specific build parameters the user is able to change instead of them gaining access to all?

I was able to create parameters that the low privilege users could not edit/view by configuring the parameters to be "read only" or "hidden". The parameters I wanted the users to be able to change are configured as regular parameters which can be edited from the Run Build modal.

Related

I want to trigger multiple task runs that differ by their input parameters in a Databricks job

I am trying to run a job including a task that needs to run multiple times in parallel using different parameter values.
I understand that this is possible based on this post:
https://docs.databricks.com/data-engineering/jobs/jobs.html#maximum-concurrent-runs
But I can't figure out how.
To create a trigger on multiple jobs using the Databricks UI, follow the path below:
Workflows > Jobs > Create
Here give Task name and select Type, Source and Path.
You can Add parameters as shown in the screenshot below.
In Advanced options you can Add dependent libraries, Edit email notifications, Edit retry policy, Edit timeout.

What user profile does the system use when it runs a service in Windows

All,
I have no idea how Windows services work, just curious: when we register a Windows service (such as auto-running a server after reboot), if it requires a user profile to load info (such as pulling data from somewhere else), what user profile does it load?
Thanks,
You can select which user runs each registered service, and the system comes with users assigned per service. The most used by the system is SYSTEM.
To check this you have to:
Go to services.
Right click on the desired service and properties.
Go to the Log on tab and check.
If the Local System account is selected, the username is SYSTEM, which has special permissions on almost all folders and Windows sections, including users' profile data.
On the other hand, if you would like to do something special with a specific account, you can tell the system to start the service with the specified account. Just make sure to update the password information every time the user changes it.
Regards,
Luis
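As an added example, not part of the original answer: the same "Log on" information can be audited in bulk from the text that `sc qc <service>` prints. The service names, paths and the `.\svc_report` account below are constructed sample input, and the three-way classification is this example's own convention.

```python
import re

# Constructed `sc qc` output for three made-up services (abridged fields).
SC_QC_OUTPUT = r"""
SERVICE_NAME: ExampleSync
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Example\sync.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleReporter
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Example\report.exe
        SERVICE_START_NAME : .\svc_report

SERVICE_NAME: ExampleCache
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\Example\cache.exe
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

BUILT_IN = {"nt authority\\localservice", "nt authority\\networkservice"}


def parse_sc_qc(text):
    """Return {service name: logon account} from concatenated `sc qc` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*SERVICE_START_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            accounts[current] = m.group(1)
    return accounts


def classify(account):
    """SYSTEM = Local System; built-in = no password to manage; custom = a user account."""
    a = account.lower()
    if a == "localsystem":
        return "SYSTEM"
    if a in BUILT_IN or a.startswith("nt service\\"):
        return "built-in"
    return "custom"  # stored password must be updated when the user changes it


def audit(text):
    """Map each service to (logon account, category)."""
    return {svc: (acct, classify(acct)) for svc, acct in parse_sc_qc(text).items()}


if __name__ == "__main__":
    for svc, (acct, kind) in audit(SC_QC_OUTPUT).items():
        print(f"{svc:18} {acct:28} {kind}")
```
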

How to isolate multiple Teamcity agents from getting picked up by a specific job

I would like my build job to not build on specific TeamCity agents, and there is no common pattern for the build agent names. Is there a way I can isolate multiple agents from getting picked up by a single job?
For example I can make sure that the build job does not pick up 1 agent using the following parameter.
teamcity.agent.name
does not match
agent-001
How can I similarly tell the teamcity job to not run on the following agents as well.
"123-agent"
"my_agent"
"test_agent"
"agent_do_not_use"
I cannot use the same parameter, teamcity.agent.name with does not match for multiple agents.
Can you all teamcity experts help me out here please on what is the best way to achieve this.
You can add an agent requirement with a "does not match" condition, which accepts a regular expression, and set it to:
123-agent|my_agent|test_agent|agent_do_not_use
Using an agent requirement based on presence (or absence) of a specific property coming from agent's buildAgent.properties file would probably be a better solution than using agent names in the requirement.
Alternative means to manage agent's compatibility are: use agent pools and use agent's Compatible Configurations set to a limited set.
You can add a specific parameter inside the agent configuration on the local machine inside: C:\BuildAgent\conf\buildAgent.properties
Then, you can add something specific like: system.Is<MyFeature>Available=True
Then, in teamcity configuration, you will add an Agent Requirement with this parameter.

Run configuration on specific set of agents?

We're using TeamCity 9 and have a pool of agents, only some of which can run a particular job we've created. It's going to be a while before a new pool can be created with new agents, and in the meantime we would like to set this job to run only on specific ones.
In the configuration settings we can choose system.agent.name, but that only allows us one agent. Is there a way to configure things so that I can run on multiple agents based on their name, so that, say teamcity_agent01, teamcity_agent07 and teamcity_agent12 are eligible?
If the capabilities you want on the agent expose environment variables you can have a command line step refer to the environment variable and that will scope the job to a suitable agent.
e.g.
echo "%env.PATH_TO_GIT%"
You can add environment variables to your agents like this:
Open the file “/conf/buildAgent.properties” on the agent system. This file contains parameters in key=value format.
To add a system property, add a line like -> system.os=Linux
To add an environment variable, add a line like -> env.JAVA_HOME=/home/java/jdk1.6.0_13
The beauty of this is that as you add more capabilities and agents then you don't need to revisit each job to change where it can run
For Teamcity 9.x
Next to the Projects, and Changes select Agents.
Select the agent that you want to run specific jobs on.
Select the "Compatible Configurations" tab.
On the "Current run configuration policy" dropdown select "Run assigned configurations only"
Click on the "+ Assign configuration" button.
Compatible configurations are colored blue. Select as you wish.
The timing of the configurations and when they should run can be configured under each build configuration triggers tab.
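As an added example, not part of the original answers: a small model of the two approaches from the agent threads above, a "does not match" requirement on agent names versus a requirement that a property exists in the agent's buildAgent.properties. The agents `agent-002` and `new-untrusted-agent` and the property `system.IsDeployToolAvailable` are hypothetical, and whole-value regex matching is an assumption of this model, not confirmed TeamCity behaviour.

```python
import re

# Constructed sample agents: name -> contents of conf/buildAgent.properties.
# "system.IsDeployToolAvailable" is a hypothetical capability marker.
AGENTS = {
    "agent-002": "# reviewed agent\nsystem.IsDeployToolAvailable=True\n",
    "my_agent": "system.os=Linux\n",
    "agent_do_not_use": "system.os=Linux\n",
    # Added to the pool later; nobody updated the name pattern.
    "new-untrusted-agent": "system.os=Linux\n",
}

DENY_REGEX = "123-agent|my_agent|test_agent|agent_do_not_use"
REQUIRED_PROPERTY = "system.IsDeployToolAvailable"


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def eligible_by_name_denylist(agents, pattern):
    """'does not match' on the agent name (assumes whole-value matching)."""
    rx = re.compile(pattern)
    return sorted(name for name in agents if not rx.fullmatch(name))


def eligible_by_property(agents, prop):
    """'exists' requirement on a property the agent declares itself."""
    return sorted(n for n, text in agents.items() if prop in parse_properties(text))


def unreviewed_agents(agents, pattern, prop):
    """Agents the denylist lets through that never declared the capability."""
    return sorted(set(eligible_by_name_denylist(agents, pattern))
                  - set(eligible_by_property(agents, prop)))


if __name__ == "__main__":
    print("name denylist :", eligible_by_name_denylist(AGENTS, DENY_REGEX))
    print("property req. :", eligible_by_property(AGENTS, REQUIRED_PROPERTY))
    print("unreviewed    :", unreviewed_agents(AGENTS, DENY_REGEX, REQUIRED_PROPERTY))
```

The denylist admits `new-untrusted-agent` because nobody added it to the pattern, while the property requirement excludes it by default. The property lives in a file on the agent host, so it is only as trustworthy as whoever administers that host.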

How can I have better privileges management in Azure roles?

AFAIK when I set up my Azure roles I have only one way to specify how much privileges the process running role code will have - by using <Runtime executionContext> XML tag.
However this looks coarse grained. If I specify "elevated" my code runs under "Local system" which is unlimited privileges and if I specify "limited" my code runs under some low privileges user that doesn't have privileges my code needs.
Is there some convenient way to run Azure role code under some custom user that has limited privileges that I myself would control?
Right now, your code will already run as a limited user. In fact, there are no users on the VM - it is using a SID injection technique to get a security context at all. From your question, it seems like you need more than a normal user, but less than an admin?
If you really want to have different permissions, you need to create some users (use Startup tasks and net add or DirectoryServices) and set permissions. All of this is scriptable.
The more challenging part comes now to run your code as that user. For this, you need to do what is called impersonation. Your more privileged code (an admin process typically) can obtain a token for a local user and use that to impersonate a user. The code then runs as the user and is restricted. Impersonation is a well covered topic in .NET and other languages.
If you want a clever example of running code as another user, check this post by David Aiken:
http://www.davidaiken.com/2011/01/19/running-azure-startup-tasks-as-a-real-user/
