https://github.com/jenkinsci/swarm-plugin/pull/601#pullrequestreview-…

…1779224347

docs/security.adoc

@@ -29,27 +29,28 @@ Swarm requires a user with the following permissions:
 
 * *Overall/Read*
 * *Agent/Create*
+* *Agent/Connect*
 * *Agent/Configure* (_not_ required when using the project-based Matrix Authorization Strategy)
 
 == Examples
 
 === Matrix-based security
 
-A common practice is to grant *Overall/Read* permission to either anonymous or authenticated users, leaving the dedicated Swarm user with only the *Agent/Create* and *Agent/Configure* permissions:
+A common practice is to grant *Overall/Read* permission to either anonymous or authenticated users, leaving the dedicated Swarm user with only *Agent/Create*, *Agent/Connect*, and *Agent/Configure* permissions:
 
 image:images/matrixBasedSecurity.png[image]
 
 === Project-based Matrix Authorization Strategy
 
-A common practice is to grant *Overall/Read* permission to either anonymous or authenticated users, leaving the dedicated Swarm user with only the *Agent/Create* permission:
+A common practice is to grant *Overall/Read* permission to either anonymous or authenticated users, leaving the dedicated Swarm user with only *Agent/Create* and *Agent/Connect* permissions:
 
 image:images/projectBasedMatrixAuthorizationStrategy.png[image]
 
 NOTE: Unlike matrix-based security, the project-based Matrix Authorization Strategy does not require *Agent/Configure* permission.
 
 === Role-Based Strategy
 
-A common practice is to create a read-only role with *Overall/Read* permission, leaving a dedicated Swarm role with only the *Agent/Create* and *Agent/Configure* permissions:
+A common practice is to create a read-only role with *Overall/Read* permission, leaving a dedicated Swarm role with only *Agent/Create*, *Agent/Connect*, and *Agent/Configure* permissions:
 
 image:images/roleBasedStrategyManage.png[image]
 

plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java

@@ -136,6 +136,7 @@ public void doCreateSlave(
         Jenkins jenkins = Jenkins.get();
 
         jenkins.checkPermission(Computer.CREATE);
+        jenkins.checkPermission(Computer.CONNECT);
 
         List<NodeProperty<Node>> nodeProperties = new ArrayList<>();
 

plugin/src/test/java/hudson/plugins/swarm/test/GlobalSecurityConfigurationBuilder.java

@@ -104,8 +104,9 @@ public void build() throws IOException {
             // Needed for the [optional] Jenkins version check as well as CSRF.
             strategy.add(Jenkins.READ, new PermissionEntry(AuthorizationType.EITHER, "authenticated"));
 
-            // Needed to create the agent.
+            // Needed to create and connect the agent.
             strategy.add(Computer.CREATE, new PermissionEntry(AuthorizationType.EITHER, swarmUsername));
+            strategy.add(Computer.CONNECT, new PermissionEntry(AuthorizationType.EITHER, swarmUsername));
 
             /*
              * The following is necessary because
@@ -119,8 +120,11 @@ public void build() throws IOException {
         } else if (authorizationStrategy instanceof RoleBasedAuthorizationStrategy) {
             Role admin = new Role("admin", ".*", Set.of(Jenkins.ADMINISTER.getId()), "Jenkins administrators");
             Role readOnly = new Role("readonly", ".*", Set.of(Jenkins.READ.getId()), "Read-only users");
-            Role swarm =
-                    new Role("swarm", ".*", Set.of(Computer.CREATE.getId(), Computer.CONFIGURE.getId()), "Swarm users");
+            Role swarm = new Role(
+                    "swarm",
+                    ".*",
+                    Set.of(Computer.CREATE.getId(), Computer.CONNECT.getId(), Computer.CONFIGURE.getId()),
+                    "Swarm users");
 
             SortedMap<Role, Set<String>> roleMap = new TreeMap<>();
             roleMap.put(admin, Set.of(adminUsername));