diff options
Diffstat (limited to 'zuul/executor/server.py')
-rw-r--r-- | zuul/executor/server.py | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/zuul/executor/server.py b/zuul/executor/server.py index 2b08d5bc7..4e909491a 100644 --- a/zuul/executor/server.py +++ b/zuul/executor/server.py @@ -859,6 +859,7 @@ class AnsibleJob(object): self.library_dir = os.path.join(plugin_dir, 'library') self.action_dir = os.path.join(plugin_dir, 'action') self.action_dir_general = os.path.join(plugin_dir, 'actiongeneral') + self.action_dir_trusted = os.path.join(plugin_dir, 'actiontrusted') self.callback_dir = os.path.join(plugin_dir, 'callback') self.lookup_dir = os.path.join(plugin_dir, 'lookup') self.filter_dir = os.path.join(plugin_dir, 'filter') @@ -2049,13 +2050,22 @@ class AnsibleJob(object): # 10s to respond config.write('timeout = 30\n') - # We need at least the general action dir as this overwrites the - # command action plugin for log streaming. + # We need the general action dir to make the zuul_return plugin + # available to every job. action_dirs = [self.action_dir_general] if not trusted: + # Untrusted jobs add the action dir which makes sure localhost + # modules are restricted where needed. Further the command + # plugin needs to be restricted and also inject zuul_log_id + # to make log streaming work. action_dirs.append(self.action_dir) config.write('lookup_plugins = %s\n' % self.lookup_dir) + else: + # Trusted jobs add the actiontrusted dir which adds the + # unrestricted command plugin to inject zuul_log_id to make + # log streaming work. + action_dirs.append(self.action_dir_trusted) config.write('action_plugins = %s\n' % ':'.join(action_dirs)) |