[JIRA] (JENKINS-54262) Groovy Postbuild requires Overall/Administer permission

ace_11_89@yahoo.com (JIRA)

unread,

Oct 26, 2018, 2:58:02 AM10/26/18

to jenkinsc...@googlegroups.com

Adrian Vlad created an issue

Jenkins /

JENKINS-54262

Groovy Postbuild requires Overall/Administer permission

Issue Type:	Bug
Assignee:	Stefan Wolf
Components:	groovy-postbuild-plugin
Created:	2018-10-26 06:57
Priority:	Minor
Reporter:	Adrian Vlad

Although it uses script security and administrators can whitelist methods and approve scripts, Groovy Postbuild still requires that the user running it must have Overall/Administer permission: https://github.com/jenkinsci/groovy-postbuild-plugin/blob/master/src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java#L364

This creates failed builds when using the Authorize Project plugin to run builds as the user that triggered them and most of the users that run builds are regular users.

Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

jglick@cloudbees.com (JIRA)

unread,

Oct 30, 2018, 9:08:02 AM10/30/18

to jenkinsc...@googlegroups.com

Jesse Glick updated an issue

Jenkins /

JENKINS-54262

Groovy Postbuild requires Overall/Administer permission

Change By:	Jesse Glick
Labels:	permissions

Add Comment

jglick@cloudbees.com (JIRA)

unread,

Oct 30, 2018, 9:09:02 AM10/30/18

to jenkinsc...@googlegroups.com

Jesse Glick commented on

JENKINS-54262

Re: Groovy Postbuild requires Overall/Administer permission

CC Wadeck Follonier + Daniel Beck

Add Comment

xavier.xemaire@shks.de (JIRA)

unread,

May 29, 2019, 8:42:02 AM5/29/19

to jenkinsc...@googlegroups.com

Xavier Xemaire commented on

JENKINS-54262

Re: Groovy Postbuild requires Overall/Administer permission

We have the same problem.
We use the following Groovy postbuild script:

 
                                                                manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag'])

We get the following exception:

 
                                                                hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission
	at hudson.security.ACL.checkPermission(ACL.java:68)
	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46)
	at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
	at hudson.model.Build$BuildExecution.post2(Build.java:186)
	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
	at hudson.model.Run.execute(Run.java:1749)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Build step 'Groovy Postbuild' marked build as failure
 
                                                            

As we use also promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.

Add Comment

ace_11_89@yahoo.com (JIRA)

unread,

May 29, 2019, 8:49:04 AM5/29/19

to jenkinsc...@googlegroups.com

Adrian Vlad commented on

JENKINS-54262

Re: Groovy Postbuild requires Overall/Administer permission

A workaround is using Flexible publish with an Execute system Groovy script.

In the script you can do

 
                                                                import com.jenkinsci.plugins.badge.action.BadgeAction;

def _envVars = build.getEnvironment(listener);

/* Run time */
build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString(System.currentTimeMillis() - build.getStartTimeInMillis()), "grey", "white", "0px", "white"));