Allow importing local classes when the build is running as an administrator
119 views
Skip to first unread message
Jakub Bocheński
Apr 26, 2017, 8:13:34 AM4/26/17
to job-dsl-plugin, ma...@daniel-spilker.com
Hi,
I wanted to move the discussion here, as suggested on JIRA
I wanted to move the discussion here, as suggested on JIRA
Imported code is neither executed in the script security sandbox nor checked for approval by an administrator. Anyone with permission to modify the code will effectively gain administrative privileges in Jenkins. To fix that problem, the classpath is not extended by the "Additional classpath" or the script directory. And thus importing code is not possible when script security for Job DSL is enabled.
Daniel Spilker on https://issues.jenkins-ci.org/browse/JENKINS-43726?focusedCommentId=297093&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-297093
I think above doesn't apply when one is running the dsl job as an administrator user (to enable a workflow where the scripts are pulled from SCM without needing additional approval).
Anyone with write permission to the SCM repository already can run arbitrary code and it's a feature of this kind of workflow.
Enabling this seems much easier than doing a full "secure import of scripts" feature.
I think above doesn't apply when one is running the dsl job as an administrator user (to enable a workflow where the scripts are pulled from SCM without needing additional approval).
Anyone with write permission to the SCM repository already can run arbitrary code and it's a feature of this kind of workflow.
Enabling this seems much easier than doing a full "secure import of scripts" feature.
Sam Sieber
May 29, 2017, 9:53:20 PM5/29/17
to job-dsl-plugin, ma...@daniel-spilker.com
I'd like to second this sentiment.
If it's not feasible to allow import of workspace code when running as administrator, would it be possible to add "library" repositories approved for import globally, like pipelines let you: https://jenkins.io/doc/book/pipeline/shared-libraries/ ?
I personally don't see the harm in allowing certain jobs to be run as admin in order to gain the ability to gain workspace auth - people say that it's a glaring security weakness because if people get access to the git access, then they can do anything on the Jenkins server. The pipeline shared libraries have the same problem though, so that doesn't hold water with me (if we're talking about restricting it to admins).
Even if it doesn't satisfy full security needs, I'd love to have the middle ground of "only admins can run jobs that import local files" as a mode. It'd be more secure than we have to do right now.
I'd even try to take a whack at implementing it myself if I was pointed in the right direction.
Sumit Agarwal
Oct 19, 2017, 5:13:50 AM10/19/17
to job-dsl-plugin
I just posted a new message on this. Is it possible to load Global Libraries in jobDSL?
If not then how would you load Groovy DSL shared code in Jenkins so that it can work with script security enabled?
Reply all
Reply to author
Forward
0 new messages