Use scriptler without ADMINISTRATOR privilege


nicolas de loof

Sep 20, 2011, 7:43:27 AM
to jenkin...@googlegroups.com
Hi,

I'd like to evolve the Scriptler plugin to support this use case:

I have a set of scripts configured on my instance, those scripts are considered "safe"
I want non-ADMINISTRATOR users to be able to execute them, i.e. :
1 - don't have ability to edit the script so that they can execute arbitrary code
2 - some way to pass parameters (as editing the script isn't an option anymore)
3 - execute script without admin check

I think step 2 could be a more general purpose improvement : have some way for a script to declare parameters and expose them in U.I.

wdyt ?

Linards Liepiņš

Sep 20, 2011, 7:52:49 AM
to jenkin...@googlegroups.com
S E C U R I T Y compromising idea :( Only real reason Jenkins is used in worldwide corporations is that Jenkins allows to exec any kind of job ONLY WITH Administrator privileges ... any passthrough is potential security hole because developers cannot predict each and every usecase of such unauthorized but valid usecases of environment ...

2011/9/20 nicolas de loof <nicolas...@gmail.com>



--
A.C. Linards L.

domi

Sep 20, 2011, 1:50:57 PM
to jenkin...@googlegroups.com
Actually this is on my todo list…
the idea is to provide a BuildStep which is able to provide a drop-down with a set of defined scripts configured in scriptler (with the ability to pass in parameters) - this way we should be able to do it in a secure way,
…unfortunately I did not find time to implement it yet… feel free to start it :)
/Domi

nicolas de loof

Oct 9, 2011, 7:19:57 AM
to jenkin...@googlegroups.com, do...@fortysix.ch
Hi Domi,

I was planning some cycles to implement this feature - at least, first steps.

Running as non admin will require to skip the script edit view, but let user pass parameters. This could be useful anyway even for admins
How could we define the parameters required by a script ?
- Either have a scriptler admin view to let admin define script parameters
- Or do it directly based on some script metadata, for example using some jsp-header-tag-syntax :

// @parameter name="foo" description="..."
Groovy script using foo as a global variable in GroovyShell context

wdyt ?

2011/9/20 domi <do...@fortysix.ch>
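
The metadata-header option proposed in the message above, sketched as an added example that is not part of the original thread or of the Scriptler code base. The helper names (`parseDeclaredParams`, `runWithParams`) and the sample script are hypothetical; the point is that the caller supplies only values for declared names, never script text, while the stored script itself still runs with full privileges and so must remain admin-authored.

```groovy
// Added illustration: all names here are hypothetical, not Scriptler's API.

// Constructed sample: an admin-stored script with a header in the proposed syntax.
def storedScript = '''\
// @parameter name="foo" description="greeting target"
// @parameter name="count" description="how many times"
return ("hello ${foo} " * count.toInteger()).trim()
'''

// Collect declared parameters from the leading comment lines only.
Map<String, String> parseDeclaredParams(String script) {
    def declared = [:]
    for (line in script.readLines()) {
        if (!line.trim().startsWith('//')) break      // header ends at first non-comment line
        def m = line =~ /@parameter\s+name="(\w+)"\s+description="([^"]*)"/
        if (m.find()) declared[m.group(1)] = m.group(2)
    }
    declared
}

// Run the stored script with caller-supplied values bound as variables.
// Undeclared or missing names are rejected before anything is evaluated.
def runWithParams(String script, Map<String, String> supplied) {
    def declared = parseDeclaredParams(script)
    def unknown = supplied.keySet() - declared.keySet()
    if (unknown) throw new IllegalArgumentException("undeclared parameters: ${unknown}")
    def missing = declared.keySet() - supplied.keySet()
    if (missing) throw new IllegalArgumentException("missing parameters: ${missing}")
    def binding = new Binding()
    supplied.each { k, v -> binding.setVariable(k, v) }   // values are bound as data, not code
    new GroovyShell(binding).evaluate(script)
}

assert parseDeclaredParams(storedScript).keySet() == ['foo', 'count'] as Set
assert runWithParams(storedScript, [foo: 'jenkins', count: '2']) == 'hello jenkins hello jenkins'

// A name the script never declared must not reach the binding.
def rejected = false
try {
    runWithParams(storedScript, [foo: 'x', count: '1', out: 'y'])
} catch (IllegalArgumentException e) {
    rejected = true
}
assert rejected
```

Binding values as strings keeps a parameter from altering the script body, but a stored script that passes a parameter on to `evaluate`, a shell command or a file path reintroduces the risk, so each script's use of its parameters still needs review.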

domi

Oct 9, 2011, 3:20:26 PM
to jenkin...@googlegroups.com
Hi nicolas,

good to hear from you!
I think we would be better to extend this plugin: https://wiki.jenkins-ci.org/display/JENKINS/Config+File+Provider+Plugin
I'm already about to extend it to support editing shell scripts and provide the script via build step. It will also allow to pass arguments to the script at execution time.
So I think it would perfectly match to have the same for groovy.
btw. there is already a branch with the support for the script: https://github.com/jenkinsci/config-file-provider-plugin/tree/script_buildstep
If it is not too urgent for you, give me some more time and I'll finish the script implementation first - this will definitely make it easier to support groovy too after this.
what do you think?

btw. would love to join your hackathon - but it's a bit far… :(
regards Domi 

nicolas de loof

Oct 10, 2011, 6:44:14 AM
to jenkin...@googlegroups.com
I'll have a look to get more familiar with the config file provider

So, your idea is to have a buildstep to expose a list of "config file" (groovy/shell/?) scripts
Wouldn't this partially overlap with the groovy plugin https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin ? We should expose groovy scripts as an alternative to manual editing

No urgency, let me know when you have script implementation running, for sure it may be a first step before supporting other script languages and integration. I'll take a look at this plugin I'm not yet familiar with




2011/10/9 domi <do...@fortysix.ch>

Vojtech Juranek

Oct 10, 2011, 10:01:23 AM
to jenkin...@googlegroups.com
I don't see any significant overlap with groovy plugin. Groovy provides system groovy build step, which can be edited (or stored, to be precise) only by user with admin access and run by any user with the right to run builds, but Scriptler plugin could provide ability to manage these scripts centrally so I see definitely benefits in integration with scriptler plugin
