[JIRA] [groovy-postbuild-plugin] (JENKINS-32681) Option to disable script security approval

[schristou88@gmail.com (JIRA)]

Steven Christou created an issue

Jenkins / JENKINS-32681 Option to disable script security approval Issue Type: Improvement Assignee: wolfs Components: groovy-postbuild-plugin, script-security-plugin Created: 28/Jan/16 10:51 PM Priority: Trivial Reporter: Steven Christou It would be nice to have an option in Manage Jenkins -> Configure Security to disable the need for approval process for the groovy-postbuild plugin. By default the script security plugin is enabled and with no method for disabling, or ignoring an entire project. Add Comment

This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-32681

Re: Option to disable script security approval What's the rationale for this? When you have Overall/RunScripts, there's no sandbox/approval (or is there on Groovy Postbuild?). If you don't, there must be.

Add Comment

[schristou88@gmail.com (JIRA)]

Steven Christou commented on JENKINS-32681

Re: Option to disable script security approval

The sandbox approval does not work with the Overall\RunScript permission. It still posts a request to have the script approved: Sandbox mode: Groovy script failed: org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder$BadgeManager getHudson at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150) Non-Sanbox mode: ERROR: Failed to evaluate groovy script. org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for use at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:428) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:166) at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:362) The title of this should most likely be switched to allow for Overall\RunScript to work with the groovy postbuild plugin. Can be reproduced by having the groovy script manager.hudson.getItemByFullName("JOBNAME");

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick resolved as Not A Defect

UnapprovedUsageException is not the same as RejectedAccessException.

Jenkins / JENKINS-32681

Option to disable script security approval

Change By: Jesse Glick Status: Open Resolved Resolution: Not A Defect

Add Comment

[bkrische@ra.rockwell.com (JIRA)]

Brian Krische commented on JENKINS-32681

Re: Option to disable script security approval Why was this closed? This seems like a legitimate request. The use case would be: A Jenkins administrator and/or a group of trusted users are the only ones able to create jobs. Regular users are only able run jobs. If the job creators need functionality outside of the whitelisted/sandbox methods; then they have to approve those scripts. If you have a lot of jobs or your job configurations come from automated methods (version control, provisioning software like puppet or chef); it's not exactly easy or efficient to have another step to approve the scripts. In the scenario I describe (trusted job creators and script writers but "untrusted" job runners), script security isn't needed. In that scenario, administrators should be able to disable script security for Groovy Postbuild so that it works like it did prior to the 2.0 release.

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-32681

Re: Option to disable script security approval

Jesse Glick Aren't scripts configured by people with Overall/RunScripts automatically approved?

Add Comment

[cameron.adams@itv.com (JIRA)]

Cameron I commented on JENKINS-32681

Re: Option to disable script security approval

Hi there, yes I agree with Brian. We set up our jobs with puppet. There's no need to manually approve our pipeline scripts as they're controlled via puppet anyway. The option of not allowing a disable feature means there must be a manual step, and in a configuration management environment thats not necessary and goes against the ethos of automation. Is there any chance to reopen this? Cheers

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-32681

Re: Option to disable script security approval

Cameron I https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin may be for you.

Add Comment

[cameron.adams@itv.com (JIRA)]

Cameron I commented on JENKINS-32681

Re: Option to disable script security approval

Ah, right yes I see that. Will give that a go instead. Thanks

Add Comment

[misha.nesterenko@gmail.com (JIRA)]

Misha Nesterenko commented on JENKINS-32681

Re: Option to disable script security approval

It seems that permissive plugin does not help. For example extended-choice-plugin goes directly to ScriptApproval which checks allowed hashes: try { scriptApproval.configuring(groovyScript, GroovyLanguage.get(), ApprovalContext.create()); scriptApproval.using(groovyScript, GroovyLanguage.get()); } catch(UnapprovedUsageException uUE) { result = false; } catch(UnapprovedClasspathException uCE) { result = false; } That would be great either to auto approve all scripts (or with some conditions) or approve scripts without user interation (i.e. with web service endpoint).

Add Comment

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

[VictorMartinezRubio@gmail.com (JIRA)]

Victor Martinez commented on JENKINS-32681

Re: Option to disable script security approval

Hi there, I've tried to setup : Permissive Script Security Plugin to disable this security approval process but still same issue groovy setup System.setProperty("org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.enabled","true") java opts -Dpermissive-script-security.enabled=true groovy postbuild stuff pattern = ~/^FOUND_EXPIRED_.*/ manager.build.logFile.eachLine { line -> matcher = pattern.matcher(line) if(matcher.matches()) { manager.buildUnstable() } } log error

ERROR: Failed to evaluate groovy script. org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException: script not yet approved for

use at org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.using(ScriptApproval.java:459) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:168) at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:362) at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779) at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:720) at hudson.model.Build$BuildExecution.post2(Build.java:185) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:665) at hudson.model.Run.execute(Run.java:1745) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:404) Configuration: script-security 1.21 groovy 1.29 groovy-postbuild permissive-script-security 0.1 jenkins 2.19.1 Any ideas?

Add Comment

[dbeck@cloudbees.com (JIRA)]

Daniel Beck commented on JENKINS-32681

Re: Option to disable script security approval

Victor Martinez Looks like you may need to enable the sandbox rather than have whole-script approval?

Add Comment

[owood@cloudbees.com (JIRA)]

Owen Wood reopened an issue

This also affects Additonal Classpath - Classpath Entries. Groovy script failed: org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedClasspathException: classpath entry Enabling sandbox does not help System.setProperty("org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.enabled","true") does not help

Jenkins / JENKINS-32681

Option to disable script security approval

Change By: Owen Wood Resolution: Not A Defect Status: Resolved Reopened

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick resolved as Not A Defect

Owen Wood not sure what you are seeing exactly but sounds unrelated; perhaps JENKINS-37599.

Jenkins / JENKINS-32681 Option to disable script security approval

Change By: Jesse Glick Status: Reopened Resolved Resolution: Not A Defect

Add Comment

[VictorMartinezRubio@gmail.com (JIRA)]

Victor Martinez commented on JENKINS-32681

Re: Option to disable script security approval Daniel Beck, it works fine after using the sandbox checkbox as you suggested, thanks so much. I did assume something else about the sandbox flag. Sorry about this false alarm Thanks again

Add Comment

[prince96raj@gmail.com (JIRA)]

Prince Raj Kumar commented on JENKINS-32681

Re: Option to disable script security approval

One of the work-around might be using authorize-project plugin. It is working in my case. Just need to configure the build execution with admin user. Configuration detail steps has given on the plugin page.

Add Comment

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

[prince96raj@gmail.com (JIRA)]

Prince Raj Kumar edited a comment on JENKINS-32681

Re: Option to disable script security approval

One of the work-around might be using authorize-project plugin. It is working in my case. Just need to configure the build execution with admin user. Configuration detail steps has given on the plugin page.

Plugin wiki link: https://wiki.jenkins.io/display/JENKINS/Authorize+Project+plugin

Add Comment

[mksd@mekomsolutions.com (JIRA)]

Dimitri R commented on JENKINS-32681

Re: Option to disable script security approval

Looks like you may need to enable the sandbox rather than have whole-script approval? Thanks Daniel Beck, this hint put me on the right track. So I had this one Groovy script that I use in a job to trigger downstream jobs (with hudson.model.Hudson.instance.queue.schedule(..)), this required it to not be sandboxed and to be approved. The latter was problematic in my automation context. What worked for me on Jenkins 2.141 was Install the Permissive Script Security plugin 0.3. Start Jenkins with the Java option -Dpermissive-script-security.enabled=true. Note that I'm using the Docker container so here is how I do that: ENV JAVA_OPTS="-Dpermissive-script-security.enabled=true" Sandbox the script.

Add Comment

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-32681

Re: Option to disable script security approval

I had this one Groovy script that I use in a job to trigger downstream jobs Note that if you are using Pipeline, this can be done much more simply and safely using the build step.

Add Comment

[ace_11_89@yahoo.com (JIRA)]

Adrian Vlad commented on JENKINS-32681

Re: Option to disable script security approval

Why does Groovy Postbuild need Overall/Administer permission if Script Security is used to approve or whitelist scripts and methods? This is a stopper for me because I use Authorize Project plugin to run the jobs as the user who triggered the build, but most of the users that will trigger builds will not have administer rights. This setup will fail all the builds that have groovy postbuild set up and triggered by regular users.

Add Comment

[jglick@cloudbees.com (JIRA)]

Jesse Glick commented on JENKINS-32681

Re: Option to disable script security approval

Why does Groovy Postbuild need Overall/Administer permission if Script Security is used to approve or whitelist scripts and methods?

Perhaps predates script security integration, and you are the first to try using it with authorize-project. Best to file a separate bug report in groovy-postbuild for it.

Add Comment

[ace_11_89@yahoo.com (JIRA)]

Adrian Vlad commented on JENKINS-32681

Re: Option to disable script security approval

I just opened a new bug (https://issues.jenkins-ci.org/browse/JENKINS-54262). Thank you for the suggestion.

Add Comment