Approve workflow script from Job DSL plugin

[David Resnick]

I have a workflow script that I set in the workflow job Groovy CPS DSL textbox via Job DSL. The problem is that though security on the server is set to "logged in users can do anything", apparently the script is not set as "Jenkins administrator".

How can I have the workflow job script updated via Job DSL without having to approve the script each time it changes?

This is the general layout of the Job DSL:

def flow = '''

node {

  git url: 'ssh://g...@git.com/repo.git'

}

'''

workflowJob('job1') {

  triggers {

      scm('# triggered by post-commit hook')

  }

  definition {

    cps {

      script(flow)

    }

  }

}

Jenkins is 1.609.1, workflow 1.8, job dsl 1.35.

Thanks,

David

[Jesse Glick]

On Tuesday, July 21, 2015 at 4:17:51 PM UTC-4, David Resnick wrote:

How can I have the workflow job script updated via Job DSL without having to approve the script each time it changes?

If the Job DSL plugin supports setting sandbox=true here, use that. However it would be a nice enhancement for the Job DSL integration to automatically approve a flow definition with sandbox=false that it creates. (Job DSL builds have unrestricted access to Jenkins so anything created that way can be assumed to be from a superuser. I am not even sure how you would secure a Jenkins installation containing this plugin, unless you are using only basic security levels like “any logged-in user”.)

[David Resnick]

I've set the script to be sandboxed in the Job DSL script, though it looks link only a marginal improvement because of the need to approve missing method signatures.

What would the Job DSL plugin need to do to automatically approve the non-sandboxed script it sets in a job? As you mention, security here is already being by-passed when the Job DSL plugin is in use.

- David

[Kanstantsin Shautsou]

When i'm adding script manually in job it approved, when converting to dsl - it requires approval. This is not very convenient.