
Job DSL support for ScriptApproval (was: Groovy postbuild ignores RUN_SCRIPTS permission)

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major
    • Environment:
      Ubuntu 14.04 LTS
      OpenJDK 1.7 IcedTea
      Jenkins ver. 1.635
      Script Security Plugin 1.15
      Groovy Postbuild 2.2.2

      The Groovy Postbuild plugin doesn't appear to adhere to the Jenkins.RUN_SCRIPTS permission at all. I'm generating jobs using the Job DSL Plugin and have given the RUN_SCRIPTS permission to the anonymous user.

      When I generate scripts this plugin still requires the script approval.

      Authentication is enabled but anonymous is given RunScripts permission. I would assume anybody would be able to create scripts (including the Job DSL plugin generated jobs).


          Sam Gleske created issue -

          Sam Gleske added a comment -

          Possibly related to JENKINS-22661? The behavior seems different, though.

          Sam Gleske made changes -
          Link New: This issue is related to JENKINS-22661 [ JENKINS-22661 ]
          Sam Gleske made changes -
          Description edited (clarified that the report concerns the Groovy Postbuild plugin; text otherwise as above)

          Sam Gleske added a comment -

          I reverse engineered how script approvals work and automatically approve scripts via hashing. I didn't have time for an upstream fix for this and I don't know what it would be.


          Sam Gleske added a comment -

          The workaround in Job DSL is essentially:

          // needed so that Jenkins.instance resolves inside a Job DSL script
          import jenkins.model.Jenkins

          job('dsl-generated-job') {   // job name is a placeholder; the original snippet omitted it
              publishers {
                  def groovyscript = "some groovy script"
                  groovyPostBuild(groovyscript, Behavior.DoNothing)
                  // pre-approve post-build groovy scripts: compute the same hash that
                  // script-security stores for an approved script and add it to the
                  // approved list (the seed job's user needs RUN_SCRIPTS for this call)
                  def scriptApproval = Jenkins.instance.getExtensionList('org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval')[0]
                  scriptApproval.approveScript(scriptApproval.hash(groovyscript, 'groovy'))
              }
          }


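          As an added example (not code from this issue, the Job DSL plugin or script-security), the following Python audit script reproduces the approval hash that the workaround above relies on and checks a set of DSL-generated post-build scripts against a constructed scriptApproval.xml, so an administrator can see which scripts a seed job has silently pre-approved and which still await review. It assumes the script-security 1.x scheme, SHA-1 over "language:script" in UTF-8; the job names and scripts are constructed sample data.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumption: script-security 1.x computes ScriptApproval.hash(script, language) as
# SHA-1 over "<language>:<script>" in UTF-8. Later plugin releases moved to a
# stronger digest, so this reproduces only the scheme current at the time of the issue.
def approval_hash(script: str, language: str = "groovy") -> str:
    digest = hashlib.sha1()
    digest.update(language.encode("utf-8"))
    digest.update(b":")
    digest.update(script.encode("utf-8"))
    return digest.hexdigest()

def approved_hashes(script_approval_xml: str) -> set:
    """Collect the <approvedScriptHashes> entries from $JENKINS_HOME/scriptApproval.xml."""
    root = ET.fromstring(script_approval_xml)
    return {e.text.strip() for e in root.iterfind("approvedScriptHashes/string") if e.text}

def pending_scripts(script_approval_xml: str) -> list:
    """Return (hash, language, script) for every entry still waiting for an administrator."""
    root = ET.fromstring(script_approval_xml)
    return [(p.findtext("hash"), p.findtext("language"), p.findtext("script"))
            for p in root.iterfind("pendingScripts/pendingScript")]

def audit(job_scripts: dict, script_approval_xml: str) -> dict:
    """Map each generated job to 'approved' or 'pending' for its Groovy post-build script."""
    approved = approved_hashes(script_approval_xml)
    return {job: ("approved" if approval_hash(src) in approved else "pending")
            for job, src in job_scripts.items()}

# Constructed sample: one script already on the approved list, one awaiting review.
JOB_SCRIPTS = {
    "dsl-generated-a": "manager.addShortText('built')",
    "dsl-generated-b": "manager.listener.logger.println('hello')",
}
SAMPLE_SCRIPT_APPROVAL_XML = f"""<scriptApproval plugin="script-security@1.15">
  <approvedScriptHashes>
    <string>{approval_hash(JOB_SCRIPTS['dsl-generated-a'])}</string>
  </approvedScriptHashes>
  <pendingScripts>
    <pendingScript>
      <hash>{approval_hash(JOB_SCRIPTS['dsl-generated-b'])}</hash>
      <script>{JOB_SCRIPTS['dsl-generated-b']}</script>
      <language>groovy</language>
    </pendingScript>
  </pendingScripts>
</scriptApproval>"""

if __name__ == "__main__":
    for job, status in audit(JOB_SCRIPTS, SAMPLE_SCRIPT_APPROVAL_XML).items():
        print(f"{job}: {status}")
    for h, lang, src in pending_scripts(SAMPLE_SCRIPT_APPROVAL_XML):
        print(f"pending {lang} {h[:8]}...: {src}")
```

Run it against a real scriptApproval.xml and the scripts extracted from generated job config.xml files to spot approvals that no administrator reviewed.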
          Jesse Glick made changes -
          Link Original: This issue is related to JENKINS-22661 [ JENKINS-22661 ]

          Jesse Glick added a comment -

          Nothing specific to Groovy Postbuild.

          The originally reported situation is nonsensical. If you granted anonymous RUN_SCRIPTS, it is game over—you may as well disable security altogether, in which case script approval is also skipped.

          The legitimate case is that you have a secured instance in which there is an administrator who is the only one able to create jobs (otherwise anyone could create a Job DSL project), and you want projects created via DSL to have their scripts preapproved. This probably requires a new API in script-security and a call to that API from job-dsl in createNewItem/updateExistingItem to associate a user with the item. (Really that user ought to have been defined by the authorize-project plugin, and job-dsl itself should use script-security to guard scripts. As written, it can only be used in an installation in which no one other than superusers have any write permissions, and all SCM commits are trusted.)

          Jesse Glick made changes -
          Component/s New: job-dsl-plugin [ 16720 ]
          Component/s Original: groovy-postbuild-plugin [ 15685 ]
          Assignee Original: Stefan Wolf [ wolfs ]
          Issue Type Original: Bug [ 1 ] New: New Feature [ 2 ]
          Labels New: api security
          Summary Original: Groovy postbuild ignores RUN_SCRIPTS permission New: Job DSL support for ScriptApproval (was: Groovy postbuild ignores RUN_SCRIPTS permission)

            Assignee: Unassigned
            Reporter: Sam Gleske (sag47)
            Votes: 7
            Watchers: 12