[JENKINS-32468] Pause script on sandbox rejection and give an admin a chance to approve & resume

Type: New Feature
Resolution: Unresolved
Priority: Major
Component/s: workflow-cps-plugin
Labels:
- evergreen

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Pipeline Sandbox

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method java.util.Collection addAll java.util.Collection
	at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:150)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:79)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:15)
	at WorkflowScript.withJavaEnv(WorkflowScript:94)
	at WorkflowScript.run(WorkflowScript:42)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:69)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:106)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:79)
	at sun.reflect.GeneratedMethodAccessor442.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.LocalVariableBlock$LocalVariable.get(LocalVariableBlock.java:33)
	at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
	at com.cloudbees.groovy.cps.impl.LocalVariableBlock.evalLValue(LocalVariableBlock.java:22)
	at com.cloudbees.groovy.cps.LValueBlock$BlockImpl.eval(LValueBlock.java:55)
	at com.cloudbees.groovy.cps.LValueBlock.eval(LValueBlock.java:16)
	at com.cloudbees.groovy.cps.Next.step(Next.java:58)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:145)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:106)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:274)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:74)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:181)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

Apparently every method that I invoke, will one by one, throw an exception which says my method isn't approved but doesn't link to the "In-process Script Approval" page

is duplicated by

JENKINS-49890 Allow inline script approvals for admins when looking at Pipeline logs

Resolved

is related to

JENKINS-33614 Link to script approval from build console

Resolved

R. Tyler Croy created issue - 2016-01-15 01:51

Jesse Glick added a comment - 2016-03-23 19:51

Would be easy to display a link to the approval page if the viewer is an administrator.

Ideally there would be an option to pause the script while an administrator decides whether to approve or reject the method. This would however require an API change in script-security and some other machinery in workflow-cps to throw CpsCallableInvocation with the right continuation.

Jesse Glick added a comment - 2016-03-23 19:51 Would be easy to display a link to the approval page if the viewer is an administrator. Ideally there would be an option to pause the script while an administrator decides whether to approve or reject the method. This would however require an API change in script-security and some other machinery in workflow-cps to throw CpsCallableInvocation with the right continuation.

Jesse Glick made changes - 2016-06-06 19:19

Epic Link

New: JENKINS-35391 [ 171184 ]

Jesse Glick added a comment - 2016-06-06 19:20

Or perhaps the call could simply block the Java thread. TBD how well this works w.r.t. (a) update of metadata about the build, such as WorkflowRun.copyLogs; (b) Jenkins restarts.

Jesse Glick added a comment - 2016-06-06 19:20 Or perhaps the call could simply block the Java thread. TBD how well this works w.r.t. (a) update of metadata about the build, such as WorkflowRun.copyLogs ; (b) Jenkins restarts.

R. Tyler Croy made changes - 2016-07-25 23:52

Workflow

Original: JNJira [ 168104 ]

New: JNJira + In-Review [ 182969 ]

Andrew Bayer made changes - 2016-08-26 21:50

Component/s

New: pipeline-general [ 21692 ]

Andrew Bayer made changes - 2016-08-26 21:53

Component/s

Original: workflow-plugin [ 18820 ]

Jesse Glick made changes - 2016-08-29 20:16

Component/s		New: workflow-cps-plugin [ 21713 ]
Component/s	Original: pipeline [ 21692 ]

Jesse Glick made changes - 2016-08-29 20:45

Link

New: This issue is related to ~~JENKINS-33614~~ [ ~~JENKINS-33614~~ ]

Jesse Glick added a comment - 2018-02-22 20:24

Since ~~JENKINS-33614~~ is covering the link part, reinterpreting this as the pause approach.

Jesse Glick added a comment - 2018-02-22 20:24 Since JENKINS-33614 is covering the link part, reinterpreting this as the pause approach.

Jesse Glick made changes - 2018-02-22 20:24

Issue Type	Original: Task [ 3 ]	New: New Feature [ 2 ]
Priority	Original: Minor [ 4 ]	New: Major [ 3 ]
Summary	Original: Using Groovy methods from a sandbox doesn't tell the user how to approve/deal with exceptions	New: Pause script on sandbox rejection and give an admin a chance to approve & resume

Assignee:: Unassigned

Reporter:: R. Tyler Croy

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2016-01-15 01:51

Updated:: 2018-09-28 10:00

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2016-03-23 19:51

Expand comment: Jesse Glick added a comment - 2016-03-23 19:51

Collapse comment: Jesse Glick added a comment - 2016-06-06 19:20

Expand comment: Jesse Glick added a comment - 2016-06-06 19:20

Collapse comment: Jesse Glick added a comment - 2018-02-22 20:24

Expand comment: Jesse Glick added a comment - 2018-02-22 20:24

People

Dates