[JENKINS-34650] Allow global libraries to bypass the sandbox

Type: New Feature
Resolution: Fixed
Priority: Major
Component/s: pipeline
Labels:
- groovy
- permissions

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Pipeline Sandbox

Although you are required to have RUN_SCRIPTS to push anything to workflowLibs, the code is run under the same sandbox settings as the main Pipeline scripts. In the case of a Pipeline script using whole-script approval, it makes sense to be checking RUN_SCRIPTS for libraries. But in the case of Pipeline scripts configured to use the Groovy sandbox, the workflowLibs code is also run in the sandbox—a pointless restriction, since only a trusted user could have written that code. You would expect that the library code would be trusted and run in a privileged mode, so it could safely encapsulate otherwise unsafe method calls.

is blocking

JENKINS-32731 Allow plugins to contribute to Pipeline global library

Resolved

is related to

JENKINS-26538 Less-trusted workflow-cps-global-lib

Resolved

relates to

JENKINS-31155 Workflow shared library improvements

Closed

JENKINS-37011 Provide a way to write full-fledged Steps in CPS-transformed Groovy

Resolved

links to

Groovy CPS change

PR 2

workflow-cps-global-lib-plugin #8

workflow-cps-plugin PR #33

(3 links to)

Jesse Glick created issue - 2016-05-06 16:39

Jesse Glick added a comment - 2016-05-06 16:40

~~JENKINS-26538~~ requests the converse, in a sense: libraries that regular users could upload but which could not run unsafe methods.

Jesse Glick added a comment - 2016-05-06 16:40 JENKINS-26538 requests the converse, in a sense: libraries that regular users could upload but which could not run unsafe methods.

Jesse Glick made changes - 2016-05-06 16:40

Link

New: This issue is related to ~~JENKINS-26538~~ [ ~~JENKINS-26538~~ ]

Jesse Glick made changes - 2016-05-06 16:47

Remote Link

New: This issue links to "PR 2 (Web Link)" [ 14275 ]

Jesse Glick made changes - 2016-06-06 19:18

Epic Link

New: JENKINS-35391 [ 171184 ]

Kohsuke Kawaguchi added a comment - 2016-07-25 21:49

I'm going to work on this in the context of https://github.com/cloudbees/groovy-cps/pull/36

Kohsuke Kawaguchi added a comment - 2016-07-25 21:49 I'm going to work on this in the context of https://github.com/cloudbees/groovy-cps/pull/36

Kohsuke Kawaguchi made changes - 2016-07-25 21:49

Remote Link

New: This issue links to "Groovy CPS change (Web Link)" [ 14658 ]

R. Tyler Croy made changes - 2016-07-25 23:52

Workflow

Original: JNJira [ 170820 ]

New: JNJira + In-Review [ 184058 ]

Kohsuke Kawaguchi made changes - 2016-07-26 20:20

Remote Link

New: This issue links to "workflow-cps-plugin PR #33 (Web Link)" [ 14662 ]

Kohsuke Kawaguchi added a comment - 2016-07-26 20:28

This is the entry point into this series of changes

Kohsuke Kawaguchi added a comment - 2016-07-26 20:28 This is the entry point into this series of changes

Kohsuke Kawaguchi made changes - 2016-07-26 20:28

Remote Link

New: This issue links to "workflow-cps-global-lib-plugin #8 (Web Link)" [ 14663 ]

Assignee:: Kohsuke Kawaguchi

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2016-05-06 16:39

Updated:: 2016-10-31 21:52

Resolved:: 2016-08-04 19:27

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Jesse Glick added a comment - 2016-05-06 16:40

Expand comment: Jesse Glick added a comment - 2016-05-06 16:40

Collapse comment: Kohsuke Kawaguchi added a comment - 2016-07-25 21:49

Expand comment: Kohsuke Kawaguchi added a comment - 2016-07-25 21:49

Collapse comment: Kohsuke Kawaguchi added a comment - 2016-07-26 20:28

Expand comment: Kohsuke Kawaguchi added a comment - 2016-07-26 20:28

People

Dates