[JENKINS-34650] Allow global libraries to bypass the sandbox

Type: New Feature
Resolution: Fixed
Priority: Major
Component/s: pipeline
Labels:
- groovy
- permissions

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Pipeline Sandbox

Although you are required to have RUN_SCRIPTS to push anything to workflowLibs, the code is run under the same sandbox settings as the main Pipeline scripts. In the case of a Pipeline script using whole-script approval, it makes sense to be checking RUN_SCRIPTS for libraries. But in the case of Pipeline scripts configured to use the Groovy sandbox, the workflowLibs code is also run in the sandbox—a pointless restriction, since only a trusted user could have written that code. You would expect that the library code would be trusted and run in a privileged mode, so it could safely encapsulate otherwise unsafe method calls.

is blocking

JENKINS-32731 Allow plugins to contribute to Pipeline global library

Resolved

is related to

JENKINS-26538 Less-trusted workflow-cps-global-lib

Resolved

relates to

JENKINS-31155 Workflow shared library improvements

Closed

JENKINS-37011 Provide a way to write full-fledged Steps in CPS-transformed Groovy

Resolved

links to

Groovy CPS change

PR 2

workflow-cps-global-lib-plugin #8

workflow-cps-plugin PR #33

(3 links to)

Assignee:: Kohsuke Kawaguchi

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2016-05-06 16:39

Updated:: 2016-10-31 21:52

Resolved:: 2016-08-04 19:27

Jenkins

Details

Description

Attachments

Issue Links

Activity

People

Dates