Jenkins / JENKINS-47072

Unable to upgrade Jenkins plugins due to Groovy security


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: groovy-plugin

      The three components referenced here appear to be participating in an upgrade-hell scenario from which there is no escape. After upgrading to the latest recommended versions (groovy-2.0, ScriptSecurityPlugin-1.34, Role-Based-Auth-Strategy-2.6.0), if you have System groovy scripts in your instance, and are using the role-based security plugin as a user with admin privileges, then running a job that calls a system groovy script fails over and over with errors on each groovy method call. When it fails, going into the In-process Script approval offers me only the choice of approving a groovy method call, which is NOT what I want to do! Nothing in the UI permits me to do what I DO want to do, that is to approve the whole script. If I approve the groovy method call and attempt to run my job again, then that method call is ok, but the next line of the script produces an error. I suppose I could approve each method call, but that is only making things less secure!

      Again, something in the UI should allow me to approve the script and nothing does.  Thus all the security fixes are useless to me because I can't install them and run my System groovy scripts.

       

      UPDATE:  I've amended this to remove mention of the Role Based Auth Strategy plugin.  That appears to have been an unrelated red herring.  The issue, as Oleg describes, is simply that when a script file is specified, one is not given the opportunity to approve the whole script but only to approve each method call line-by-line.

       

            vjuranek vjuranek
            sc1478 Steve Cohen