Unable to upgrade Jenkins plugins due to Groovy security

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • groovy-plugin
    • None

      The three components referenced here appear to be participating in an upgrade-hell scenario from which there is no escape. After upgrading to the latest recommended versions (groovy-2.0, ScriptSecurityPlugin-1.34, Role-Based-Auth-Strategy-2.6.0), if you have System groovy scripts in your instance, and are using the role-based security plugin as a user with admin privileges, then running a job that calls a system groovy script fails over and over with errors on each groovy method call. When it fails, going into the In-process Script approval offers me only the choice of approving a groovy method call, which is NOT what I want to do! Nothing in the UI permits me to do what I DO want to do, that is to approve the whole script. If I approve the groovy method call and attempt to run my job again, then that method call is ok, but the next line of the script produces an error. I suppose I could approve each method call, but that is only making things less secure!

      Again, something in the UI should allow me to approve the script and nothing does.  Thus all the security fixes are useless to me because I can't install them and run my System groovy scripts.

       

      UPDATE:  I've amended this to remove mention of the Role Based Auth Strategy plugin.  That appears to have been an unrelated red herring.  The issue, as Oleg describes, is simply that when a script file is specified, one is not given the opportunity to approve the whole script but only to approve each method call line-by-line.

       

        1. script approval error.png
          18 kB
          Steve Cohen
        2. SystemGroovyScript.png
          12 kB
          Steve Cohen
        3. sc1478_1506092433448.png
          15 kB
          Steve Cohen
        4. ListProjects.groovy
          3 kB
          Steve Cohen

          [JENKINS-47072] Unable to upgrade Jenkins plugins due to Groovy security

          Steve Cohen created issue -
          Steve Cohen made changes -
          Issue Type Original: Story [ 10002 ] New: Bug [ 1 ]
          Steve Cohen made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]
          Oleg Nenashev added a comment -

          System Groovy scripts do not use the Script security plugin. Likely here you mean a plugin which has been migrated to Script Security and which supports the Sandbox mode only. Please provide examples of scripts which concern you.

          Oleg Nenashev made changes -
          Component/s New: _unsorted [ 19622 ]
          Component/s Original: role-strategy-plugin [ 15758 ]

          Oleg Nenashev added a comment -

          Nothing to do with Role Strategy for sure


          Steve Cohen added a comment - - edited

          The only reason I mention Role-Strategy is that someone who was trying to help me noticed that such an issue did not occur in another instance he was accessing that did not have it installed and used a different security mechanism. I agree, the issue probably resides elsewhere. I am uploading the script. There is no issue in running this script with groovy-1.2.9 and ScriptSecurity-1.2.6. In the screenshot you can see that only method approvals are ever shown, never script approvals. I never get the opportunity to approve the script with groovy-2.0 and ScriptSecurity-1.3.4.

           

          Steve Cohen made changes -
          Attachment New: ListProjects.groovy [ 39938 ]
          Steve Cohen made changes -
          Attachment New: sc1478_1506092433448.png [ 39939 ]

            vjuranek vjuranek
            sc1478 Steve Cohen