JENKINS-47593

can not to be online without permission


Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • ec2-plugin
    • None

    Description

      After the upgrade to 2.86, the plugin needs extra permission for the dynamic script to bring the slave online via an SSH connection.

      I cannot use "In-process Script Approval" because this script looks like
      'ssh user@123.212.12.232 ....' and it is dynamic!

          Activity

            pperzyna Piotr Perzyna created issue -
            pperzyna Piotr Perzyna made changes -
            Field: Description
            Original Value: After the upgrade to 2.86, the plugin needs extra permission for the dynamic script to bring the slave online.
            New Value: After the upgrade to 2.86, the plugin needs extra permission for the dynamic script to bring the slave online via an SSH connection. I cannot use "In-process Script Approval" because this script looks like 'ssh user@123.212.12.232 ....' and it is dynamic!
            jglick Jesse Glick made changes -
            Component/s command-launcher-plugin [ 23169 ]
            Component/s ec2-plugin [ 15625 ]
            Assignee Francis Upton [ francisu ]
            jglick Jesse Glick added a comment -

            Seems an issue with EC2UnixLauncher.

            jglick Jesse Glick made changes -
            Component/s ec2-plugin [ 15625 ]
            Component/s command-launcher-plugin [ 23169 ]
            Assignee Francis Upton [ francisu ]
            jglick Jesse Glick made changes -
            Link This issue is blocking JENKINS-47393 [ JENKINS-47393 ]
            matt_zeemann Matt Zeemann added a comment -

            While this gets fixed, are there any known workarounds? 

            pperzyna Piotr Perzyna added a comment -

            Yes, I have! You can use native Java SSH - just uncheck the ssh option in config.

            kulinski Chris Kulinski added a comment -

            Since the script to validate is well-known, and the arguments are dynamic (therefore hard to approve), should the plugin use the constructor that pre-approves the script?

            https://github.com/jenkinsci/command-launcher-plugin/blob/master/src/main/java/hudson/slaves/CommandLauncher.java#L82-L87

            kulinski Chris Kulinski added a comment -

            We needed to use the "ssh option" in config, so we patched `EC2UnixLauncher` to use the other constructor for `CommandLauncher`.

            We also had to install the new command-launcher-plugin. It seems the code likely gets a ClassNotFoundException for CommandLauncher, since it's been moved to its own plugin.
            danielbeck Daniel Beck added a comment -

            kulinski This should not be happening; Jenkins should identify an upgrade and install newly detached plugins. Please file a new issue and file as many details as possible; ideally steps to reproduce and logs of the first Jenkins startup after update. Ping me in the description or a comment.

            jglick Jesse Glick added a comment -

            To be clear, the “this” that should not be happening is the NoClassDefFoundError or whatever it is. The need to manually approve a command-line launch string is an acknowledged issue.

            wfollonier Wadeck Follonier made changes -
            Remote Link This issue links to "#244 (ec2) (Web Link)" [ 18119 ]
            atanistra Artur Tanistra made changes -
            Rank Ranked higher
            wfollonier Wadeck Follonier made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            wfollonier Wadeck Follonier made changes -
            Assignee Francis Upton [ francisu ] Wadeck Follonier [ wfollonier ]
            jamesdumay James Dumay made changes -
            Remote Link This issue links to "CloudBees Internal OSS-2545 (Web Link)" [ 18254 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Wadeck Follonier
            Path:
            src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
            http://jenkins-ci.org/commit/ec2-plugin/ae2bf458ecad2a84d0d9a5f899977f4a6da82af6
            Log:
            JENKINS-47593 [SECURITY-643] Allow command to be run without approval

            • use the second constructor of CommandLauncher to avoid being blocked by the security fix
            danielbeck Daniel Beck added a comment - This was fixed as part of the 1.38 security update for the EC2 plugin.
            danielbeck Daniel Beck made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Francis Upton IV
            Path:
            pom.xml
            src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
            src/main/java/hudson/plugins/ec2/SlaveTemplate.java
            src/main/java/hudson/plugins/ec2/UnixData.java
            src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
            src/main/resources/hudson/plugins/ec2/Messages.properties
            http://jenkins-ci.org/commit/ec2-plugin/180f7d0eae6031d67259a5d86d9d7d382f9eb05b
            Log:
            Jenkins 47593 avoid script block (#253)

            • JENKINS-47593 [SECURITY-643] Allow command to be run without approval
            • use the second constructor of CommandLauncher to avoid being blocked by the security fix
            • - adding permission check on unsafe parameter modification
            • adding warning message in case someone is modifying the unsafe parameters
            • - also put the right check on the readResolve
            • regroup the permission error message
            • - change name of the required permission
            • [SECURITY-643] Fix exception during start of cloud config
            • [maven-release-plugin] prepare release ec2-1.38
            • [maven-release-plugin] prepare for next development iteration
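
The trade-off discussed in this thread, as an added model that is not code from the ec2-plugin, the command-launcher-plugin or Jenkins: approval keyed on the exact command string can never match a command that embeds a per-instance address, so the plugin-built command skips approval and the user-editable part is guarded by a permission check instead. All class, method and parameter names and the sample values are hypothetical.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model, not Jenkins or ec2-plugin code; every name here is hypothetical.
public class LaunchApprovalModel {
    // Administrator-approved scripts, matched as exact strings.
    static final Set<String> APPROVED = new HashSet<>();

    static final class Launcher {
        final String command;
        private Launcher(String command) { this.command = command; }

        // User-entered command: must match an approved string exactly.
        static Launcher fromUserConfig(String command) {
            if (!APPROVED.contains(command)) {
                throw new SecurityException("awaiting approval: " + command);
            }
            return new Launcher(command);
        }

        // Command assembled by plugin code: no approval lookup.
        static Launcher fromPluginCode(String command) { return new Launcher(command); }
    }

    // The only user-editable part of the command; changing it needs admin rights.
    static String saveSshOptions(String current, String requested, boolean isAdmin) {
        if (!requested.equals(current) && !isAdmin) {
            throw new SecurityException("administrator permission required to change ssh options");
        }
        return requested;
    }

    static String buildCommand(String sshOptions, String host) {
        return "ssh " + sshOptions + " user@" + host;
    }

    public static void main(String[] args) {
        String opts = "-o ConnectTimeout=30";              // constructed sample values
        APPROVED.add(buildCommand(opts, "198.51.100.7"));  // approved for one instance
        String next = buildCommand(opts, "198.51.100.8");  // next instance, new address
        try {
            Launcher.fromUserConfig(next);
        } catch (SecurityException e) {
            System.out.println("user path:   " + e.getMessage());
        }
        System.out.println("plugin path: " + Launcher.fromPluginCode(next).command);
        try {
            saveSshOptions(opts, "-o ConnectTimeout=60", false); // non-admin edit
        } catch (SecurityException e) {
            System.out.println("config save: " + e.getMessage());
        }
    }
}
```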

            People

              Assignee: wfollonier Wadeck Follonier
              Reporter: pperzyna Piotr Perzyna
              Votes: 5
              Watchers: 10