JENKINS-47593

can not to be online without permission


Details

    • Bug
    • Status: Resolved (View Workflow)
    • Critical
    • Resolution: Fixed
    • ec2-plugin
    • None

    Description

      After the upgrade to 2.86, the plugin needs extra permission for the dynamic script to bring the slave online via an SSH connection.

      I cannot use "In-process Script Approval" because this script looks like
      'ssh user@123.212.12.232 ....' and it is dynamic!

          Activity

            jglick Jesse Glick added a comment -

            Seems an issue with EC2UnixLauncher.

            matt_zeemann Matt Zeemann added a comment -

            While this gets fixed, are there any known workarounds? 

            pperzyna Piotr Perzyna added a comment -

            Yes, I have! You can use native Java SSH - just uncheck the ssh option in config


            kulinski Chris Kulinski added a comment -

            Since the script to validate is well-known, and the arguments are dynamic (therefore hard to approve), should the plugin use the constructor that pre-approves the script?

            https://github.com/jenkinsci/command-launcher-plugin/blob/master/src/main/java/hudson/slaves/CommandLauncher.java#L82-L87 


            kulinski Chris Kulinski added a comment -

            We needed to use the "ssh option" in config, so we patched `EC2UnixLauncher` to use the other constructor for `CommandLauncher`

            We also had to install the new command-launcher-plugin. It seems the code likely gets a ClassNotFoundException for CommandLauncher, since it's been moved to its own plugin.

            danielbeck Daniel Beck added a comment -

            kulinski This should not be happening; Jenkins should identify an upgrade and install newly detached plugins. Please file a new issue and file as many details as possible; ideally steps to reproduce and logs of the first Jenkins startup after update. Ping me in the description or a comment.

            jglick Jesse Glick added a comment -

            To be clear, the “this” that should not be happening is the NoClassDefFoundError or whatever it is. The need to manually approve a command-line launch string is an acknowledged issue.


            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Wadeck Follonier
            Path:
            src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
            http://jenkins-ci.org/commit/ec2-plugin/ae2bf458ecad2a84d0d9a5f899977f4a6da82af6
            Log:
            JENKINS-47593 [SECURITY-643] Allow command to be run without approval

            • use the second constructor of CommandLauncher to avoid being blocked by the security fix
            danielbeck Daniel Beck added a comment - This was fixed as part of the 1.38 security update for the EC2 plugin.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Francis Upton IV
            Path:
            pom.xml
            src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
            src/main/java/hudson/plugins/ec2/SlaveTemplate.java
            src/main/java/hudson/plugins/ec2/UnixData.java
            src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
            src/main/resources/hudson/plugins/ec2/Messages.properties
            http://jenkins-ci.org/commit/ec2-plugin/180f7d0eae6031d67259a5d86d9d7d382f9eb05b
            Log:
            Jenkins 47593 avoid script block (#253)

            • JENKINS-47593 [SECURITY-643] Allow command to be run without approval
            • use the second constructor of CommandLauncher to avoid being blocked by the security fix
            • - adding permission check on unsafe parameter modification
            • adding warning message in case someone is modifying the unsafe parameters
            • - also put the right check on the readResolve
            • regroup the permission error message
            • - change name of the required permission
            • [SECURITY-643] Fix exception during start of cloud config
            • [maven-release-plugin] prepare release ec2-1.38
            • [maven-release-plugin] prepare for next development iteration
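
The approval problem discussed in this thread, as an added Java model that is not code from Jenkins, the EC2 plugin or the command-launcher plugin: approval matches the exact command string, so a command carrying a per-agent address never matches, while the trusted-code path registers the string it built itself. The `Template` class, its `remoteUser` field, the admin-only setter and the 192.0.2.x addresses are assumptions made for illustration; the setter stands in for the "permission check on unsafe parameter modification" named in the commit log.

```java
import java.util.HashSet;
import java.util.Set;

/** Simplified model of exact-match command approval; not Jenkins or ec2-plugin code. */
public class LaunchApprovalModel {
    /** Stands in for the approval store: only exact command strings listed here may run. */
    static final Set<String> approved = new HashSet<>();

    /** Hypothetical template whose field is interpolated into the launch command. */
    static class Template {
        private String remoteUser = "user";

        /** With commands pre-approved, editing this field is the remaining gate, so it is admin-only. */
        void setRemoteUser(String value, boolean callerIsAdmin) {
            if (!callerIsAdmin) {
                throw new SecurityException("admin permission required to change remoteUser");
            }
            remoteUser = value;
        }

        String commandFor(String host) {
            return "ssh " + remoteUser + "@" + host + " java -jar agent.jar";
        }
    }

    /** Form-style path: the command runs only if that exact string was approved earlier. */
    static boolean launchFromForm(String command) {
        return approved.contains(command);
    }

    /** Trusted-code path: the plugin built the command itself, so it registers it before use. */
    static boolean launchFromTrustedCode(String command) {
        approved.add(command);
        return approved.contains(command);
    }

    public static void main(String[] args) {
        Template t = new Template();
        // Constructed addresses from the documentation range; each new agent changes the string.
        approved.add(t.commandFor("192.0.2.10")); // an admin approved the command for one agent
        System.out.println("approved agent:    " + launchFromForm(t.commandFor("192.0.2.10")));
        System.out.println("next agent, form:  " + launchFromForm(t.commandFor("192.0.2.11")));
        System.out.println("next agent, fixed: " + launchFromTrustedCode(t.commandFor("192.0.2.11")));
        try {
            t.setRemoteUser("other", false); // non-admin edit of an interpolated field
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```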

            People

              wfollonier Wadeck Follonier
              pperzyna Piotr Perzyna