Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54262

Groovy Postbuild requires Overall/Administer permission

    XMLWordPrintable

Details

    • groovy-postbuild-2.5

    Description

      Although it uses script security and administrators can whitelist methods and approve scripts, Groovy Postbuild still requires that the user running it must have Overall/Administer permission: https://github.com/jenkinsci/groovy-postbuild-plugin/blob/master/src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java#L364

       

      This creates failed builds when using the Authorize Project plugin to run builds as the user that triggered them and most of the users that run builds are regular users.

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. JENKINS-15212 More flexible and effective security for Groovy Postbuild

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Activity

            Ascending order - Click to sort in descending order
            jglick Jesse Glick added a comment -

            CC wfollonier + danielbeck

            jglick Jesse Glick added a comment - CC wfollonier + danielbeck
            xavierxyz Xavier Xemaire added a comment -

            We have the same problem.
            We use the following Groovy postbuild script:

            manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag'])

            We get the following exception:

            hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission
	at hudson.security.ACL.checkPermission(ACL.java:68)
	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46)
	at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347)
	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
	at hudson.model.Build$BuildExecution.post2(Build.java:186)
	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
	at hudson.model.Run.execute(Run.java:1749)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
Build step 'Groovy Postbuild' marked build as failure

            As we use also promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.

            xavierxyz Xavier Xemaire added a comment - We have the same problem. We use the following Groovy postbuild script: manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag']) We get the following exception: hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission at hudson.security.ACL.checkPermission(ACL.java:68) at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46) at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347) at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744) at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690) at hudson.model.Build$BuildExecution.post2(Build.java:186) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635) at hudson.model.Run.execute(Run.java:1749) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429) Build step 'Groovy Postbuild' marked build as failure As we use also promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.
            ace Adrian Vlad added a comment -

            A workaround is using Flexible publish with an Execute system Groovy script.

            In the script you can do

            import com.jenkinsci.plugins.badge.action.BadgeAction;

def _envVars = build.getEnvironment(listener);

/* Run time */
build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString(System.currentTimeMillis() - build.getStartTimeInMillis()), "grey", "white", "0px", "white"));
            ace Adrian Vlad added a comment - A workaround is using Flexible publish with an Execute system Groovy script. In the script you can do import com.jenkinsci.plugins.badge.action.BadgeAction; def _envVars = build.getEnvironment(listener); /* Run time */ build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString( System .currentTimeMillis() - build.getStartTimeInMillis()), "grey" , "white" , "0px" , "white" ));
            ikedam ikedam added a comment -

            Fixed in groovy-postbuild-2.5.
            It will be available in the update center in a day.
            Please try that.

            ikedam ikedam added a comment - Fixed in groovy-postbuild-2.5. It will be available in the update center in a day. Please try that.

            People

              ace Adrian Vlad
              ace Adrian Vlad
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: