JENKINS-54262

Groovy Postbuild requires Overall/Administer permission


Details

    • groovy-postbuild-2.5

    Description

      Although it uses script security and administrators can whitelist methods and approve scripts, Groovy Postbuild still requires that the user running it must have Overall/Administer permission: https://github.com/jenkinsci/groovy-postbuild-plugin/blob/master/src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java#L364

       

      This creates failed builds when using the Authorize Project plugin to run builds as the user that triggered them and most of the users that run builds are regular users.

          Activity

            ace Adrian Vlad created issue -
            jglick Jesse Glick made changes -
            Field Original Value New Value
            Labels permissions
            jglick Jesse Glick added a comment - CC wfollonier + danielbeck
            jglick Jesse Glick made changes -
            Link This issue relates to JENKINS-15212 [ JENKINS-15212 ]

            xavierxyz Xavier Xemaire added a comment -

            We have the same problem.
            We use the following Groovy postbuild script:

            manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag'])

            We get the following exception:

            hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission
            	at hudson.security.ACL.checkPermission(ACL.java:68)
            	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46)
            	at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347)
            	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
            	at hudson.model.Build$BuildExecution.post2(Build.java:186)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
            	at hudson.model.Run.execute(Run.java:1749)
            	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            	at hudson.model.ResourceController.execute(ResourceController.java:97)
            	at hudson.model.Executor.run(Executor.java:429)
            Build step 'Groovy Postbuild' marked build as failure

            As we also use promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.
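
Added example (not part of the original thread or the plugin's code): a Python check that scans build console output for the failure reported above and flags only `AccessDeniedException2` traces that pass through `GroovyPostbuildRecorder.perform`, so other permission errors are not attributed to this issue. The sample log, its user names and the function name are constructed for illustration.

```python
import re

# Exception header as it appears in the console output quoted in this issue.
DENIED = re.compile(
    r"hudson\.security\.AccessDeniedException2: (?P<user>.+?) "
    r"is missing the (?P<perm>\S+/\S+) permission"
)
# A Java stack frame line: "at fully.qualified.Class.method(File.java:NN)".
FRAME = re.compile(r"^\s*at\s+(?P<method>[\w.$<>]+)\(")
RECORDER = "org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform"


def find_postbuild_denials(log_text):
    """Return (line_no, user, permission) for every AccessDeniedException2
    whose stack trace includes the Groovy Postbuild recorder frame."""
    hits = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        header = DENIED.search(lines[i])
        i += 1
        if not header:
            continue
        line_no = i  # 1-based number of the header line
        via_recorder = False
        # Consume the contiguous run of "at ..." frames after the header.
        while i < len(lines):
            frame = FRAME.match(lines[i])
            if not frame:
                break
            if frame.group("method") == RECORDER:
                via_recorder = True
            i += 1
        if via_recorder:
            hits.append((line_no, header.group("user"), header.group("perm")))
    return hits


# Constructed sample: one denial raised by Groovy Postbuild, one unrelated.
SAMPLE_LOG = """\
Finished: building image
hudson.security.AccessDeniedException2: alice is missing the Overall/Administer permission
\tat hudson.security.ACL.checkPermission(ACL.java:68)
\tat org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347)
\tat hudson.model.Executor.run(Executor.java:429)
Build step 'Groovy Postbuild' marked build as failure
hudson.security.AccessDeniedException2: bob is missing the Job/Configure permission
\tat hudson.security.ACL.checkPermission(ACL.java:68)
\tat hudson.model.Executor.run(Executor.java:429)
"""
```
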
            ace Adrian Vlad added a comment -

            A workaround is using Flexible publish with an Execute system Groovy script.

            In the script you can do

            import com.jenkinsci.plugins.badge.action.BadgeAction;
            
            def _envVars = build.getEnvironment(listener);
            
            /* Run time */
            build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString(System.currentTimeMillis() - build.getStartTimeInMillis()), "grey", "white", "0px", "white"));
            
            ikedam ikedam made changes -
            Assignee Stefan Wolf [ wolfs ] ikedam [ ikedam ]
            ikedam ikedam made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            ikedam ikedam added a comment -

            Fixed in groovy-postbuild-2.5.
            It will be available in the update center in a day.
            Please try that.

            ikedam ikedam made changes -
            Released As groovy-postbuild-2.5
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            ikedam ikedam made changes -
            Assignee ikedam [ ikedam ] Adrian Vlad [ ace ]
