• Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • script-security-plugin
    • - Jenkins 2.401.3
      - Configuration as Code Plugin 1670.v564dc8b_982d0
      - Script Security Plugin 1264.vecf66020eb_7d

      Currently it is possible to add approved signatures with JCasC as follows:

      security:
        scriptApproval:
          approvedSignatures:            
          - "field hudson.model.UpdateSite$Entry version"
          - "method hudson.model.Run getCause java.lang.Class" 
      

      I could not find a way to add signatures approved assuming permission check (using an ACL: access control list). I have tried the following but it did not work:

      security:
        scriptApproval:
          aclApprovedSignatures:
          - "staticMethod jenkins.model.Jenkins getInstance"
          approvedSignatures:            
          - "field hudson.model.UpdateSite$Entry version"
          - "method hudson.model.Run getCause java.lang.Class"  

      It would be great to have such an improvement.

          [JENKINS-71783] Configure aclApprovedSignatures with JCasC

          Craig added a comment -

          This is particularly important because blanket approving is not secure.
          And right now standing up a new Jenkins server means either having to go through tons of errors / failed jobs approving one at a time with ACLs or blanket approving them. Being able to provision ACL signatures with JCasC would help make that process drastically easier and more secure.


            Unassigned Unassigned
            vittorio_c82 Vittorio