Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-45139

2.0 Security broke Node labeling script

    Details

    • Similar Issues:

      Description

      I have a system groovy script to update node labels after tools are installed.

      This has been working fine until I upgraded the plugin to 2.0

      Now I get:

       01:33:08 org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method hudson.model.TaskListener getLogger*01:33:08* at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:178)*01:33:08* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor$6.reject(SandboxInterceptor.java:243)*01:33:08* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:363)*01:33:08* at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241)*01:33:08* at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238)*01:33:08* at org.kohsuke.groovy.sandbox.impl.Checker$checkedGetProperty$0.callStatic(Unknown Source)*01:33:08* at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)*01:33:08* at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)*01:33:08* at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:230)*01:33:08* at Script1.run(Script1.groovy:5)*01:33:08* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.run(GroovySandbox.java:141)*01:33:08* at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript.evaluate(SecureGroovyScript.java:165)*01:33:08* at hudson.plugins.groovy.SystemGroovy.run(SystemGroovy.java:95)*01:33:08* at hudson.plugins.groovy.SystemGroovy.perform(SystemGroovy.java:59)*01:33:08* at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)*01:33:08* at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:779)*01:33:08* at hudson.model.Build$BuildExecution.build(Build.java:206)*01:33:08* at hudson.model.Build$BuildExecution.doRun(Build.java:163)*01:33:08* at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)*01:33:08* at hudson.model.Run.execute(Run.java:1728)*01:33:08* at hudson.matrix.MatrixRun.run(MatrixRun.java:146)*01:33:08* at hudson.model.ResourceController.execute(ResourceController.java:98)*01:33:08* at hudson.model.Executor.run(Executor.java:405)
      

      Can this sandbox security be turned off?

      How to make this work?

       

      This is my script:

      nodeName = NodeToUpdate
      labelName = LabelName
      set = DesiredState
      listener.logger.println("Running label updater...")
      // Plugin doesn't support build env variables for parameters. Need to handle here
      if (nodeName.equals('ENV')) \{
        nodeName = build.getEnvironment(listener).get('NODE_NAME')
      }
      if (labelName.equals('ENV')) \{
        labelName = build.getEnvironment(listener).get('LabelName')
      }
      listener.logger.println("DEBUG: Node: ''" + nodeName + "'' Label: ''" + labelName + "'' Set: ''" + set + "'")
      
      for (node in jenkins.model.Jenkins.instance.nodes) \{
      // Doesn't include master
      // Next two are same, but syntax error
      //for (node in jenkins.model.Nodes.getNodes()) \{
      //for (node in jenkins.model.Jenkins.getNodes()) \{
          listener.logger.println("DEBUG: Checking node '" + node.getNodeName() + "' for match")
          if (node.getNodeName().equals(nodeName)) \{
              listener.logger.println("Found node to update: " + nodeName)
              oldLabelString = node.getLabelString()
              if (set.equals('true')) \{
                  if (!oldLabelString.contains(labelName)) \{
                      listener.logger.println("Adding label '" + labelName     + "' to node " + nodeName);
                      newLabelString = oldLabelString + " " + labelName
                      node.setLabelString(newLabelString)
                      node.save()
                  } else \{
                      listener.logger.println("Label '" + labelName + "' already exists on node " + nodeName)
                  }
              }
              else \{
                  if (oldLabelString.contains(labelName)) \{
                      listener.logger.println("Removing label '" + labelName + "' from node " + nodeName)
                      newLabelString = oldLabelString.replaceAll(labelName, "")
                      node.setLabelString(newLabelString)
                      node.save()
                  } else \{
                      listener.logger.println("Label '" + labelName + "' doesn't exist on node " + nodeName)
                  }
              }
          }
      }
      

        Attachments

          Activity

          Hide
          snemetz Steven Nemetz added a comment -

          Never mind.

          Appears that script approvals didn't take the first time I set them.

          But it is working now

          Show
          snemetz Steven Nemetz added a comment - Never mind. Appears that script approvals didn't take the first time I set them. But it is working now

            People

            • Assignee:
              vjuranek vjuranek
              Reporter:
              snemetz Steven Nemetz
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: