Jenkins / JENKINS-45517

Support JobDSL without security check if called from a global pipeline lib

      Description

      When using JobDSL in pipeline scripts [1] that are configured globally (and hence are trusted) [2], the script security should be automatically disabled [3].

      At the moment the only workaround is to globally disable the script security for the JobDSL plugin [4] (but then it can also be used in regular Jenkinsfiles!) or to manually approve all incarnations (not feasible for us, we have way too many incarnations that may come in).

      It should be possible to check in the implementation of the jobDsl command whether the caller is already in a trusted context. If yes, all security checks should be skipped.

      [1]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/User-Power-Moves#use-job-dsl-in-pipeline-scripts

      [2]
      https://jenkins.io/doc/book/pipeline/shared-libraries/#global-shared-libraries
      https://github.com/jenkinsci/workflow-cps-global-lib-plugin

      [3]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Migration#migrating-to-160
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security

      [4]
      https://github.com/jenkinsci/job-dsl-plugin/wiki/Script-Security#disabling-script-security

          Activity

          ghenzler Georg Henzler created issue -

            People

            • Assignee:
              daspilker Daniel Spilker
              Reporter:
              ghenzler Georg Henzler
            • Votes:
              1
              Watchers:
              4