JENKINS-47072: Unable to upgrade Jenkins plugins due to Groovy security

      Description

      The three components referenced here appear to be participating in an upgrade-hell scenario from which there is no escape.  After upgrading to the latest recommended versions (groovy-2.0, ScriptSecurityPlugin-1.34, Role-Based-Auth-Strategy-2.6.0), if you have System groovy scripts in your instance, and are using the role-based security plugin as a user with admin privileges, then running a job that calls a system groovy script fails over and over with errors on each groovy method call.  When it fails, going into the In-process Script Approval offers me only the choice of approving a groovy method call, which is NOT what I want to do!  Nothing in the UI permits me to do what I DO want to do, that is, to approve the whole script.  If I approve the groovy method call and attempt to run my job again, then that method call is OK, but the next line of the script produces an error.  I suppose I could approve each method call, but that is only making things less secure!

      Again, something in the UI should allow me to approve the script and nothing does.  Thus all the security fixes are useless to me because I can't install them and run my System groovy scripts.

       

      UPDATE:  I've amended this to remove mention of the Role Based Auth Strategy plugin.  That appears to have been an unrelated red herring.  The issue, as Oleg describes, is simply that when a script file is specified, one is not given the opportunity to approve the whole script but only to approve each method call line-by-line.

       

          Activity

          sc1478 Steve Cohen added a comment -

          There is possibly a deeper issue here.  While waiting for the above replies, and thank you, Oleg and Daniel, for them, I once again tried installing the new ScriptApproval and Groovy plugins.  The same issue still occurs (I have not yet tried Daniel's suggestion of putting the script inline).  However, the wrinkle I find is that even after approving the method call:

           

          and then running the job again, the same error occurs even though I am running the job as an administrative user.  Is there something special about this method that resists being allowed?  After reading something somewhere, I also tried modifying my script to call Jenkins.getInstance() directly rather than the code shown in the above attachment that called Jenkins.instance.  None of these things helped.

           

          sc1478 Steve Cohen added a comment - - edited

          It does appear that putting the script online gets me over this hump, so Daniel's workaround appears good.  But I was not even asked to approve the script, it was simply accepted.  Was this because the system knew I was an administrative user?

          danielbeck Daniel Beck added a comment -

          Was this because the system knew I was an administrative user?

          Yes.

          olivergondza Oliver Gondža added a comment -

          These are the unfortunate implications of adding Script Security support to Groovy plugin. I do not think there is much we can do about this - though I agree it sucks.

          sc1478 Steve Cohen added a comment -

          Here's another unfortunate implication: JENKINS-48522


            People

            • Assignee:
              vjuranek vjuranek
              Reporter:
              sc1478 Steve Cohen