Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-54262

Groovy Postbuild requires Overall/Administer permission

    Details

    • Similar Issues:
    • Released As:
      groovy-postbuild-2.5

      Description

      Although it uses script security and administrators can whitelist methods and approve scripts, Groovy Postbuild still requires that the user running it must have Overall/Administer permission: https://github.com/jenkinsci/groovy-postbuild-plugin/blob/master/src/main/java/org/jvnet/hudson/plugins/groovypostbuild/GroovyPostbuildRecorder.java#L364

       

      This creates failed builds when using the Authorize Project plugin to run builds as the user that triggered them and most of the users that run builds are regular users.

        Attachments

          Issue Links

            Activity

            Hide
            jglick Jesse Glick added a comment -
            Show
            jglick Jesse Glick added a comment - CC Wadeck Follonier + Daniel Beck
            Hide
            xavierxyz Xavier Xemaire added a comment -

            We have the same problem.
            We use the following Groovy postbuild script:

            manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag'])
            

            We get the following exception:

            hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission
            	at hudson.security.ACL.checkPermission(ACL.java:68)
            	at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46)
            	at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347)
            	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690)
            	at hudson.model.Build$BuildExecution.post2(Build.java:186)
            	at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635)
            	at hudson.model.Run.execute(Run.java:1749)
            	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
            	at hudson.model.ResourceController.execute(ResourceController.java:97)
            	at hudson.model.Executor.run(Executor.java:429)
            Build step 'Groovy Postbuild' marked build as failure
            

            As we use also promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.

            Show
            xavierxyz Xavier Xemaire added a comment - We have the same problem. We use the following Groovy postbuild script: manager.addShortText(manager.build.getEnvironment(manager.listener)['dockerTag']) We get the following exception: hudson.security.AccessDeniedException2: ******(<userid>) is missing the Overall/Administer permission at hudson.security.ACL.checkPermission(ACL.java:68) at hudson.security.AccessControlled.checkPermission(AccessControlled.java:46) at org.jvnet.hudson.plugins.groovypostbuild.GroovyPostbuildRecorder.perform(GroovyPostbuildRecorder.java:347) at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744) at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:690) at hudson.model.Build$BuildExecution.post2(Build.java:186) at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:635) at hudson.model.Run.execute(Run.java:1749) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:97) at hudson.model.Executor.run(Executor.java:429) Build step 'Groovy Postbuild' marked build as failure As we use also promotions in the job, we cannot use the badge plugin, as it works only in Jenkins pipelines.
            Hide
            ace Adrian Vlad added a comment -

            A workaround is using Flexible publish with an Execute system Groovy script.

            In the script you can do

            import com.jenkinsci.plugins.badge.action.BadgeAction;
            
            def _envVars = build.getEnvironment(listener);
            
            /* Run time */
            build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString(System.currentTimeMillis() - build.getStartTimeInMillis()), "grey", "white", "0px", "white"));
            
            Show
            ace Adrian Vlad added a comment - A workaround is using Flexible publish with an Execute system Groovy script. In the script you can do import com.jenkinsci.plugins.badge.action.BadgeAction; def _envVars = build.getEnvironment(listener); /* Run time */ build.addAction(BadgeAction.createShortText(hudson.Util.getTimeSpanString( System .currentTimeMillis() - build.getStartTimeInMillis()), "grey" , "white" , "0px" , "white" ));
            Hide
            ikedam ikedam added a comment -

            Fixed in groovy-postbuild-2.5.
            It will be available in the update center in a day.
            Please try that.

            Show
            ikedam ikedam added a comment - Fixed in groovy-postbuild-2.5. It will be available in the update center in a day. Please try that.

              People

              • Assignee:
                ace Adrian Vlad
                Reporter:
                ace Adrian Vlad
              • Votes:
                2 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: