我正在本地可信赖的环境中运行Jenkins,我正在尝试运行此管道。这个Jenkins文件被检入git。
#!groovy
node('master') {
def ver = pomVersion()
echo "Building version $ver"
}
def pomVersion(){
def pomtext = readFile('pom.xml')
def pomx = new XmlParser().parseText(pomtext)
pomx.version.text()
}
我运行构建的前几次,我需要手动批准更改(Jenkins-> Mange Jenkins->进程内脚本批准)。现在我得到了这个例外,没有什么可以批准的。我想要做的就是解析一个XML文件。对于管道构建,是否可以完全绕过这些安全检查?
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field groovy.util.Node version
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:367)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:363)
at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:23)
at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:17)
at WorkflowScript.pomVersion(WorkflowScript:10)
at WorkflowScript.run(WorkflowScript:3)
at ___cps.transform___(Native Method)
at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:62)
at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30)
at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:54)
at sun.reflect.GeneratedMethodAccessor479.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21)
at com.cloudbees.groovy.cps.Next.step(Next.java:58)
at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:29)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:29)
at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:276)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:78)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:185)
at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183)
at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE
答案 0 :(得分:8)
目前不可能。这个问题有一个公开的票证https://issues.jenkins-ci.org/browse/JENKINS-28178
答案 1 :(得分:5)
尝试以下jenkins插件:https://wiki.jenkins-ci.org/display/JENKINS/Permissive+Script+Security+Plugin 它会禁用沙箱。适合我。
答案 2 :(得分:4)
您可以按照以下步骤解决问题:
将default命令行参数添加到Jenkins master,其值为:
permissive-script-security.enabled如果您要禁用批准脚本的需要,但会记录可能存在危险的签名:
true -Dpermissive-script-security.enabled=true
如果您想要禁用批准脚本并禁用日志记录潜在危险签名:
no_security答案 3 :(得分:1)
如上所述:在较新的Jenkins版本中,Script Security已经收紧。但是,对于从Maven的pom.xml中读取版本的特定用例,可以使用Pipeline Utility Steps Plugin中的readMavenPom:
pom = readMavenPom file: 'pom.xml'
pom.version
此StackOverflow question中还有其他一些解决方案。
答案 4 :(得分:0)
我想提供一个最终发现的解决方案,该解决方案是在搜寻互连网以寻求解决方案并尝试此处提出的一些解决方案之后完成的。
关于我的设置的一些背景:
我的情况: 每当有人修改现有的Jenkins管道(通过groovy)并引入使用某些自定义groovy的新功能时,Jenkins都会使工作失败并标记代码段以供批准。批准是人工的,而且乏味。
我已经尝试了上面发布的解决方案,但它们对我不起作用。因此,我的技巧是创建一个Jenkins作业,该作业运行一个Shell作业,该作业会获取需要批准的签名列表,然后将其添加到/var/jenkins_home/scriptApproval.xml文件中。
一些陷阱:
我的詹金斯(Jenkins)工作的shell命令示例:
#!/bin/bash
echo ""
#default location of the Jenkins approval file
APPROVE_FILE=/var/jenkins_home/scriptApproval.xml
#creating an array of the signatures that need approved
SIGS=(
'method hudson.model.ItemGroup getItem java.lang.String'
'staticMethod jenkins.model.Jenkins getInstance'
)
#stepping through the array
for i in "${SIGS[@]}"; do
echo "Adding :"
echo "$i"
echo "to $APPROVE_FILE"
echo ""
#checking the xml file to see if it has already been added, then deleting. this is a trick to keep xmlstarlet from creatine duplicates
xmlstarlet -q ed --inplace -d "/scriptApproval/approvedSignatures/string[text()=\"$i\"]" $APPROVE_FILE
#adding the entry
xmlstarlet -q ed --inplace -s /scriptApproval/approvedSignatures -t elem -n string -v "$i" $APPROVE_FILE
echo ""
done
echo "##### Completed updating "$APPROVE_FILE", displaying file: #####"
cat "$APPROVE_FILE"