Dronzebot

Transforming DevOps with intelligent bots. https://dronze.com


Jenkins Groovy Script Approval

Jenkins is trying to provide better security, but of course better security means stuff won’t just work out of the box. That is what we found at https://dronze.com as we were building our CI/CD system.

Jenkins is a strange animal: it has become an ecosystem and has a ton of stuff bundled out of the gate. One such plugin is the script-security plugin.

Its job is to provide a whitelist of methods that Groovy DSL or pipeline scripts are allowed to run anonymously. If you don’t set it up, you will see an error like this:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method org.jenkinsci.plugins.workflow.support.actions.EnvironmentAction getEnvironment
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:119)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$1.callStatic(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
at WorkflowScript.printParams(WorkflowScript:45)
at WorkflowScript$printParams.call(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:151)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:21)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:115)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:118)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)

This is a basic issue with CloudBees and the pipeline scripts being hamstrung by the security plugin. To fix it, you will need to add the blocked method to the whitelist. To get there, do the following:

Manage Jenkins -> In-process Script Approval

It will then inform you that there is a script awaiting approval; you can just click the button.

And then add the method you want whitelisted.
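Before clicking approve, it helps to know exactly which signature was rejected and which pipeline line asked for it, so you only whitelist what you meant to. The sketch below is an added example, not code from the original article or from Jenkins: it pulls that information out of a build's console log. The function name and the second sample trace are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the message format shown in the stack trace above; the text after
# "use " is the signature string listed on the approval page.
REJECTED = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<sig>(?:method|staticMethod|new|field|staticField) \S.*?)\s*$"
)
# Pipeline call site, e.g. "at WorkflowScript.printParams(WorkflowScript:45)"
FRAME = re.compile(
    r"^\s*at WorkflowScript\.(?P<fn>[\w$]+)\(WorkflowScript:(?P<line>\d+)\)"
)


def rejected_signatures(log_text):
    """Return {signature: sorted [(pipeline function, line), ...]} for a log."""
    found = defaultdict(set)
    current = None
    for raw in log_text.splitlines():
        m = REJECTED.search(raw)
        if m:
            current = m.group("sig")
            found[current]  # record it even if no pipeline frame follows
            continue
        f = FRAME.match(raw)
        if f and current:
            found[current].add((f.group("fn"), int(f.group("line"))))
            current = None  # only the innermost pipeline frame is the call site
    return {sig: sorted(sites) for sig, sites in found.items()}


# Constructed sample: the first trace is abridged from the one above, the
# second is an invented rejection to show a different signature kind.
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method org.jenkinsci.plugins.workflow.support.actions.EnvironmentAction getEnvironment
\tat org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)
\tat WorkflowScript.printParams(WorkflowScript:45)
\tat WorkflowScript$printParams.call(Unknown Source)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod java.lang.System getenv java.lang.String
\tat WorkflowScript.run(WorkflowScript:12)
"""

if __name__ == "__main__":
    for sig, sites in rejected_signatures(SAMPLE_LOG).items():
        print(sig, "<-", sites)
```

An approved signature applies to every sandboxed script on the Jenkins instance, not just the job that triggered it, so reviewing the list this way before approving keeps the whitelist narrow.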

That’s it. I am going to try to write an article every time I find something like this in my DevOps sandbox.

Hope this helps.

Written by Clay Graham
