Jenkins Groovy Script Approval

Jenkins is trying to provide better security, but of course better security means stuff won’t just work out of the box. That is what we found at https://dronze.com as we were building our CI/CD system.

Jenkins is a strange animal: it has become an ecosystem and has a ton of stuff bundled out of the gate. One such plugin is the script-security plugin.

Its job is to provide a whitelist of methods that Groovy DSL or pipeline scripts are allowed to run anonymously. If you don't set it up you will see an error like this:

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method org.jenkinsci.plugins.workflow.support.actions.EnvironmentAction getEnvironment
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:119)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$1.callStatic(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallStatic(CallSiteArray.java:56)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callStatic(AbstractCallSite.java:194)
at WorkflowScript.printParams(WorkflowScript:45)
at WorkflowScript$printParams.call(Unknown Source)
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:151)
at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:21)
at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:115)
at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:118)
at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)

This is a basic issue with CloudBees and the pipeline scripts being hamstrung by the security plugin. To fix it you will need to add the blocked method to the whitelist. To get there do the following:

Manage Jenkins -> In-process Script Approval

It will then inform you that there is a script awaiting approval; you can just click the button.

And then add the method you want whitelisted.
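
Before approving, it helps to see exactly which signature is being whitelisted and which pipeline line asked for it, because an approved signature applies to every sandboxed script on the instance. The following is an added example, not part of the original post: a Python helper that pulls rejected signatures and their WorkflowScript call sites out of a console log. It assumes the "Scripts not permitted to use <kind> <details>" message format seen in the trace above; the function names and the second sample rejection are constructed for illustration.

```python
import re

# Assumed message format (as in the trace above): "Scripts not permitted to use <kind> <details>"
REJECT = re.compile(
    r"RejectedAccessException: Scripts not permitted to use "
    r"(?P<kind>method|staticMethod|new|field|staticField) (?P<details>.+?)\s*$"
)
# First pipeline frame in the trace, e.g. "at WorkflowScript.printParams(WorkflowScript:45)"
FRAME = re.compile(r"^\s*at WorkflowScript\.(?P<func>[\w$]+)\(WorkflowScript:(?P<line>\d+)\)")


def rejected_signatures(log_text):
    """Return one record per rejection: the signature and the pipeline call site."""
    records, current = [], None
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            current = {"signature": f"{m['kind']} {m['details']}", "func": None, "line": None}
            records.append(current)
            continue
        f = FRAME.match(line)
        if f and current is not None and current["line"] is None:
            current["func"], current["line"] = f["func"], int(f["line"])
    return records


def review_list(records):
    """Collapse duplicates so each signature is reviewed once, with its call sites."""
    grouped = {}
    for r in records:
        sites = grouped.setdefault(r["signature"], [])
        if (r["func"], r["line"]) not in sites:
            sites.append((r["func"], r["line"]))
    return grouped


# Constructed sample: the first rejection is from the trace above, the second is made up.
SAMPLE_LOG = """\
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method org.jenkinsci.plugins.workflow.support.actions.EnvironmentAction getEnvironment
at org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.StaticWhitelist.rejectMethod(StaticWhitelist.java:176)
at WorkflowScript.printParams(WorkflowScript:45)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use staticMethod org.example.Util helper java.lang.String
	at WorkflowScript.run(WorkflowScript:12)
"""

if __name__ == "__main__":
    for sig, sites in review_list(rejected_signatures(SAMPLE_LOG)).items():
        print(sig, "<-", sites)
```

Each key in the result is the signature string as it would appear in the approval list, so it can be compared against what the approval page is offering before anything is approved.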

That’s it. I am going to try to write an article every time I find something like this in my DevOps sandbox.

Hope this helps.
