2016-06-20 80 views
3

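I am running Jenkins in a local trusted environment and am trying to run this pipeline. This Jenkinsfile is checked into git. How can I disable the security checks for Jenkins pipeline builds?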

#!groovy 
node('master') { 
    def ver = pomVersion() 
    echo "Building version $ver" 
} 

def pomVersion(){ 
    def pomtext = readFile('pom.xml') 
    def pomx = new XmlParser().parseText(pomtext) 
    pomx.version.text() 
} 

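The first few times I ran the build, I needed to manually approve changes (Jenkins -> Manage Jenkins -> In-process Script Approval). Now I get this exception, and there is nothing to approve. All I want to do is parse an XML file. Can pipeline builds bypass these security checks completely?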

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field groovy.util.Node version 
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:367) 
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetProperty(SandboxInterceptor.java:363) 
    at org.kohsuke.groovy.sandbox.impl.Checker$4.call(Checker.java:241) 
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetProperty(Checker.java:238) 
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getProperty(SandboxInvoker.java:23) 
    at com.cloudbees.groovy.cps.impl.PropertyAccessBlock.rawGet(PropertyAccessBlock.java:17) 
    at WorkflowScript.pomVersion(WorkflowScript:10) 
    at WorkflowScript.run(WorkflowScript:3) 
    at ___cps.transform___(Native Method) 
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.get(PropertyishBlock.java:62) 
    at com.cloudbees.groovy.cps.LValueBlock$GetAdapter.receive(LValueBlock.java:30) 
    at com.cloudbees.groovy.cps.impl.PropertyishBlock$ContinuationImpl.fixName(PropertyishBlock.java:54) 
    at sun.reflect.GeneratedMethodAccessor479.invoke(Unknown Source) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at java.lang.reflect.Method.invoke(Method.java:498) 
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72) 
    at com.cloudbees.groovy.cps.impl.ConstantBlock.eval(ConstantBlock.java:21) 
    at com.cloudbees.groovy.cps.Next.step(Next.java:58) 
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154) 
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18) 
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32) 
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:29) 
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108) 
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:29) 
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:164) 
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:276) 
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$000(CpsThreadGroup.java:78) 
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:185) 
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:183) 
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:47) 
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) 
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112) 
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28) 
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) 
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) 
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
    at java.lang.Thread.run(Thread.java:745) 
Finished: FAILURE 

Answers

0

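As stated above: in newer Jenkins versions, script security has been tightened. However, for the specific use case of reading a version from Maven's pom.xml, you can use readMavenPom from the Pipeline Utility Steps Plugin:

pom = readMavenPom file: 'pom.xml' 
pom.version 

There are some other solutions in this StackOverflow question as well.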

0

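The problem can be solved with the following steps:

  1. Install the Permissive Script Security plugin (version 0.3 or newer)
  2. Add the permissive-script-security.enabled command line parameter to the Jenkins master with the value:

    • true if you want to disable the need to approve scripts, but potentially dangerous signatures will be logged: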

      -Dpermissive-script-security.enabled=true 
      
    • no_security if you want to disable the need to approve scripts and also disable logging of potentially dangerous signatures:

      -Dpermissive-script-security.enabled=no_security 
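
An added example, not part of the original question or answers: before relaxing the sandbox, a script like this can summarize which accesses the sandbox is rejecting in saved console logs, using the exception format shown in the question. The function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# First line of a script-security rejection in a Jenkins console log.
# "unclassified ..." means the sandbox could not resolve the access to a
# concrete member; "Scripts not permitted to use ..." names a concrete
# signature that was blocked.
REJECTION = re.compile(
    r"RejectedAccessException: "
    r"(?:(?P<unclassified>unclassified)|Scripts not permitted to use) "
    r"(?P<kind>\w+) (?P<signature>.+?)\s*$"
)

# Constructed sample log (not taken from a real build).
SAMPLE_LOG = """\
[Pipeline] echo
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified field groovy.util.Node version
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.unclassifiedField(SandboxInterceptor.java:367)
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use new groovy.util.XmlParser
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.util.XmlParser parseText java.lang.String
org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: Scripts not permitted to use method groovy.util.XmlParser parseText java.lang.String
Finished: FAILURE
"""

def summarize_rejections(log_text):
    """Count rejections keyed by (status, kind, signature)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECTION.search(line)
        if not m:
            continue  # stack frames and ordinary build output
        status = "unclassified" if m.group("unclassified") else "blocked"
        counts[(status, m.group("kind"), m.group("signature"))] += 1
    return counts

def report(log_text):
    """Return one line per distinct rejection, most frequent first."""
    return [
        f"{n:>3}  {status:<12} {kind:<6} {sig}"
        for (status, kind, sig), n in summarize_rejections(log_text).most_common()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The `unclassified` rows correspond to the case in the question, where the exception appears but no entry is waiting for approval.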
      