I've gathered some security-related information that I ran into while creating an automated Jenkins setup.
Script Approval
This simple Jenkins security system (the Script Security plugin) is designed to allow any kind of script to be run, but only with an administrator's approval.
There is a global list of approved scripts, and each script has to be approved before it can run. Unapproved scripts are blocked to prevent malicious actions.
When an administrator saves something (a job), any script it contains is automatically added to the approved list. When a non-administrator user saves something, Jenkins checks whether it contains any scripts and whether those scripts are already present in the approved list; if not, they are queued for approval.
To approve, an administrator needs to go to Manage Jenkins » In-process Script Approval,
where a list of pending approvals is shown. Assuming nothing dangerous-looking is being requested, just click Approve and let the script be run!
If you try to run an unapproved script, it will simply fail, typically with a message like ERROR: script not yet approved for use
After you approve the script, the job can be run without failing.
Approving methods
The problem starts if your scripts automatically set something up in Jenkins, for example when you want to create a ready-to-work machine that does not require further GUI operations, or a seed job that uses groovy to create other jobs.
For this use case I have found some methods that can help.
- signature approval - groovy functions or methods that are called in the scripts. Usually you import different kinds of functions into your groovy scripts, like JsonSlurper or TemplateEngine.
Here is a method to approve one signature (the signature string is exactly what the In-process Script Approval page shows for the pending signature):
// signature of the constructor call to approve, as listed under pending signatures
def signature = 'new groovy.json.JsonSlurperClassic'
// add it to the global list of approved signatures
org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval.get().approveSignature(signature)
- approve all - sometimes you want to approve everything that was added to the approval queue. In my case there was a bigger number of seed jobs that were intended to create other jobs.
import org.jenkinsci.plugins.scriptsecurity.scripts.*
// copy the pending set first, because approving a script removes it from the live collection
toApprove = ScriptApproval.get().getPendingScripts().collect()
// approve each pending script by its hash, the same key the approval page uses
toApprove.each { pending -> ScriptApproval.get().approveScript(pending.getHash()) }
To test both snippets, just go to Manage Jenkins » Script Console
and run them; that should do the job!
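Approving the whole queue also approves scripts nobody has looked at, so a middle ground between the two snippets above is to approve only the scripts that were submitted from your own seed jobs and leave the rest pending. The following Script Console script is an added example, not code from the original post; it assumes the Script Security plugin classes ScriptApproval, PendingScript and ApprovalContext, that the pending script's context exposes getItem() (full name of the job) and getUser(), and the seed job names in the allow-list are constructed placeholders.

```groovy
// Added example: approve only pending scripts that belong to known seed jobs,
// print everything else for manual review in Manage Jenkins » In-process Script Approval.
import org.jenkinsci.plugins.scriptsecurity.scripts.*

// Constructed allow-list: full names of the seed jobs we generated ourselves.
def allowedSeedJobs = ['seed/generate-team-jobs', 'seed/generate-pipelines'] as Set

def approval = ScriptApproval.get()
// Copy the set first: approving a script while iterating the live collection mutates it.
def pending = approval.getPendingScripts().collect()

def approved = []
def heldForReview = []

pending.each { PendingScript ps ->
    // Assumption: the approval context carries the submitting job and user (may be null).
    String item = ps.context?.getItem()
    String user = ps.context?.getUser()
    if (item != null && allowedSeedJobs.contains(item)) {
        approval.approveScript(ps.getHash())
        approved << "${item} (saved by ${user})"
    } else {
        // Leave it in the queue; an administrator still has to review it by hand.
        heldForReview << "${item ?: 'no job context'} (saved by ${user}) hash=${ps.getHash()}"
    }
}

println "Approved ${approved.size()} seed job script(s):"
approved.each { println "  ${it}" }
println "Left ${heldForReview.size()} script(s) pending for manual review:"
heldForReview.each { println "  ${it}" }
```

Run it from Manage Jenkins » Script Console like the snippets above; the printed hashes match the entries on the In-process Script Approval page, so the held-back scripts can be approved or denied there.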