Jenkins 2.60.1 and Script Security plugin

I’d like to avoid having to deploy this farm again, so just to make sure: my Jenkins ‘got upgraded’ to 2.60.1, which runs fine after making sure a Java 8 JRE/JDK is present on the VM(s).

But just about every job I have now fails with an org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException stating that such-and-so method is not approved yet, which then requires me to approve that specific method, re-run the job, repeat, ad infinitum (it seems).

Is this expected with Jenkins 2.60.x, and is this karma for trying to upgrade things, or is this ‘fixable’ and am I missing a setting somewhere?

Yeah, we’ve done the upgrade and had to click a lot of accepts too.

With the new security restrictions there are two levels of approvals. One for approving methods and the other for approving script content. In our testing we are most of the way to having all the methods explicitly scripted.

Talking with @nuclearsandwich we have a theoretical understanding of how we could use the Jenkins API to automatically whitelist the scripts that are generated, when they are generated. Our usage pattern is not well supported by the tighter security model. So how to do this will take some experimentation.

So in the short term unfortunately there are a lot of manual approvals. The good news is that once you’ve gotten through the approvals not too many new ones jump up unless there’s a change in the generators. And in the long term we definitely want to automate it.

The security advisory and updated versions that introduced the whitelist changes were announced in April. The ROS 1 buildfarm hasn’t updated as it’s still based on Trusty which lacks Java 8. The buildfarm we’re currently using for the next beta of ROS 2 has not upgraded to 2.60 because we’re focused on getting the release shipped. From scanning the changelog, I don’t believe there’s anything new that’s security related in this LTS release from the changes in April.

There’s a seed scriptApproval.xml that the new Xenial-based buildfarm masters will start with, but as far as I recall manual intervention will still be required for a few jobs. I didn’t document which jobs specifically as thoroughly as I wish I had.

Since the list of scripts / API to approve only populates incrementally (and some code paths are not utilized often or when no problems are happening) it might be better to start with a full list (copied from the ROS 1 buildfarm): https://gist.github.com/dirk-thomas/808a344462f83bd269f906af0e151b9d

Thanks for the replies.

Argh, that must’ve been a lot of clicking. I was hoping to avoid that.

True. I deliberately installed an Oracle JDK as they seem to be more performant. That was already a version 8, so no problems with the new Jenkins. Or at least, until jobs started to fail …

Oh nice. I’m going to see if that resolves some of the endless clicking.

Is that the same list as @nuclearsandwich linked to?

I believe that Dirk’s is slightly more comprehensive as it is based on a recent version of the current ROS 1 buildfarm.
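Before bulk-loading a signature list like the ones discussed in this thread into a seed scriptApproval.xml, it helps to see which entries are actually new and which ones grant broad access. The following is an added example, not part of any post above and not buildfarm code: the sample XML, the candidate list and the `REVIEW` pattern are constructed, and only the `approvedSignatures`/`string` element layout is the Script Security plugin's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an existing scriptApproval.xml (not from a real buildfarm).
CURRENT_XML = """<scriptApproval plugin="script-security">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method java.lang.String trim</string>
  </approvedSignatures>
  <pendingSignatures/>
</scriptApproval>"""

# Constructed candidate list in the plugin's "kind class member args" syntax.
CANDIDATES = """method java.lang.String trim
method hudson.model.Job getBuilds
new java.io.File java.lang.String
staticMethod java.lang.System getenv java.lang.String
staticMethod jenkins.model.Jenkins getInstance
""".splitlines()

# Assumption: a local review heuristic, not a list taken from the plugin.
# It holds back signatures touching files, processes, reflection or the Jenkins singleton.
REVIEW = re.compile(r"java\.io\.File|java\.lang\.(Runtime|ProcessBuilder|System)\b"
                    r"|java\.lang\.reflect\.|groovy\.lang\.GroovyShell"
                    r"|jenkins\.model\.Jenkins getInstance")

def approved_signatures(xml_text):
    """Return the set of signatures already approved in scriptApproval.xml."""
    root = ET.fromstring(xml_text)
    return {s.text.strip() for s in root.findall("./approvedSignatures/string") if s.text}

def plan_merge(xml_text, candidates):
    """Split not-yet-approved candidates into (auto_approve, needs_review)."""
    wanted = {c.strip() for c in candidates if c.strip()}
    new = sorted(wanted - approved_signatures(xml_text))
    review = [s for s in new if REVIEW.search(s)]
    return [s for s in new if s not in review], review

def merge(xml_text, signatures):
    """Return scriptApproval.xml text with the given signatures appended."""
    root = ET.fromstring(xml_text)
    node = root.find("approvedSignatures")
    if node is None:
        node = ET.SubElement(root, "approvedSignatures")
    for sig in sorted(set(signatures) - approved_signatures(xml_text)):
        ET.SubElement(node, "string").text = sig
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    auto, review = plan_merge(CURRENT_XML, CANDIDATES)
    print("auto-approve:", auto, "\nneeds review:", review)
```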