When writing Groovy workflow code that is loaded via SCM and uses third party classes and methods, is it possible to avoid the sandbox and have my methods executed by default, without being rejected with security exceptions?
Create the workflow item as an administrator (a user with Overall/RunScripts permission)
Related
Just to quote as an example one can submit a remote-run with some tool like TeamCity (similar to Jenkins) where it will apply delta/patch on what user is trying to commit & produces result whether changes is good from set-of configured checks for that project.
With Github & Jenkins, can such validation be achieved with any plugins out there?, which will avoid breaking a build?
I know with pull-request & status check one can achieve similar end-result. But without commit/push to remote repo of Git - is there a way Jenkins can handle this validation & produce initial result ??
It isn't possible to have GitHub perform checks on data it doesn't have, so if you don't push the data to the remote server, GitHub won't know anything about it and therefore will do nothing.
Jenkins does have a REST API that you could use to do this, provided you equipped each developer with appropriate credentials. However, this is not a common situation and wouldn't be a recommended configuration.
You'd be better off with a script in the repository that users could install as a hook or invoke from a hook that would perform the testing you want. If your CI jobs run a script in your repository, then sharing code between them should be easy.
Note that you shouldn't mandate pre-commit hooks, since they can interfere with advanced users (who may make intentionally incomplete temporary commits) and they can be disabled by users. Any sort of required checks should be done as part of CI, where policy can be enforced appropriately.
Currently in order to enable or disable a job, a user must have Job Configure permissions in the Matrix-based security configuration.We would like to be able to manage the enable / disable job permission independently from the job configure permission.
There are some nightly jobs that we want every user to be able to enable and disable the project without touching/breaking the configuration.
Thanks
Provide a script for the users that will do this using the credentials of 'root' user and set only the execute bit on the script so that no one can read/copy it.
At least 3 ways to make a script:
HTTP POST request:
1.
curl -X POST http(s)://<your_jenkins_url>/jenkins/job/<nightly-build_job_name>/disable
2.
Use python JenkinsAPI.
Documentation is very good, easy to understand much like the API.
3.
The third one can be a script which will use jenkins-cli: accepted answer describes this well .
The Job Configure permission is bounded to the disable/enable function in each job, that's true.
One alternative to disable/enable jobs without the corresponding permission is to create new jobs which do this internally. For example, a job that needs job names as parameters, and disables them.
You could use curl + credentials of a Jenkins user with the Job Configure permission.
You could use plugins. For example, this script using the Job DSL Plugin:
job("jobname"){
using("jobname")
disabled(true)
}
For other options, check out this question.
You may try to install this plugin to get the enable/disable button for the individual project-
I checked in my Jenkins and I could see this:
But when I checked under plugins section I don't see this extra column plugin installed. Probably this is the default behavior in latest versions of Jenkins.
I'm developing a grails plugin, which I would like to send an email after the application's Config.groovy has been processed. (For one reason, that the Config.groovy - or other external configuration file - will have all the config I need for emails.)
I attempted a MyPluginBootStrap.groovy, however this got executed before the applications configuration (and indeed, its BootStrap.groovy). And it seems all the normal plugin onXXX() hooks are executed before the application startup.
My next thought is simply to tell people that they need to manually call a method in the plugin to trigger the functionality. So, they'd potentially add a call to their BootStrap.groovy. But I want it more automatic.
Ideally I'd like things to work as follows:
A developer adds the plugin to their BuildConfig.groovy;
A developer specifies some configuration in their Config.groovy - or external config; and then
When you app starts, the email gets sent - without them having to do anything more than item 1 and 2 above.
Is this possible?
Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.
We use Jenkins and Active Directory plugin for authentication.
For some reason, I need to add a specific account in Jenkins but not in Active Directory.
Is it possible to use both Active Directory and internal user ?
If it's impossible, I think I can modify the plugin to add an account in it.
I know it's not a good idea, but we need this function.
I think it's in ActiveDirectoryAuthenticationProvider.java's retrieveUser() function.
If you have Jenkins deployed to an app server and the app server supports your use case, you can use the "Delegate to servlet container" option in the Security Realm.
You might be able to utilize the Script Security Realm Plugin