I was trying to execute a seed job(having github url with groovy scripts) in jenkins and got following error.
First time build. Skipping changelog.
Processing DSL script APIServerDeployer.groovy
ERROR: script not yet approved for use
Finished: FAILURE
In order to get past this Jenkins security feature, you will need to approve your script. Go to Manage Jenkins -> In-process Script Approval. In that screen, you will see the script that you are trying to execute. There should be an approve button that you'll need to click to approve that script.
Job DSL version 1.60 introduced Script Security; to restore old behavior, uncheck Enable script security for Job DSL scripts in the CSRF Protection section of the "Configure Global Security" page. This should only be done if you have another way of approving scripts, such as through git pull request approval if your seed job builds jobs living in git.
Here's a groovy script that we use to pre-populate script approvals:
import java.lang.reflect.*;
import jenkins.model.Jenkins;
import jenkins.model.*;
import org.jenkinsci.plugins.scriptsecurity.scripts.*;
import org.jenkinsci.plugins.scriptsecurity.sandbox.whitelists.*;
scriptApproval = ScriptApproval.get()
alreadyApproved = new HashSet<>(Arrays.asList(scriptApproval.getApprovedSignatures()))
// add all manual whitelist methods here.
approveSignature('method groovy.json.JsonBuilder call java.util.List')
approveSignature('method groovy.json.JsonSlurper parseText java.lang.String')
approveSignature('method groovy.json.JsonSlurperClassic parseText')
approveSignature('method groovy.lang.Binding getVariables')
approveSignature('method groovy.lang.Binding getVariable java.lang.String')
approveSignature('method groovy.lang.Binding hasVariable java.lang.String')
approveSignature('method groovy.lang.Closure getMaximumNumberOfParameters')
approveSignature('method groovy.lang.GString plus java.lang.String')
approveSignature('method groovy.lang.GroovyObject invokeMethod java.lang.String java.lang.Object')
approveSignature('method hudson.model.Actionable getAction java.lang.Class')
approveSignature('method hudson.model.Actionable getActions')
approveSignature('method hudson.model.Cause$UpstreamCause getUpstreamProject')
approveSignature('method hudson.model.Cause$UserIdCause getUserId')
approveSignature('method hudson.model.ItemGroup getItem java.lang.String')
approveSignature('method hudson.model.Item getUrl')
approveSignature('method hudson.model.Job getBuildByNumber int')
approveSignature('method hudson.model.Job getLastBuild')
approveSignature('method hudson.model.Job getLastSuccessfulBuild')
approveSignature('method hudson.model.Job isBuilding')
approveSignature('method hudson.model.Run getCauses')
approveSignature('method hudson.model.Run getEnvironment hudson.model.TaskListener')
approveSignature('method hudson.model.Run getParent')
approveSignature('method hudson.model.Run getNumber')
approveSignature('method hudson.model.Run getResult')
approveSignature('method hudson.model.Run getUrl')
approveSignature('method hudson.model.Run getLogFile')
approveSignature('method java.util.Map containsKey java.lang.Object')
approveSignature('method java.util.Map entrySet')
approveSignature('method java.util.Map get java.lang.Object')
approveSignature('method java.util.Map keySet')
approveSignature('method java.util.Map putAll java.util.Map')
approveSignature('method java.util.Map remove java.lang.Object')
approveSignature('method java.util.Map size')
approveSignature('method java.util.Map values')
// ... your list here ...
scriptApproval.save()
void approveSignature(String signature) {
if (!alreadyApproved.contains(signature)) {
scriptApproval.approveSignature(signature)
}
}
// Utility methods
String printArgumentTypes(Object[] args) {
StringBuilder b = new StringBuilder();
for (Object arg : args) {
b.append(' ');
b.append(EnumeratingWhitelist.getName(arg));
}
return b.toString();
}
If you're using the Jenkins Groovy DSL, here's a snippet you can use to approve every script that's pending:
import org.jenkinsci.plugins.scriptsecurity.scripts.ScriptApproval
ScriptApproval scriptApproval = ScriptApproval.get()
scriptApproval.pendingScripts.each {
scriptApproval.approveScript(it.hash)
}
Job DSL version 1.60 introduced Script Security, which requires you to whitelist scripts.
Read also the hints about migrating to 1.60.
If you want to disable it programatically, drop the following script into $JENKINS_HOME/init.groovy.d/disable-script-security.groovy:
import javaposse.jobdsl.plugin.GlobalJobDslSecurityConfiguration
import jenkins.model.GlobalConfiguration
// disable Job DSL script approval
GlobalConfiguration.all().get(GlobalJobDslSecurityConfiguration.class).useScriptSecurity=false
GlobalConfiguration.all().get(GlobalJobDslSecurityConfiguration.class).save()
Give a try with disabling script security for Job DSL scripts under Configure Global Security settings. Disable script security for Job DSL scripts
make sure you have enabled groovy sand box below the pipeline
Manage Jenkins -> Security -> disable Enable script security for Job DSL scripts
