Jenkins declarative pipeline throws org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified getAt method

问题

I have defined a shared library in Jenkins:

import com.codependent.jenkins.pipelines.Utils

def call(List<String> mavenGoals){
  def processedMavenGoals = mavenGoals.join ' '
  pipeline {
    agent any
  ...
}

If i call this from my project's Jenkinsfile like this it works ok:

#!groovy
@Library('jenkins-pipeline-shared-library-example') _
buildPipeline(['clean', 'install'])

However if I omit the parethesis as Groovy syntax allows:

#!groovy
@Library('jenkins-pipeline-shared-library-example') _
buildPipeline ['clean', 'install']

The execution shows the folloing exception. Why?

org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException: unclassified getAt method buildPipeline[java.util.ArrayList]
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onGetArray(SandboxInterceptor.java:451)
    at org.kohsuke.groovy.sandbox.impl.Checker$10.call(Checker.java:413)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedGetArray(Checker.java:418)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.getArray(SandboxInvoker.java:45)
    at com.cloudbees.groovy.cps.impl.ArrayAccessBlock.rawGet(ArrayAccessBlock.java:21)
    at WorkflowScript.run(WorkflowScript:3)
    at ___cps.transform___(Native Method)

回答1:

I have had a similar issue after updated jenkins.

In my case the stacktrace also showed a org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException[...]

Reason

Jenkins has a security plugin that blocks certain method calls in Jenkinsfile s.

Solution

To allow these calls that sometimes are harmless:

1. Go to: http://JENKINS_HOST/scriptApproval/ ( Official Documentation )
2. Approve the action that has been denied in the Jenkinsfile
3. Rerun the failed build to see Jenkinsfile work

回答2:

In most cases <JENKINS_SERVER_URL>/scriptApproval should be enough. However there are cases when the forbidden method does not appear in /scriptApproval due to some reasons. Some of them are explained here: Why-am-I-unable-to-see-a-method-in-In-process-Script-Approval.

In such case you can try either programmatically force the method approval (see the answer here: https://stackoverflow.com/a/48234868/4807875) or manually update the $JENKINS_ROOT/scriptApproval.xml file on the Jenkins server. The latter will require root permissions and Jenkins server restart to take effect (the option "Reload Configuration from Disk" will not work).

P. S.: I did not test how it works with the BlackList methods.

来源：https://stackoverflow.com/questions/46429657/jenkins-declarative-pipeline-throws-org-jenkinsci-plugins-scriptsecurity-sandbox