詹金斯管道脚本中的sudo [英] sudo inside Jenkins pipeline script

问题描述

我们有以下设置:

1. 我们只有几个UNIX机器.
2. 有一些用户设置了这些框(例如: spande ).
3. 这些用户具有有限的特权，但可以执行sudo提升权限(sudo用户: admin ).
4. sudo在没有任何密码的情况下发生.

1. We have few UNIX boxes.
2. There are users provisioned to these boxes (ex: spande).
3. These users have limited privileges, but can do sudo to elevate the permissions (sudo user: admin).
4. The sudo happens without any password.

我们在Jenkins中有一个CICD工具，它使用这些Unix盒作为从设备.我们具有 spande 凭据，可以通过Jenkins登录到此UNIX服务器.

We have a CICD tool in Jenkins which uses these Unix boxes as slave. We have spande credentials to login into this unix servers via Jenkins.

我们正在使用Jenkins管道脚本(常规).一切都很好，但是我们希望Jenkins脚本以更高的特权运行，因此需要知道:

We are using Jenkins Pipeline Scripts (groovy). All is well, but we want the Jenkins script to run with a higher previlige and hence need to know:

1. 我们如何在Jenkins脚本中执行sudo? ( sudo su-admin )
2. 这是在脚本中进行sudo的最佳实践/好的方法吗?如果没有，我们还有什么其他选择? (由于组织政策的原因，我们的Unix服务器团队尚未准备好创建具有​​更高权限的启用密码的用户)

感谢您的帮助！

推荐答案

通常来说，只要您不授予超出所需权限的权限，就可以将sudo用作脚本的一部分.与其运行su - admin，通常不如找出Jenkins需要以admin命令运行 as 的命令，然后将其直接放入您的sudoers文件中.

Generally speaking using sudo as part of a script is fine, so long as you're not granting higher permissions than you need. Instead of running su - admin it's usually better to figure out which commands Jenkins needs to run as admin and put those into your sudoers file directly.

假设您需要以用户admin身份运行以下程序，这是Jenkins作业的一部分:

Say you need to run the following programs as user admin as part of your Jenkins job:

/usr/bin/execute
/home/admin/calculate
/opt/synergize

您的sudoers文件可能如下所示(假设您的Jenkins用户为jenkins):

Your sudoers file could look something like this (assuming your Jenkins user is jenkins):

jenkins ALL = (admin) NOPASSWD: /usr/bin/execute, /home/admin/calculate, /opt/synergize

这将允许jenkins用户无需密码即可运行以下命令:

This would allow the jenkins user to run the following commands without a password:

sudo -u admin /usr/bin/execute
sudo -u admin /home/admin/calculate
sudo -u admin /opt/synergize

从安全角度来看，这比提供su - admin访问更为可取，因为这样jenkins可以做admin可以做的任何事情而没有任何实际限制. sudoers文件是非常灵活，您应该能够限制詹金斯，同时仍然允许它做自己需要做的工作.

From a security standpoint this is preferred to providing su - admin access, since then jenkins could do anything admin could without any real restrictions. The sudoers file is very flexible and you should be able to restrict jenkins while still allowing it to do the job it needs to do.

这篇关于詹金斯管道脚本中的sudo的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！