Certified Jenkins Engineer
Jenkins Administration and Monitoring Part 2
Demo Groovy Sandbox and In process Script Approval Part 2
Welcome to the second lesson on the Groovy Sandbox and script approval. In this guide, you'll learn how to:
- Enable sandbox enforcement globally in Jenkins.
- Hide the Use Groovy Sandbox checkbox for non-admin users.
- Verify the behavior as both admin and non-admin users.
- Understand the limitations of hiding the checkbox.
Sample Pipeline
We’ll demonstrate with this simple declarative pipeline:
pipeline {
agent any
stages {
stage('Topic') {
steps {
echo 'Exploring Groovy Sandbox!'
}
}
}
}
1. Force Groovy Sandbox Globally
- Navigate to Manage Jenkins → Configure Global Security.
- Scroll to the Sandbox section (use the browser’s find feature for “sandbox”).
- Check Force Use of Groovy Sandbox.
- Check Hide the sandbox checkbox in Pipeline jobs.
- Click Apply and Save.
Note
Jenkins may require a restart for these permission changes to take effect.
2. Verify Behavior by User Role
Use the following table to confirm what each user sees in the pipeline configuration UI:
User Role | Pipeline Configuration UI |
---|---|
Administrator | Sees and can toggle the Use Groovy Sandbox checkbox. |
Non-Admin User | Checkbox is hidden; they cannot modify sandbox setting. |
3. Verify as an Administrator
- Log in as an administrator.
- Open any Pipeline job and click Configure.
- Confirm that the Use Groovy Sandbox checkbox is still visible and editable.
4. Verify as a Non-Admin User
- Via Manage Jenkins → Manage and Assign Roles, assign the Configure Jobs permission to a non-admin user (e.g.,
Ali
). - Log in as
Ali
(you can use an incognito or private browsing window). - Open any Pipeline job (for example, “Groovy Sandbox Test”) and click Configure.
- Confirm that the Use Groovy Sandbox checkbox is no longer displayed.
Warning
Hiding the checkbox only affects the Jenkins UI. Users with sufficient permissions can still enable or disable the sandbox by:
- Jenkins CLI
- Jenkins HTTP Remote Access API
5. UI Screenshot
6. Next Steps
In the next lesson, we'll dive into the Groovy Sandbox’s blacklist of disallowed signatures and methods.
References
Watch Video
Watch video content