AccessControlException in DslGeneratorProcess - how to troubleshoot
Hi Teamcity Team
im trying to integrate library to DSL reolution process and get AccessControlException:
````
````
Current Status:
[17:10:19]: Failed to apply changes from VCS to project settings (revision 4e2..f8): java.lang.reflect.InvocationTargetException. Please fix the errors in VCS and commit again.
MyProject: MyProject.buildTypes.MyProject_Build$1$3 [55]: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
java.security.AccessController.checkPermission(AccessController.java:884)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
java.lang.Class.checkMemberAccess(Class.java:2348)
java.lang.Class.getDeclaredField(Class.java:2067)
khttp.requests.GenericRequest.toIDN(GenericRequest.kt:193)
khttp.requests.GenericRequest.makeRoute(GenericRequest.kt:198)
khttp.requests.GenericRequest.<init>(GenericRequest.kt:128)
khttp.KHttp.request(KHttp.kt:58)
khttp.KHttp.get(KHttp.kt:28)
khttp.KHttp.get$default(KHttp.kt:27)
MyProject.buildTypes.MyProject_Build$1$3.invoke(MyProject_Build.kt:55)
MyProject.buildTypes.MyProject_Build$1$4$1.invoke(MyProject_Build.kt:66)
MyProject.buildTypes.MyProject_Build$1$4$1.invoke(MyProject_Build.kt:12)
jetbrains.buildServer.configs.kotlin.v2017_2.buildSteps.ScriptBuildStep.<init>(ScriptBuildStep.kt:18)
jetbrains.buildServer.configs.kotlin.v2017_2.buildSteps.ScriptBuildStepKt.script(ScriptBuildStep.kt:66)
MyProject.buildTypes.MyProject_Build$1$4.invoke(MyProject_Build.kt:65)
MyProject.buildTypes.MyProject_Build$1$4.invoke(MyProject_Build.kt:12)
jetbrains.buildServer.configs.kotlin.v2017_2.BuildTypeSettings.steps(BuildTypeSettings.kt:172)
MyProject.buildTypes.MyProject_Build$1.invoke(MyProject_Build.kt:63)
MyProject.buildTypes.MyProject_Build$1.invoke(MyProject_Build.kt:12)
jetbrains.buildServer.configs.kotlin.v2017_2.BuildType.<init>(BuildType.kt:65)
MyProject.buildTypes.MyProject_Build.<init>(MyProject_Build.kt:12)
MyProject.buildTypes.MyProject_Build.<clinit>(MyProject_Build.kt:12)
MyProject.Project$1.invoke(Project.kt:21)
MyProject.Project$1.invoke(Project.kt:11)
jetbrains.buildServer.configs.kotlin.v2017_2.Project.<init>(Project.kt:170)
MyProject.Project.<init>(Project.kt:11)
MyProject.Project.<clinit>(Project.kt:11)
MyProject.Settings.<init>(Unknown Source)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:423)
jetbrains.buildServer.configs.dsl.kotlin.KotlinRunner.lambda$runScript$2(KotlinRunner.java:243)
jetbrains.buildServer.configs.dsl.SecurityPolicyBasedContext.runSecure(SecurityPolicyBasedContext.java:59)
jetbrains.buildServer.configs.dsl.kotlin.KotlinRunner.runScript(KotlinRunner.java:243)
jetbrains.buildServer.configs.dsl.kotlin.KotlinRunner.run(KotlinRunner.java:123)
jetbrains.buildServer.configs.dsl.kotlin.KotlinRunner.run(KotlinRunner.java:93)
jetbrains.buildServer.configs.dsl.DslGeneratorProcess.generateProjects(DslGeneratorProcess.java:104)
jetbrains.buildServer.configs.dsl.DslGeneratorProcess.run(DslGeneratorProcess.java:51)
jetbrains.buildServer.configs.dsl.DslGeneratorProcess.main(DslGeneratorProcess.java:29)
````
I amended both jre and Catalina policies to allow accessDeclaredMembers, but that doesn't give any effect. Please clarify how to troubleshoot - in which realm DslGeneratorProcess runs to grant proper permissions. Unfortunately i cannot find anything related to DslGeneratorProcess in all teamcity logs. Looks like it is bootstrapped in some special way and has no logger - that makes it difficult to address the issue
Thank you
Please sign in to leave a comment.
Hi, it looks like you are trying to establish a connection within DSL.
DSL generation process is run in a sandbox and is not allowed to establish external connections or read any data outside of the special temp folder
Sergey, thanks a lot for clarification. I'm trying to do very basic thing - submit build status to repository manager. What is the proper way to do so in DSL world?
Thanks in advance
Alex, DSL is the way to generate TeamCity configuration. It doesn't run any builds. If you'd like to submit build status to repository manager, that must be done as a build step.
For example:
object Conf1 : BuildType({name = "Conf1"
steps{
script {
scriptContent = "./submitToRepo.sh"
}
}
})
It's a poor approach.First of all - why do i need to write some script if i already have kotlin project (which could run on both win/lin nodes btw))
2 - what if i want to get response back in DSL? To parse script output looks awkward but at least it works. But how do i get script output in DSL? Very simple case - i want to get list of reviewers and email them of the build result.
Would be good to relax this sandbox restrictions. I agree they should be strict by default, but i'd like to elevate permissions as necessary
Thank you
I think I don't completely understand what would you want to achieve with this.
You mentioned that you need to send something to the repository manager during the build. But with DSL doesn't run any builds. It just defines the configuration(s).
Intentions are:
1) to configure some steps dynamically in DSL (like providing extended mail list to notification step)
2) Send events to external systems basing on step results (like post comment to a review system with code style violations). That could be done as a separate steps, just need to have a way to communicate between steps - get result and provide to the next step
It looks so logical and doable in DSL - i expected to have it out of the box.
I think there is a misunderstanding about DSL's capabilities. DSL is NOT executed during the build - it is executed once after commit to generate configuration and then TeamCity will use the resulting configuration until next commit is performed into DSL's VCS Root.
Sergey, thanks a lot for clarifications.
So, the right approach is to use steps which will be translated to configuration and run later.
Is there any way to communicate between steps in DSL? i can try to emulate this by writing magic stdout messages but this again looks so awkward when you can write code Kotlin. Should be that a feature request?
thank you
Alex, I'm not sure what you mean by "communicate between steps". Again, DSL just creates xml configuration files. You can actually see the result on DSL execution by running maven target teamcity-configs:generate. The result will be in the target/generated-configs folder
Sergey, thanks for clarification. It is clear now!