Properly restricting Credentials access


Andrew Finley

Mar 1, 2019, 2:16:57 PM3/1/19
to Jenkins Developers

Hi guys,

I have a Credentials plugin question.  My plugin uses an API Token to access our API.  We have users store their token as a ‘Secret Text’ Credential in the Credentials plugin.  They can then choose it from a dropdown in the plugin’s Config UI.


I have the plugin working and accessing the Credentials, but what I’m confused about is correctly restricting which Credentials the plugin can see.  This plugin can be used in both Freestyle and Pipeline jobs, and can be run on Slave Nodes as well the master Jenkins server.


So, here are my questions:

  • What Credentials Scopes is it appropriate for a plugin to access?  I’m able to store the Credential ID, and retrieve the Secret for both 'Global' and 'System' types of Credentials, but it sounds like only ‘Global’ Credentials are intended to be used by Jobs.  Is this correct?
  • The functions ‘StandardListBoxModel.includeMatchingAs()’ and ‘CredentialsProvider.listCredentials()’ take an ‘Item’ context as one of the fields.  I’m confused as to how this is used to restrict the search results.  For example, when using this to populate the dropdown list of API Token Credentials in the Job Config UI, if I pass in the ‘@AncestorInPath Item’ context, I am restricted to ‘Global’ Scope Credentials.  However, if I switch from passing the ‘Item’ to using ‘Jenkins.getInstance()’, I can see both ‘System’ and ‘Global’ Scope Credentials.
    • Why are these 2 contexts giving me different results, and which one is correct to use?
    • These functions also take an 'Authentication' field, and I am using ‘ACL.SYSTEM’ here, is this correct, and why/why not?


Thanks,

Andrew

Jesse Glick

Mar 1, 2019, 3:21:41 PM3/1/19
to Jenkins Dev
On Fri, Mar 1, 2019 at 2:16 PM Andrew Finley <afi...@arxan.com> wrote:
> it sounds like only ‘Global’ Credentials are intended to be used by Jobs. Is this correct?

Yes.

> when using this to populate the dropdown list of API Token Credentials in the Job Config UI, if I pass in the ‘@AncestorInPath Item’ context, I am restricted to ‘Global’ Scope Credentials.

That is correct. And if the job is inside a folder, you would see
credentials defined on that folder (or its parents).

> These functions also take an 'Authentication' field, and I am using ‘ACL.SYSTEM’ here, is this correct, and why/why not?

Most callers pass `ACL.SYSTEM`. I think only Stephen Connolly really
understands what this parameter is for.

Daniel Beck

Mar 1, 2019, 3:30:54 PM3/1/19
to Jenkins Developers


> On 1. Mar 2019, at 21:21, Jesse Glick <jgl...@cloudbees.com> wrote:
>
>>
>> These functions also take an 'Authentication' field, and I am using ‘ACL.SYSTEM’ here, is this correct, and why/why not?
>
> Most callers pass `ACL.SYSTEM`

https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc#listing-available-credentials-matching-some-specific-set-of-criteria has examples and some explanation.
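The pattern the replies describe (pass the `@AncestorInPath Item` as the scope context, `ACL.SYSTEM` as the lookup authentication, and resolve the secret at build time against the `Run`), as an added example that is not code from the thread or the plugin. The class name `ApiTokenCredentialsHelper` is hypothetical; it assumes the plain-credentials plugin for `StringCredentials`.

```java
import java.util.Collections;
import hudson.model.Item;
import hudson.model.Run;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;

/** Hypothetical helper a builder/step Descriptor delegates to. */
public final class ApiTokenCredentialsHelper {
    /** Populates the credentials dropdown in the job config UI. */
    public static ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                        @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        // Without the right permission, return only the already-saved value so the
        // dropdown does not enumerate credential IDs the caller may not use.
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result
                .includeEmptyValue()
                // ACL.SYSTEM performs the lookup; the Item is the scope filter. With an Item
                // context only GLOBAL-scoped credentials visible to that job (including its
                // parent folders) are listed; SYSTEM-scoped ones are excluded by design.
                .includeMatchingAs(ACL.SYSTEM, item, StringCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    /** Resolves the token at build time against the Run, not Jenkins.getInstance(). */
    public static StringCredentials resolve(String credentialsId, Run<?, ?> run) {
        StringCredentials c = CredentialsProvider.findCredentialById(
                credentialsId, StringCredentials.class, run, Collections.emptyList());
        if (c != null) {
            CredentialsProvider.track(run, c); // records the usage on the credential
        }
        return c;
    }
}
```

Passing `Jenkins.getInstance()` (an `ItemGroup`) instead of the `Item` is what makes SYSTEM-scoped credentials appear, which is the behaviour the question observed; a job-level consumer should not do that.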
