Password-like file parameter type?


kuba.bo...@gmail.com

Aug 17, 2020, 10:10:17 AM
to Jenkins Developers

Jenkins has file and password parameter types, but I'm looking for a combination of the two.

My problem with file parameter is that the file is stored in the build and can be retrieved later.
Is there some parameter implementation that would handle files without making them available later?

Jakub Bocheński

Aug 17, 2020, 10:44:23 AM
to jenkin...@googlegroups.com
For now I just use this script to delete the file after the build:
           // do not store the secret files on master's disk
           systemGroovyCommand('''
                import java.io.File;
                new File(build.getRootDir(), "fileParameters").deleteDir();
           ''')

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-dev/pr04Pf-p89U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/265098f7-1269-4b9b-9dfe-4bb4094cf210n%40googlegroups.com.

Jesse Glick

Aug 19, 2020, 4:03:15 PM
to Jenkins Dev
On Mon, Aug 17, 2020 at 10:10 AM kuba.bo...@gmail.com
<kuba.bo...@gmail.com> wrote:
> My problem with file parameter is that the file is stored in the build and can be retrieved later.
> Is there some parameter implementation that would handle files without making them available later?

I do not think so. Would be especially thorny for Pipeline because
what is “later”? If you restart Jenkins in the middle of a build and
it needs the parameter after the restart, what then? What if you
*Replay* the build?

You could _predefine_ secret file credentials and then use a
credentials parameter.

Jakub Bocheński

Aug 20, 2020, 10:17:36 AM
to jenkin...@googlegroups.com
Well, file parameter is not supported for Pipeline at the moment anyhow :)

But in principle I don't see why it couldn't be kept until the build is finished.
I don't mind storing it for some time. The main problems are:
 - after the build is done anybody with view permission can see the parameter
 - the file will be stored on disk as long as the build is, I'd like to get rid of it earlier

I guess having an aggressive log rotator policy could limit the impact of it, but it would be removing too much.

> You could _predefine_ secret file credentials and then use a
> credentials parameter.

The whole point is to allow users to upload a certificate, so that won't help.

Jakub Bocheński



Gavin Mogan

Aug 20, 2020, 12:51:28 PM
to Jenkins Developers
If it's not using the credentials system, then what is the difference between a password and a text parameter?

I haven't checked in a while, but at one point credentials could be attached to a user. Why not do that and let them use that credential id, then the only thing stored is the id, and it's safe and secure and encrypted?

Gavin


Jakub Bocheński

Aug 21, 2020, 7:51:38 AM
to jenkin...@googlegroups.com
Interesting idea, I can indeed add credentials to a user in JENKINS_URL/user/USERNAME/credentials/store/user/domain/_/

I assume those credentials are only available to the user who uploaded them?

Jakub Bocheński


Matt Sicker

Aug 21, 2020, 11:40:42 AM
to jenkin...@googlegroups.com
User scoped credentials are only available to that user, yes. If you
use the authorize project plugin, you can also allow a build to use a
user's credentials provided that's the user you configured the build
to run as. Otherwise, they're only available through selecting them in
a parameterized build of some sort.




--
Matt Sicker
Senior Software Engineer, CloudBees
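
The approach suggested in the replies above, as an added example that is not part of the original thread: a declarative Pipeline that takes a credentials parameter restricted to secret files and binds the selected credential to a temporary file only for the duration of one step. The parameter name CERT, the variable CERT_FILE and the openssl command are hypothetical; the example assumes the Credentials, Plain Credentials and Credentials Binding plugins are installed and that the uploaded secret file is a PEM certificate.

```groovy
// Added example, not code from the thread.
// CERT and CERT_FILE are hypothetical names chosen for illustration.
pipeline {
    agent any
    parameters {
        // The build records only the credential ID, not the file contents,
        // so users with view permission on the build see an ID and nothing more.
        credentials(
            name: 'CERT',
            description: 'Secret file credential holding the certificate',
            credentialType: 'org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl',
            defaultValue: '',
            required: true
        )
    }
    stages {
        stage('Use certificate') {
            steps {
                // Single quotes are deliberate: the literal parameter expression
                // '${CERT}' is handed to the binding, which resolves it against
                // the credentials parameter, including a user-scoped credential
                // selected by the user who triggered the build.
                withCredentials([file(credentialsId: '${CERT}', variable: 'CERT_FILE')]) {
                    // The secret is written to a temporary file that is removed
                    // when this block ends. The shell command is a placeholder.
                    sh 'openssl x509 -in "$CERT_FILE" -noout -subject -enddate'
                }
            }
        }
    }
}
```

Each user uploads the certificate once to their own credentials store as a secret file and then selects it in the build form.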