Does Jenkins provide a way to namespace credentials?
6 views
Skip to first unread message
Chris Kilding
Oct 13, 2020, 10:04:57 AM10/13/20
to jenkin...@googlegroups.com
Hello,
I've had some users express interest in being able to namespace their credentials, so that they can reuse credential IDs in different namespaces. The motivation is to make it simpler to reference the same credential (e.g. an Artifactory deploy key) across environments (e.g. staging, production) where that credential's value is different per environment.
This can obviously be done today by prefixing the credential with the environment name, but they would like a more elegant solution.
Example:
- The backing store secret with ID "staging/foo" becomes a credential with ID "foo" in the namespace "staging"
- The backing store secret with ID "production/foo" becomes a credential with ID "foo" in the namespace "production"
- The backing store secret with ID "foo" becomes a credential with ID "foo" in the default namespace
Does Jenkins provide a way to namespace credentials, so that a credential ID need only be unique within its namespace, rather than within the whole provider or globally?
Regards,
Chris
PS We have looked at credential domains, which do some of what the users want. But unfortunately they don't seem to support full namespacing: if a credential is within a domain, it's still visible in the provider's overall list, so its ID must still be unique within the whole provider. This means the example above can't work, and prefixes would still be necessary.
PS We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control: we may want credentials in a certain namespace to be used by jobs in more than 1 folder (or no folder).
I've had some users express interest in being able to namespace their credentials, so that they can reuse credential IDs in different namespaces. The motivation is to make it simpler to reference the same credential (e.g. an Artifactory deploy key) across environments (e.g. staging, production) where that credential's value is different per environment.
This can obviously be done today by prefixing the credential with the environment name, but they would like a more elegant solution.
Example:
- The backing store secret with ID "staging/foo" becomes a credential with ID "foo" in the namespace "staging"
- The backing store secret with ID "production/foo" becomes a credential with ID "foo" in the namespace "production"
- The backing store secret with ID "foo" becomes a credential with ID "foo" in the default namespace
Does Jenkins provide a way to namespace credentials, so that a credential ID need only be unique within its namespace, rather than within the whole provider or globally?
Regards,
Chris
PS We have looked at credential domains, which do some of what the users want. But unfortunately they don't seem to support full namespacing: if a credential is within a domain, it's still visible in the provider's overall list, so its ID must still be unique within the whole provider. This means the example above can't work, and prefixes would still be necessary.
PS We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control: we may want credentials in a certain namespace to be used by jobs in more than 1 folder (or no folder).
Jesse Glick
Oct 13, 2020, 12:47:43 PM10/13/20
to Jenkins Dev
On Tue, Oct 13, 2020 at 10:04 AM Chris Kilding
<chris+...@chriskilding.com> wrote:
> We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control
Folder-based hierarchy is the recommended technique for managing both
<chris+...@chriskilding.com> wrote:
> We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control
credentials and access control over a large number of items. I suppose
you could define a novel credential provider implementation using some
ad-hoc regular expressions or something.
Reply all
Reply to author
Forward
0 new messages