| Only user-scoped credentials are displayed in job configuration pages when the job is configured to authenticate as a specific user.
But non-user-scoped credentials also should be displayed when the user has the Credentials/View permission. This behavior is inconsistent with the behavior that users with Credentials/View permissions can see non-user-scoped credentials in the credentials page. This is confusing for many users. Steps to reproduce:
- Launch Jenkins
- Install following plugins:
- Credentials Plugin 2.2.1
- Authorize Project 1.3.0
- Matrix Authorization Strategy Plugin 2.4.2
- Git 3.11.0
- Create following users
- admin
- user1
- All permissions except Overall/Administer
- Configure Access Control for Builds:
- Go to Manage Jenkins > Configure Global Security
- Add "Per-project configurable Build Authorization" in Access Control for Builds
- check "Run as Specific User"
- Add following credentials:
- nonuserscoped1
- Credentials > Jenkins > Global credentials (unrestricted) > Add Credentials
- Configure as following:
- Kind: Username with password
- Scope: Global (Jenkins, nodes, items, all child items, etc)
- Username: nonuserscoped1
- Password: nonuserscoped1
- ID: nonuserscoped1
- userscoped1
- Login as users1
- user1 (by clicking the username in the right up)> Credentials > User: user1 >
- Configure as following:
- Kind: Username with password
- Username: userscoped1
- Password: userscoped1
- ID: userscoped1
- Login as user1 and open user1 > Credentials page.
- nonuserscoped1 and userscoped1 are displayed. This means users can expect both nonuserscoped1 and userscoped1 are available for user1.
- Login as user1 and create a free style project "test1" and select "Git" for "Source Code Management"
- "nonuserscoped1" is listed in "Credentials".
- "userscoped1" is not listed in "Credentials".
- Open "Authorization" of test1, check "Configure Build Authorization" and configure as followings:
- Authorize Strategy: Run as Specific User
- User ID: user1
- Don't restrict job configuration: leave unchecked
- Open "Configure" of test1 and see "Credentials" in "Git"
- "nonuserscoped1" is not listed in "Credentials".
- Even though it is listed in user1 > Credentials page. This must be unexpected for many users.
- "userscoped1" is listed in "Credentials".
This is caused for SystemCredentialsProvider provides credentials only to SYSTEM user.
https://github.com/jenkinsci/credentials-plugin/blob/credentials-2.2.1/src/main/java/com/cloudbees/plugins/credentials/SystemCredentialsProvider.java#L446 Git plugin looks request credentials for authentication of the job correctly, and this looks an issue of credentials plugin:
https://github.com/jenkinsci/git-plugin/blob/git-3.11.0/src/main/java/hudson/plugins/git/UserRemoteConfig.java#L103 |
