Security - Pipeline parameterized credentials can be reused by other users

[Stuart Rowe]

Could you remove build permissions on that job for the users that don't know the credentials? They wouldn't be able to run the job anyways. That should also remove their ability to replay the job as far as I understand.

[Stuart Rowe]

I can't provide you with a step by step solution as it depends on how security and authorization is configured on your Jenkins instance. You should be able to find a lot of information on controlling Jenkins job/build permissions with a quick internet search.

On Thursday, 14 March 2019 22:55:46 UTC-7, Sarfroz Basha wrote:

On Thursday, March 14, 2019 at 10:10:50 PM UTC+5:30, Stuart Rowe wrote:

Could you remove build permissions on that job for the users that don't know the credentials? They wouldn't be able to run the job anyways. That should also remove their ability to replay the job as far as I understand.

Hi,

 

Thanks for your reply.

 

Can you elaborate clearly by steps.

 

[Ivan Fernandez Calvo]

By using https://wiki.jenkins.io/plugins/servlet/mobile?contentId=102662618#content/view/10266261 and removing permissions to configure jobs, maybe build also and allow only to trigger builds to some people or manage it with comments from GitHub (see https://wiki.jenkins.io/plugins/servlet/mobile?contentId=37749162#content/view/37749162) also on pipeline multibranch projects you ha be options to only trust on the jenkinsfile from the master branch

[Cyrille Le Clerc]

@ivan I am very interested in this topic and I get a 404 on your first link. Can you please verify the URL and maybe share a "non mobile" URL.

[Jenn Briden]

I am also interested in learning more. My understanding is that this is a permissions issue on the Item and not really pipeline. Please correct me if I misunderstood.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/e5f5fe3b-35a1-44cd-a078-98c463ccc4df%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[kuisathaverat]

Multibranch pipeline with defaults https://plugins.jenkins.io/pipeline-multibranch-defaults and Pipeline Github plugin https://github.com/jenkinsci/pipeline-github-plugin  the first allow you to set a Jenkinsfile by default on Multibranch projects so you can have the Jenkinsfile outside of the project repo in another repo that you manage with other permissions, the second allows you to interact with GitHub, I use it to check permissions and other stuff in GitHub before to start the build, to trigger build with comments, and check reviews, I make all this stuff on a pipeline shared library that probably we make public at some point.

You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/QS8VKelHR2E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAOC%3D136YKecmM8eQ2frJ9T5%3DD-tNfNCqgvaEzF_G%3Dvkf4Nb_8w%40mail.gmail.com.