Credentials for Each User


ayesha s

Apr 11, 2016, 3:32:50 AM
to Jenkins Users
Hi all,

Currently I have a global credential created (SSH keys) to build a project in GitLab. And any other (authenticated) user that logs into this Jenkins instance on the Windows server is able to use the same credential to build their projects in the GitLab repository. A non-admin user can see another user's Jenkins credentials' contents (private keys, etc.!)
But for security reasons this should not happen. Each user should only be able to build his/her GitLab repo using his/her credential (SSH keys). So he should also not be able to view any other credentials apart from the one created by/for him.
I am using the Role-Based Authorization plugin to give different users different roles for different projects. If I want to create a project-based credential at the user level (and not a global credential) then that credential does not appear in the drop-down under Project configuration (refer to 5.jpeg). And I believe that if we could see the credential here in the drop-down then it would have solved my purpose. Or is there any other way so that every user can only view/use his/her own credentials and not any other user's credentials?

I have attached screen shots for better understanding of my current problem and the solution I am looking for.
1.jpeg -> Global credentials view from admin login (all users that log in are able to see and use this)
2.jpeg -> Global credentials view from normal user login
3.jpeg -> Credential created under the current user (but it's not visible in the 5.jpeg drop-down for it to be used to build the GitLab repo)
4.jpeg -> Global credential being used to build GitLab project (every user using ayesha_...@in.ibm.com credentials, which is not correct)
5.jpeg -> Drop-down only shows Global credentials and not credentials created under a user's Credentials (prpa...@in.ibm.com as created in 3.jpeg not visible here)
Roles & Permissions.jpeg -> Credentials permission given through the Role-Based Authorization plugin


Till now I have tried creating 'domains' and created credentials for that domain, but that does not solve the purpose. I have also referred to the following discussions:
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!searchin/jenkinsci-users/user$20credentials|sort:relevance/jenkinsci-users/MMvgsv8J3hE/Q4MpfhXjBAAJ


The following discussion is similar to the requirement I am looking for. But even after installing the 'Authorization Plugin' it's still not clear what other settings need to be done, as this still is not letting one see per-user credentials in the drop-down to select in project configuration.
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!searchin/jenkinsci-users/user$20credentials|sort:relevance/jenkinsci-users/t9z2uLuvf74/ZLJwxEHrCgAJ


Kindly let me know, once I have installed the Authorization plugin, what next needs to be done to solve the problem I am facing? Or if there is another method to achieve my purpose?

Roles & Permissions.jpg
5.jpg
4.jpg
3.jpg
2.jpg
1.jpg

Stephen Connolly

Apr 11, 2016, 10:07:35 AM
to jenkins...@googlegroups.com
Step 1: Install the Authorize Project plugin
Step 2: configure the jobs to run as the user
Step 3: have the user put their credentials in their per-user credentials store
Step 4: don't put credentials in the Jenkins System credentials store
Step 5: Sit back, light your pipe and enjoy the satisfaction of a job well done


ayesha s

Apr 13, 2016, 4:21:35 AM
to jenkins...@googlegroups.com
Hi Stephen,

Thanks for your response!

The main problem is that the per-user credential is not getting populated in the drop-down under the project configuration window (see attachment). Hence the user is unable to use that credential to connect to the GitLab repo. 🙁

Also, could you please elaborate more on Step 2 you mentioned - configure the jobs to run as the user?
Is it something related to this? Refer to the 3rd attachment.


Do you think that instead of an SSH credential, using an HTTPS credential in Jenkins will solve this issue? Though no information is available online on how to connect to GitLab using the HTTPS credentials method. 🤔



Regards

Ayesha Siddiqui

per-user_credential_under the current_user.jpg
per_user_credential_not_apperaing in dropdown.jpg
Does the step 2 has to do with this.jpeg

Stephen Connolly

Apr 13, 2016, 2:49:36 PM
to jenkins...@googlegroups.com
It depends on how the plugin has been written. If it is written correctly, then it should allow the user to select their own credentials if they have the appropriate permissions (I cannot recall, but you may have to enable a permission by system property... Or it could be a bug in the gitlab plugin)

--
Sent from my phone

jwil...@gmail.com

Sep 27, 2016, 5:25:59 PM
to Jenkins Users
I ran across this thread while trying to solve a similar problem writing Pipelines with Jenkins 2.  I installed the Authorize Project plugin, set my Pipeline job to run as user that triggered, and tried to use a Credential Parameter to get the ID and pass it to my Pipeline from SCM.  The parameter gets the ID of my SSH key stored in my user-specific area and I can echo the UUID out to the console log, but nothing else seems to be able to use it to load my key:  I've tried the git step, the checkout step, and the sshagent wrapper step and nothing seems to be able to retrieve the credentials.  I am using the role authorization strategy plugin, but I'm currently an administrator so I wouldn't expect any of those privileges to get in the way and the Credentials Parameter seems to have no problem.

I've banged my head against this for days and don't know what I'm doing wrong.  Is this just broken with Pipelines?



Stephen Connolly

Sep 27, 2016, 6:41:55 PM
to jenkins...@googlegroups.com


On Tuesday 27 September 2016, <jwil...@gmail.com> wrote:
I ran across this thread while trying to solve a similar problem writing Pipelines with Jenkins 2.  I installed the Authorize Project plugin, set my Pipeline job to run as user that triggered, and tried to use a Credential Parameter to get the ID and pass it to my Pipeline from SCM.  The parameter gets the ID of my SSH key stored in my user-specific area and I can echo the UUID out to the console log, but nothing else seems to be able to use it to load my key:  I've tried the git step, the checkout step, and the sshagent wrapper step and nothing seems to be able to retrieve the credentials.  I am using the role authorization strategy plugin, but I'm currently an administrator so I wouldn't expect any of those privileges to get in the way and the Credentials Parameter seems to have no problem.

I've banged my head against this for days and don't know what I'm doing wrong.  Is this just broken with Pipelines?


Actually the fault is in a lot of plugins

Most plugins use a pattern of looking for credentials using ACL.SYSTEM as the authentication. That is a bug.

I created lots of JIRA issues against all the anti-patterns but very few have been resolved.

The git plugin is getting there but has some other issues with credentials usage (esp on remote agents)

Work in progress is the TL;DR... it's not specific to pipeline, you get the same issues in freestyle... just a tad harder to hit
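
The `ACL.SYSTEM` lookup pattern named in the reply above, next to lookups scoped to the job's or build's identity, as an added example that is not part of the original thread or any plugin's own code. It uses the 2016-era Acegi-based Credentials plugin API; the class name, method names and the `id`/`remote` parameters are hypothetical.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernameCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Job;
import hudson.model.Queue;
import hudson.model.Run;
import hudson.model.queue.Tasks;
import hudson.security.ACL;
import java.util.List;
import org.acegisecurity.Authentication;

// Hypothetical helper class written for this illustration.
public class CredentialLookupExample {

    // Anti-pattern: every lookup runs as ACL.SYSTEM, so only system/folder
    // scoped stores are searched and a user's personal store is never seen.
    static StandardUsernameCredentials lookupAsSystem(Job<?, ?> job, String id, String remote) {
        List<DomainRequirement> reqs = URIRequirementBuilder.fromUri(remote).build();
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernameCredentials.class, job, ACL.SYSTEM, reqs),
                CredentialsMatchers.withId(id));
    }

    // Configuration time: search as the identity the job is set to run as
    // (what the Authorize Project plugin configures), falling back to SYSTEM.
    static StandardUsernameCredentials lookupAsJobIdentity(Job<?, ?> job, String id, String remote) {
        Authentication auth = job instanceof Queue.Task
                ? Tasks.getAuthenticationOf((Queue.Task) job)
                : ACL.SYSTEM;
        List<DomainRequirement> reqs = URIRequirementBuilder.fromUri(remote).build();
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernameCredentials.class, job, auth, reqs),
                CredentialsMatchers.withId(id));
    }

    // Build time: resolve against the Run, so the credential is looked up
    // with the authentication the build actually executes as.
    // Returns null when that identity may not use the credential.
    static StandardUsernameCredentials lookupForRun(Run<?, ?> run, String id, String remote) {
        return CredentialsProvider.findCredentialById(
                id, StandardUsernameCredentials.class, run,
                URIRequirementBuilder.fromUri(remote).build());
    }
}
```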