Re: jenkins security & password encryption

[Kohsuke Kawaguchi]

If I understand correctly, you are trying to programmatically generate config.xml that includes password fields, and you want to learn how to generate encrypted values from plain text?

You are looking at the right class that is CryptoConfidentialKey. If you haven't looked at Secret, that's really where the real work is. But if you are doing this work elsewhere outside Jenkins, it'd be tricky to get this right, as it depends on various other files Jenkins owns.

I also encourage you to try consider routes that do not require passwords, such as connecting to slaves via SSH public key authentication. 

Finally, you can just put plain text values in those fields and they'll be read by Jenkins just fine. You can have Jenkins then re-encrypt these values by calling save().

2013/1/22 Christophe Demarey <christoph...@inria.fr>

Hello,

First, I would like to thank you for the great job you are doing on Jenkins. You probably know how useful this tool is, especially for open-source and research projects!
I work at Inria, a french computer science research institute. We develop a solution to offer Jenkins instances to our researchers very easily.
The job is in a good way but we are stuck on a problem related to jenkins security & password encryption.

We tune jenkins configuration (via the config.xml file) to declare slaves automatically but we don't know how to encode password.
Could you give us the way to encode passwords.

I had a look into Secret, CryptoConfidentialKey, and related class but I was not able to get algorithm.


Thank you.

Best regards,
Christophe Demarey.

-------------------
Christophe Demarey
R&D engineer, Inria
http://chercheurs.lille.inria.fr/~demarey/

--
Kohsuke Kawaguchi

[krishnakanth_bn]

Hello Mr.Kohsuke,

Hats off for giving us Jenkins. I am thrilled by its capabilities.

My problem is that I am creating a job programmatically using create-job CLI
command. The job configuration will have password fields (for RTC, TFS,
Tomcat, etc). After the job gets created, the passwords were still not
encrypted. I followed this post and tried invoking save() function on both
AbstractProject<?,?> and Item objects by creating a small CLI plugin called
save-job.

After I execute my save-job command, only RTC password gets encrypted
successfully. TFS, Tomcat and other passwords are not encrypted. Please help
me in fixing this issue. Below is the CLI plugin code for saving the job.

@Extension
public class SaveJobCommand extends CLICommand {


@Argument(metaVar = "JOB", usage = "Name of the job to be saved")
public AbstractProject<?, ?> job;

public String getShortDescription()
{
return "Saves the given job to re-encrypt the passwords";
}

protected int run() throws Exception {
this.job.save();
return 0;
}
}

Many thanks in advance.



--
View this message in context: http://jenkins-ci.361315.n4.nabble.com/Re-jenkins-security-password-encryption-tp4652458p4673347.html
Sent from the Jenkins dev mailing list archive at Nabble.com.

[KrishnaKanth BN]

Hello Mr.Kohsuke,

Hats off for giving us Jenkins. I am thrilled by its capabilities.

My problem is that I am creating a job programmatically using create-job CLI command. The job configuration will have password fields (for RTC, TFS, Tomcat, etc). After the job gets created, the passwords were still not encrypted. I followed this post and tried invoking save() function on both AbstractProject<?,?> and Item objects by creating a small CLI plugin called save-job.

After I execute my save-job command, only RTC password gets encrypted successfully. TFS, Tomcat and other passwords are not encrypted. Please help me in fixing this issue. Below is the CLI plugin code for saving the job.

@Extension
public class SaveJobCommand extends CLICommand {
       

        @Argument(metaVar = "JOB", usage = "Name of the job to be saved")
        public AbstractProject<?, ?> job;

          public String getShortDescription()
          {
            return "Saves the given job to re-encrypt the passwords";
          }

          protected int run() throws Exception {
            this.job.save();
            return 0;
  }
}

Many thanks in advance.

[krishnakanth_bn]

Hi,

Seems like I am able to resolve this issue. Instead of reading the CLI
command argument as AbstractProject or Item, I am reading it as a simple
String job name and then I am using getItemByFullName() method to get the
job and then invoking save() operation. Below is the working CLI plugin
code.

public class SaveJobCommand extends CLICommand {

@Argument(metaVar = "JOB", usage = "Name of the job to be saved")

public String job;

public String getShortDescription() {
return "Saves the given job to re-encrypt the passwords";
}

protected int run() throws Exception {

Jenkins j = Jenkins.getInstance();
Item item = j.getItemByFullName(this.job);
if (item != null) {
item.save();
}
return 0;
}

}

Thanks for all the support.



--
View this message in context: http://jenkins-ci.361315.n4.nabble.com/Re-jenkins-security-password-encryption-tp4652458p4673494.html

[KrishnaKanth BN]

Hi,

 

I am sorry. I am still not able to achieve what I want. If I create Job from Jenkins and then run my save-job command, the password gets encrypted.

 

If I create a job using create-job command and run save-job, it does not do anything. Kindly help.

 

I am suspecting that, when we create or save job from Jenkins UI, some other files get updated with the job information. Please clarify.

 

Thanks and Regards,

KrishnaKanth B N

[KrishnaKanth BN]

Hi,

 

Any help on this will be really useful. Thanks in advance.

 

Thanks and Regards,

KrishnaKanth B N