Restricting credentials the correct way
20 views
Skip to first unread message
Daniel P.
Nov 25, 2016, 10:54:03 AM11/25/16
to Jenkins Users
Hi everyone,
I want to restrict a Jenkins (global, for testing purposes) credential. The URL I want to use this credential for is something like this:
https://somewhere.someDomain.top/RepositoryName/repository.git
How do I restrict usage of the credential? I created a domain and have tried various things to restrict it, but only the URI scheme seems to work somehow.
I've said "https" in the URI scheme, and when I type http, the credential is removed from the list.
But when I instead use hostname or URI path, it doesn't seem to work as the credentials are never removed.
Examples for what I've used
Hostname
----------------
Include: somewhere.someDomain.top
Exclude: **
Include: somewhere.someDomain.top
Exclude: *
Include: somewhere.someDomain.top
Exclude: **/**
URI Path
-----------------
Include: somewhere.someDomain.top/RepositoryName/repository.git
Exclude: **/**
Include: **/RepositoryName/repository.git
Exclude: **/**
What is the correct syntax and order in which I should enter the restrictions?
Regards,
Daniel Poggenpohl
I want to restrict a Jenkins (global, for testing purposes) credential. The URL I want to use this credential for is something like this:
https://somewhere.someDomain.top/RepositoryName/repository.git
How do I restrict usage of the credential? I created a domain and have tried various things to restrict it, but only the URI scheme seems to work somehow.
I've said "https" in the URI scheme, and when I type http, the credential is removed from the list.
But when I instead use hostname or URI path, it doesn't seem to work as the credentials are never removed.
Examples for what I've used
Hostname
----------------
Include: somewhere.someDomain.top
Exclude: **
Include: somewhere.someDomain.top
Exclude: *
Include: somewhere.someDomain.top
Exclude: **/**
URI Path
-----------------
Include: somewhere.someDomain.top/RepositoryName/repository.git
Exclude: **/**
Include: **/RepositoryName/repository.git
Exclude: **/**
What is the correct syntax and order in which I should enter the restrictions?
Regards,
Daniel Poggenpohl
Stephen Connolly
Nov 25, 2016, 1:14:45 PM11/25/16
to jenkins...@googlegroups.com
First off, I suspect the git plugin is not building the domain requirements correctly.
Second, domains are not a security measure, rather they are a usability feature. The idea being to remove from the drop down credentials we know are not relevant... this is why when there is nothing to scope Credentials on, all credentials are available in the drop down... as you type in the server URL, the drop down will repopulate and remove irrelevant entries.
If you want to restrict access to credentials either scope their storage to a folder (which limits access to only the jobs in the folder) or use authorise project to run as a user and store the credentials in the per user store
Second, domains are not a security measure, rather they are a usability feature. The idea being to remove from the drop down credentials we know are not relevant... this is why when there is nothing to scope Credentials on, all credentials are available in the drop down... as you type in the server URL, the drop down will repopulate and remove irrelevant entries.
If you want to restrict access to credentials either scope their storage to a folder (which limits access to only the jobs in the folder) or use authorise project to run as a user and store the credentials in the per user store
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/316a908a-570b-439c-afa7-aa36a39aa7ba%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Sent from my phone
Reply all
Reply to author
Forward
0 new messages