I don't understand the security threat against which you are trying to defend yourself. I'll propose some alternatives as my feeble attempt to understand the threat you're describing.

If your concern is "how do I create jobs which only a certain user can run", you could consider https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin

If your concern is "how do I store secret information on the Jenkins server", you could consider https://wiki.jenkins-ci.org/display/JENKINS/Build+Secret+Plugin

If neither of those is your concern, here is another guess. Jenkins executes processes as the user running the Jenkins process (as you said). If Jenkins needs to perform an operation as a different user, the credentials for that other user are required. Those credentials must be provided from somewhere.

You described that "I want only dev or even hudson admin also should not be able to execute the promote build unless credential supplied. (We have windows 2008 r2 OS)". Jenkins jobs are run and managed within the java process which started jenkins.war. There is no concept within that context (as far as I know) of "becoming another user". I think you're asking for a way to "become another user" inside the java process which is running jenkins.war. I'm not even sure it can reasonably be done with Java.

I think you could consider changing your strategy from "become another user from within the Jenkins process" to "become another user in a subprocess which the Jenkins user starts". In that case, you don't care who executes the "promote build" job, but if they do not provide the correct credentials, the job will not execute.

Mark Waite

> ________________________________
> From: Vijendra Patil <vijendra.1...@gmail.com>
> To: markwa...@yahoo.com
> Sent: Saturday, October 20, 2012 6:55 AM
> Subject: Re: Need help on automating QA, Stage, Prod delpoy
>
> Hi Mark,
>
> Thanks for the suggestion. But is there not any in-built security feature? Because this way, the Operation team members or the Admin Users will never agree, because then some developer can write a script to take the password as a parameter and save that password in a file.
>
> A simple solution would have been: the Hudson job should execute anything based on the logged-on user's credential, based on a check box setting, say "run using logged-on user's credential". So obviously, if you want to execute anything within Hudson, setting the checkbox will allow it to execute using your credential rather than using the service account credential the Tomcat server is configured with.
>
> Plugins such as Promote Build\Deploy Build\Build Pipeline lack this security feature.
>
> So even though a developer is an admin of the Hudson server, of course he will not be having access to Prod servers, so even if he tries to execute anything using his own credential, it will not work. Only an admin user, even if he is not a Hudson server admin, can execute that script because he has access to the prod servers (copy, delete files on the prod server).
>
> On Sat, Oct 20, 2012 at 5:59 PM, Mark Waite <markwa...@yahoo.com> wrote:
>
>> Have you considered making the job which deploys to Stage or to Prod a parameterized job, with the credentials as the parameter? I think your batch file could then reference the credentials which were passed as job parameters.
>>
>> https://wiki.jenkins-ci.org/display/JENKINS/Parameterized+Build
>>
>> Possibly also may want
>>
>> https://wiki.jenkins-ci.org/display/JENKINS/Parameterized+Trigger+Plugin
>>
>> Mark Waite
>>
>>> ________________________________
>>> From: JenkinsUser <vijendra.1...@gmail.com>
>>> To: jenkinsci-users@googlegroups.com
>>> Sent: Saturday, October 20, 2012 5:39 AM
>>> Subject: Need help on automating QA, Stage, Prod delpoy
>>>
>>> Hi,
>>>
>>> We are using Hudson as a CI tool. At present we need to use Jenkins to deploy the build to the Stage and Prod environments. What is the best approach we should follow?
>>>
>>> I know about the promote build plugin, but the issue is authentication. I want, whenever we need to promote a build to deploy to Stage or Prod, it to ask for network credentials first. And then the promote job should execute the batch command using the credentials supplied. At present, the promote plugin runs using the credentials which the Tomcat server is configured to run with.
>>>
>>> Same issue with the Build Pipeline plugin.
>>>
>>> I want that only dev or even the Hudson admin should not be able to execute the promote build unless credentials are supplied. (We have Windows 2008 R2 OS.)
>>>
>>> Can you please help me in resolving the issue, so that basically whenever a user clicks on Promote build to QA\Stage\Prod the plugin asks for credentials, or uses the logged-on user's credentials, and executes the batch script using the logged-on user's credentials only and not by using the credentials of the account with which the Tomcat server is configured?
>>>
>>> Can you please help me? Please suggest to us the best approach for making automated builds on prod\stage.
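The "become another user in a subprocess which the Jenkins user starts" strategy from Mark's reply, combined with his earlier suggestion of passing the credentials as job parameters, looks like the following build step on Windows Server 2008 R2. This is an added example, not code from the thread or from any Jenkins plugin. It assumes two hypothetical job parameters, DEPLOY_USER (a String Parameter) and DEPLOY_PASSWORD (a Password Parameter, which Jenkins masks in the UI and console log), a hypothetical deploy script path, and that the Jenkins service account is permitted to create processes with alternate credentials on that host.

```powershell
# Jenkins PowerShell build step: run the deploy script as the account supplied in the
# job parameters, not as the Tomcat/Jenkins service account. Added example; the parameter
# names and script path below are assumptions, not anything from the thread.

$user     = $env:DEPLOY_USER                          # String Parameter, e.g. CORP\deployer
$password = $env:DEPLOY_PASSWORD                      # Password Parameter
$script   = 'C:\jenkins\scripts\deploy-prod.cmd'      # assumption: readable by $user

if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($password)) {
    Write-Host 'DEPLOY_USER and DEPLOY_PASSWORD must be supplied; refusing to run as the service account.'
    exit 1
}

# Build a PSCredential from the parameters. The plaintext password lives only in this
# process and in the credential handed to the child; this script never writes it to disk.
$secure = ConvertTo-SecureString $password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($user, $secure)

# A process started with -Credential cannot share the parent's console, so its output is
# captured through redirection into the job workspace and echoed afterwards.
$stdout = Join-Path $env:WORKSPACE 'deploy-stdout.log'
$stderr = Join-Path $env:WORKSPACE 'deploy-stderr.log'

try {
    # The child is created under the supplied credentials. A wrong user name or password
    # makes Start-Process fail before the script runs, which is the "no correct
    # credential, no deployment" behaviour the reply describes. -WorkingDirectory must be
    # a directory the deploy account can read, otherwise process creation fails.
    $proc = Start-Process -FilePath 'cmd.exe' `
        -ArgumentList '/c', "`"$script`"", $env:BUILD_NUMBER `
        -Credential $cred `
        -WorkingDirectory $env:SystemRoot `
        -RedirectStandardOutput $stdout `
        -RedirectStandardError $stderr `
        -Wait -PassThru -ErrorAction Stop
}
catch {
    Write-Host "Could not start the deployment as ${user}: $($_.Exception.Message)"
    exit 1
}
finally {
    # Drop the plaintext copy as soon as it is no longer needed.
    Remove-Variable password -ErrorAction SilentlyContinue
}

Get-Content $stdout
Get-Content $stderr

if ($proc.ExitCode -ne 0) {
    Write-Host "Deployment script failed with exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}
Write-Host "Deployment completed as $user"
```

This answers the "only someone holding valid deploy credentials can make the step do anything" requirement, because the account that actually touches the Stage or Prod servers is the one whose password was typed into the parameter, not the service account. It does not, on its own, answer Vijendra's follow-up concern: a Password Parameter is still delivered to the build as an environment variable, so anyone allowed to edit the job's configuration can add a step that reads it. The mitigation for that is the one Mark already pointed at, restricting who may configure and run the promote job with the Role Strategy plugin, so that supplying the credential and being able to alter what the job does with it are not the same set of people.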