Thanks Mark for the detailed explanation on this.
Actually it's my bad, I didn't explain things properly. Let me explain one more time.

We have one server (dvappbuildwb04). All the dev team members have ADMIN privileges to both the server and the Jenkins application, so all the developers can remote login to the server and they have the privilege to create, delete and manage Jenkins. We are using LDAP as a Security Realm in Manage Hudson. We need to perform deployment of applications to the Stage and Prod servers using Jenkins.

Now since all the dev team members have ADMIN privilege to manage Jenkins, they **can** add themselves to any role and get the power to promote a build to Stage and Prod (however they will not succeed even if they click on promote to Stage\Prod, because neither the dev team's credentials nor the service account which Tomcat is configured with can access the Stage\Prod web servers; well, this is a different story, let's get back to the main business :)).

Now consider the Operation team members who have access to the Stage\Prod servers: they also can't deploy a build to the Stage\Prod servers, because Jenkins executes jobs using the service account Tomcat is configured with, and that service account doesn't have access to the Stage\Prod servers. So even the Operation team members who have remote RDP\Admin access to Stage\Prod can't deploy the builds to Stage\Prod from Jenkins.

As I mentioned, the problem is that Jenkins uses the service account of Tomcat for executing jobs\promoting builds etc. I want Jenkins to use the credentials of the logged on user to execute the job\promote the build etc. Is there any way to tell Jenkins to please use the logged on user's credentials to execute this job? A simple checkbox on the Job should have done the trick. Or is there anything like Windows authentication, just like we have in IIS, available for Tomcat, so that Jenkins can then execute anything using the credentials of the logged on user? Based on your previous message, I think this is not possible.
On Sat, Oct 20, 2012 at 8:42 PM, Mark Waite <markwa...@yahoo.com> wrote:
> I don't understand the security threat against which you are trying to defend yourself. I'll propose some alternatives as my feeble attempt to understand the threat you're describing.
>
> If your concern is "how do I create jobs which only a certain user can run", you could consider
> https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin
>
> If your concern is "how do I store secret information on the Jenkins server", you could consider
> https://wiki.jenkins-ci.org/display/JENKINS/Build+Secret+Plugin
>
> If neither of those is your concern, here is another guess.
>
> Jenkins executes processes as the user running the Jenkins process (as you said). If Jenkins needs to perform an operation as a different user, the credentials for that other user are required. Those credentials must be provided from somewhere.
>
> You described that "I want only dev or even hudson admin also should not be able to execute the promote build unless credential supplied. (We have windows 2008 r2 OS)". Jenkins jobs are run and managed within the java process which started jenkins.war. There is no concept within that context (as far as I know) of "becoming another user". I think you're asking for a way to "become another user" inside the java process which is running jenkins.war. I'm not even sure it can reasonably be done with Java.
>
> I think you could consider changing your strategy from "become another user from within the Jenkins process" to "become another user in a subprocess which the Jenkins user starts". In that case, you don't care who executes the "promote build" job, but if they do not provide the correct credentials, the job will not execute.
>
> Mark Waite
>
> ------------------------------
> *From:* Vijendra Patil <vijendra.1...@gmail.com>
> *To:* markwa...@yahoo.com
> *Sent:* Saturday, October 20, 2012 6:55 AM
> *Subject:* Re: Need help on automating QA, Stage, Prod deploy
>
> Hi Mark,
>
> thanks for the suggestion. But is there not any in-built security feature? Because this way, the Operation team members or the Admin Users will never agree, because then some developer can write a script to take the password as a parameter and save that password in a file.
>
> A simple solution would have been that the hudson job should execute anything based on the logged on user's credentials, based on a check box setting, say "run using logged on user's credentials". So obviously if you want to execute anything within hudson, setting the checkbox will allow executing it using your credentials rather than using the service account credentials the tomcat server is configured with.
>
> Plugins such as Promote Build\Deploy Build\Build Pipeline lack this security feature.
>
> So even though a developer is an admin of the hudson server, of course he will not be having access to the Prod servers, so even if he tries to execute anything using his own credentials, it will not work. Only an admin user, even if he is not a hudson server admin, can execute that script because he is having access to the prod servers (copy, delete files on the prod server).
>
> On Sat, Oct 20, 2012 at 5:59 PM, Mark Waite <markwa...@yahoo.com> wrote:
>
> Have you considered making the job which deploys to Stage or to Prod a parameterized job, with the credentials as the parameter? I think your batch file could then reference the credentials which were passed as job parameters.
>
> https://wiki.jenkins-ci.org/display/JENKINS/Parameterized+Build
>
> Possibly also may want
>
> https://wiki.jenkins-ci.org/display/JENKINS/Parameterized+Trigger+Plugin
>
> Mark Waite
>
> ------------------------------
> *From:* JenkinsUser <vijendra.1...@gmail.com>
> *To:* jenkinsci-users@googlegroups.com
> *Sent:* Saturday, October 20, 2012 5:39 AM
> *Subject:* Need help on automating QA, Stage, Prod deploy
>
> Hi,
> We are using Hudson as a CI tool. At present we need to use Jenkins to deploy the build to the Stage and Prod environments. What is the best approach we should follow?
> I know about the promote build plugin, but the issue is authentication. I want, whenever we need to promote a build to deploy to Stage or Prod, it should ask for network credentials first. And then the promote job should execute the batch command using the credentials supplied. At present, the promote plugin runs using the credentials which the Tomcat server is configured to run with.
> Same issue with the Build Pipeline plugin.
> I want only dev or even hudson admin also should not be able to execute the promote build unless credential supplied. (We have windows 2008 r2 OS)
> Can you please help me in resolving the issue, so that basically whenever a user clicks on Promote build to QA\Stage\Prod the plugin should ask for credentials or should use the logged on user's credentials and execute the batch script using the logged on user's credentials only and not by using the credentials of the account with which the tomcat server is configured.
> Can you please help me?
> Please suggest to us the best approach for making automated builds on prod\stage.
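As an added illustration of the approach Mark describes (a parameterized job whose credentials are supplied at run time, with the deployment step run as that account in a subprocess the Jenkins service account starts), here is a PowerShell build step for the promote job. It is example code written for this thread, not code from the list, from Jenkins or from any of the plugins named above. The parameter names DEPLOY_USER and DEPLOY_PASSWORD, the host name stageweb01 and the batch file path are assumptions; Jenkins does expose job parameters and WORKSPACE to build steps as environment variables, and a Password parameter is masked in the console log.

```powershell
# Example "Windows PowerShell" build step for a parameterized promote-to-Stage job.
# Assumed job parameters (names chosen for this example):
#   DEPLOY_USER     - String parameter, e.g. CORP\opsdeploy
#   DEPLOY_PASSWORD - Password parameter (masked by Jenkins in the console output)
# The deployment batch file itself runs as DEPLOY_USER in a child process, so the
# Tomcat service account's lack of access to Stage\Prod does not matter; the rights
# of the account supplied at promote time decide whether the copy succeeds.

$ErrorActionPreference = 'Stop'

$target = 'stageweb01'                                  # assumed Stage web server
$batch  = Join-Path $env:WORKSPACE 'deploy\deploy.cmd'  # assumed deploy script in the workspace

# Refuse to fall back to the service account when no credentials were supplied.
if ([string]::IsNullOrEmpty($env:DEPLOY_USER) -or [string]::IsNullOrEmpty($env:DEPLOY_PASSWORD)) {
    throw 'DEPLOY_USER and DEPLOY_PASSWORD are required; not deploying with the Tomcat service account.'
}
if (-not (Test-Path $batch)) {
    throw "Deploy script not found: $batch"
}

# Build the credential in memory only; nothing here writes the password to disk.
$secure = ConvertTo-SecureString $env:DEPLOY_PASSWORD -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($env:DEPLOY_USER, $secure)

# Start-Process -Credential launches cmd.exe under the supplied identity (this is the
# "become another user in a subprocess" pattern). The deploying account needs read
# access to the workspace, since the child process reads the batch file and artifact.
$proc = Start-Process -FilePath 'cmd.exe' `
    -ArgumentList '/c', "`"$batch`"", $target `
    -Credential $cred -WorkingDirectory $env:WORKSPACE -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    throw "Deployment to $target failed with exit code $($proc.ExitCode)"
}
Write-Host "Deployed to $target as $env:DEPLOY_USER"
```

Two caveats that follow from the thread itself: the Tomcat service account must be allowed to create processes as another user on the Jenkins host, and, as the earlier reply points out, anyone who can edit the job's build step can still capture the parameter, so this pattern only holds up if job configuration rights are restricted (for instance with the Role Strategy plugin Mark links) while the Jenkins administrators themselves are trusted.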