On Thursday, 8 August 2013, Les Mikesell wrote:

> On Thu, Aug 8, 2013 at 10:11 AM, Stephen Connolly
> <stephen.alan.conno...@gmail.com> wrote:
>
> >> > The way I want to deliver is that you have a drop down underneath any of
> >> > the module remote url fields which lists the relevant credentials for that
> >> > URL (including none) and you would always make a selection (even if that
> >> > selection is leaving the default of "none" selected)
> >>
> >> Will these leak across jobs created by different users?
> >
> >
> > No. Each job will have to explicitly select the credentials to use.
> >
> > You can, e.g. using the Folders plugin, create credentials that are scoped
> > to a specific folder. In which case only the jobs within that folder will
> > have access to those credentials.
> >
> > I view this as a good thing - as credential leaking is prevented... but
> > others may view as a bad thing.
>
> Scoping by the user creating the job would make more sense to me,
> although I'm not sure how strictly jenkins could enforce that.


What happens if a different user edits the job?

I can certainly allow selecting from users' own credentials... But that
will restrict when the job can build.

I can think of a semi-fixed job property that defines the "default" owner
for SCM backed changes... Then when the job is triggered by a user we pick
their credentials if they don't have access to the corresponding
credentials... But given that these are credentials with a UUID based ID,
we'd probably need to turn the credentials required into parameters,
essentially making the job parameterized.

That all gets really complex... Hence my preference for scoping credentials
to folders.

On the other hand Kohsuke and Jesse have been pursuing running builds in
the context of the user that triggered them, so they may have some other
suggestions (plus I have dared them to integrate credentials with GIT and
HG respectively, so this is a problem they face too)

>
> >>   Also, how
> >> will it extend to svn externals if they pull in components that need
> >> different credentials?
> >
> >
> > I am currently looking at how to achieve this. My current thinking is that
> > you would have an advanced option that allowed you to provide additional
> > credentials for specific realms at the job level.... so that you get to
> > control how the externals' credentials are selected and supplied... the down
> > side is that would be more complex for those cases... and you would have to
> > replicate for each job that checks out that repo
>
> What is a 'realm' in this context? We have fairly arbitrary
> path-based authorization inside of our subversion repositories but
> have made read access to components referenced by externals more open
> than they probably should be to accommodate access from jenkins.
> Matching the credentials for the most-specific path specified by the
> user seems right to me.
>
> --
>    Les Mikesell
>      lesmikes...@gmail.com
>

-- 
Sent from my phone

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
