On Monday 23 November 2015, Francois Marot <francois.ma...@gmail.com> wrote:

> Thanks Mark and Stephen for your detailed responses.
> So in the end, I think that Jenkins has a problem because a user that can
> create a job has access to ALL credentials. So by default, any user able to
> create one job may steal any source code located on a git repo for which
> Jenkins has the credential.
>
Unless you use folders and put the credentials in the folders and restrict
user access per folder... Yes, anyone who can create/configure a job can use
any credentials "in scope" for use by that job.

>
> Stephen, it would be interesting to test your solution, but I think that
> I'll advise our IT guys to deploy more than one Jenkins instance, each
> with its own credentials. It may be more maintainable with a small number
> of instances.
>
>
>
Folders with per-folder access control and per-folder credentials stores
will achieve the same result, with less overhead.


>
>
> Regards
>
> On Friday, November 20, 2015 at 3:18:06 PM UTC+1, Stephen Connolly wrote:
>>
>> Well the following assumes that the git plugin has implemented
>> credentials support correctly.
>>
>> You will need the following:
>>
>>
>>    - https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
>>    - A willingness to document some stuff
>>    - A bit of patience
>>
>> So the way this works is that credentials are supposed to be resolved
>> from the *authentication* that the build is running as.
>>
>> If you have never seen the Authorize Project plugin then that means that
>> credentials are resolved from ACL.SYSTEM's credential store... (unless you
>> are using parameterized credentials and let the user select the credentials
>> from a credentials parameter...)
>>
>> [image: Inline images 1]
>>
>>
>> So you would be configuring the job to run as the user who triggered the
>> build rather than ACL.SYSTEM... as soon as you do that *ASSUMING THAT
>> THE GIT SCM IMPLEMENTED CREDENTIALS CORRECTLY* then the credentials used
>> will be searched for from the user's own credentials store rather than
>> ACL.SYSTEM's... at which point you look and see... oh no it didn't:
>>
>> [image: Inline images 2]
>>
>> Where is my expressionsAllowed="true"
>> <https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/resources/lib/credentials/select.jelly#L42>
>>
>> Which basically means that you have to provide the credential ID by
>> selecting the correct one from the drop-down... so you run over to your own
>> credentials store and create a credential with a sensible ID such as
>> `secret-repo` then you select that and save the job configuration.
>>
>> Now from then on... you can trigger the build and - because you have the
>> credentials with ID `secret-repo` the build will work for you. If anyone
>> else wants to trigger the build, then they will need to add their own
>> credentials with the ID `secret-repo` into their own credentials store.
>>
>> *Of course there is another path...*
>>
>> If you set up access control on a per-folder basis, you can store
>> credentials that are appropriate for that folder only in the ACL.SYSTEM
>> credential store *for that folder and all child items*. That way you can
>> create a folder called `secret`, add to it the credentials for the
>> secret-repo (not caring about IDs), and only jobs in that folder will have
>> access to the credentials... but any user that can access the folder will
>> be able to access the credentials from any job they can configure.
>>
>> HTH
>>
>> (and probably after this Mark may go running off to see what fun there is
>> with Authorize Project plugin and what bugs may / may-not exist in Git SCM
>> and its use of credentials with this plugin)
>>
>> -Stephen
>>
>>
>> On 20 November 2015 at 13:22, Francois Marot <francoi...@gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> I need your feedback to know if my Company's requirement is compatible
>>> with Jenkins:
>>>
>>> we have many Git repositories.
>>>
>>> Some Jenkins jobs need to access some git repositories. But some
>>> repositories contain source code more sensitive than others, hence the need
>>> for different git (ssh) credentials.
>>>
>>> On the jenkins side, for now, we have the git credentials globally
>>> available.
>>>
>>> What we would like is to have only some users able to create jobs, and
>>> each user to have only access to some git ssh credential at job creation
>>> time (so that the job can reference a git repository that the user is
>>> allowed to access).
>>>
>>> Is it possible? I did not see anything like this but I may not have
>>> found the correct plugins...
>>>
>>>
>>> Francois
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Jenkins Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to jenkinsci-use...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/jenkinsci-users/90bbd255-4c85-4bed-aca9-7bb6b10c4500%40googlegroups.com
>>> <https://groups.google.com/d/msgid/jenkinsci-users/90bbd255-4c85-4bed-aca9-7bb6b10c4500%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>



-- 
Sent from my phone
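An added audit script for the Jenkins script console (not from this thread, and not part of Jenkins or the Credentials plugin) that makes Stephen's point checkable: for every job it lists which credential IDs resolve when the build runs as ACL.SYSTEM versus as a named user, so an administrator can see exactly what anyone who can configure that job is able to consume. The user id `alice` is an assumed placeholder; it uses the deprecated but still present `lookupCredentials` / `impersonate` / `ACL.SYSTEM` combination so that the authentication types match.

```groovy
// Run from Manage Jenkins > Script Console (requires Overall/Administer).
// Compares the credentials resolvable for ACL.SYSTEM against those resolvable
// for a given user, per job, to surface credentials any job configurer can use.
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import hudson.model.Job
import hudson.model.User
import hudson.security.ACL
import jenkins.model.Jenkins

// Assumed user id for the comparison; replace with a real account on this master.
def userId = 'alice'

def user = User.getById(userId, false)
if (user == null) {
    println "No such user: ${userId}"
    return
}
// Authentication object the build would run as if Authorize Project ran it as this user.
def userAuth = user.impersonate()

// Resolve credential IDs in scope for a job under a given authentication.
// An empty domain-requirement list means "any domain".
def idsFor = { Job job, auth ->
    CredentialsProvider.lookupCredentials(
        StandardCredentials.class, job, auth, Collections.emptyList()
    ).collect { it.id }.sort()
}

Jenkins.instance.getAllItems(Job.class).each { Job job ->
    def systemIds = idsFor(job, ACL.SYSTEM)   // global + enclosing-folder stores
    def userIds   = idsFor(job, userAuth)     // the user's own store
    // Anything visible to ACL.SYSTEM but not to the user is what a job
    // configurer can consume without owning the credential themselves.
    def systemOnly = systemIds - userIds
    println job.fullName
    println "  ACL.SYSTEM scope : ${systemIds}"
    println "  ${userId} scope : ${userIds}"
    if (systemOnly) {
        println "  NOTE: ${systemOnly.size()} credential(s) reachable only via ACL.SYSTEM: ${systemOnly}"
    }
}
```

Jobs inside a folder with a folder-scoped store show that folder's credentials in their ACL.SYSTEM scope, which is the per-folder isolation described above; jobs at the top level show every global credential.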
