  1. Jenkins
  2. JENKINS-18453

Need Impersonation support to Build\Execute Jenkins Jobs (all Build Steps commands basically) with different user credential

      Description

      Hi,

      I need to execute a few of the Jenkins jobs, such as "Release to Production", through the Jenkins UI using the logged-on user or another user's credential. The reason is, we have one instance of Jenkins CI on which all the Jenkins Jobs such as "Build MyApp", "Release MyApp To QA" etc. are configured. Both the Developers and the Support team members are admins on this Jenkins application instance as well as on the Jenkins server. Right now, these Jobs get executed using the credential of the service account which the Tomcat Service, on which Jenkins is hosted, is running with. Now, the problem is, we can't use the same instance to release deployable items to Production, as the service account doesn't have permission to access the Production Web Servers to copy code onto them. Moreover, it's the Support Team members who have access to the production boxes. So in order to deploy any code base to production, all the Windows deploy commands (e.g. create, update files, folders etc.) need to be run with the credential of a specific user who has access to the Production box. The only option we are left with now is to have another server which the Support Team owns, and have all the "Release To Production" Jobs set up on this separate instance of Jenkins, on which only Support team members are ADMIN.

      I tried using the parameterized plugin but wasn't able to pass the Password successfully to the batch file which contains the MSDeploy instructions.

      I checked the Role-based security plugin, project matrix, active directory etc., but they don't help me much. I just need a plugin which asks the user to provide their credential before the Job starts building and uses that credential to execute the Job, so that my MSDeploy command will be able to deploy the code on the Production boxes when a Support team member builds that Job using their credential. I wish there was support for impersonation.

      I am looking forward to the following.

      =============================================================

      The Flow:

      A checkbox should be present on the Create Job page of Jenkins saying "Execute\Build as another User" OR "Execute\Build Job using logged on user credential". Then, if we create a Job with this checkbox checked and build the Job by clicking on the Build button, it should do either of the two:

      1. If we implement the "Execute\Build as another User" option, then it should simply show a popup\dialog asking for the user credential. Then the job should execute all the Build Steps using the credential passed (i.e., if I pass my credential vipatil@mycompany.com, password123, then it should use this credential to execute all the MSBuild commands that we specified in the Build step of the Jenkins Job).

      2. If we implement the "Execute\Build Job using logged on user credential" option, then it's a little tricky: it should execute the Job (Build Steps commands) using the credential of the logged-on user, without showing any dialog asking for the user credential, as it should use the logged-on user's credential.

      Option 1 seems very easy and very simple to implement, while option 2 seems a little tricky and requires integration with the Credential Plugin.

      If possible, can we get option 1 implemented? In .Net I know how to implement impersonation (http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/) but I am not sure how we can do this in Java (found this article but not sure: https://svn.apache.org/repos/asf/jackrabbit/branches/2.0/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/user/ImpersonationTest.java ).

      ==================================================================

      Any help would be appreciated.

      This is going to be a very useful feature to everyone indeed.

            Activity

            jglick Jesse Glick added a comment -

            First of all, in a secure environment you should configure the master computer to have no executors, so all builds are run on slaves, which may have their own user ID. Then you can configure which jobs can use certain slaves, e.g. http://jenkins-enterprise.cloudbees.com/docs/user-guide-bundle/foldersplus-sect-controlledslaves.html in Jenkins Enterprise (not sure if there is an open-source plugin with comparable functionality).

            That said, it would indeed be useful to have a plugin using LauncherDecorator to run builds of certain jobs using sudo or the Windows equivalent. The tricky part would be integrating smoothly with the Credentials plugin.
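
            An added example, not part of the original comment or of any Jenkins plugin: a small audit of the setup recommended above, checking that the master has zero executors and that only the production release job is tied to the restricted agent. The XML snippets are constructed samples of Jenkins `config.xml` content, and the `prod-deploy` label and `prod-agent` name are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs; "prod-deploy" is a hypothetical agent label.
CONTROLLER_XML = "<?xml version='1.1' encoding='UTF-8'?>\n<hudson><numExecutors>2</numExecutors></hudson>"
AGENT_XML = "<slave><name>prod-agent</name><label>prod-deploy</label><mode>NORMAL</mode></slave>"
JOBS = {
    "Build MyApp": "<project><canRoam>true</canRoam></project>",
    "Release to Production": "<project><assignedNode>prod-deploy</assignedNode><canRoam>false</canRoam></project>",
    "Release MyApp To QA": "<project><assignedNode>prod-deploy</assignedNode><canRoam>false</canRoam></project>",
}

def parse(xml_text):
    # Newer Jenkins writes an XML 1.1 declaration, which Python's parser rejects; drop it.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))

def controller_executors(xml_text):
    """Executors on the built-in (master) node; 0 means no build runs there."""
    value = parse(xml_text).findtext("numExecutors")
    return int(value) if value is not None else None

def job_label(xml_text):
    """Label the job is tied to, or None if it may roam to any node."""
    root = parse(xml_text)
    if (root.findtext("canRoam") or "true").strip() == "true":
        return None
    return (root.findtext("assignedNode") or "").strip() or None

def audit(controller_xml, agent_xml, jobs, sensitive_jobs, label):
    findings = []
    n = controller_executors(controller_xml)
    if n != 0:
        findings.append(f"controller numExecutors={n}, expected 0")
    if (parse(agent_xml).findtext("mode") or "NORMAL").strip() != "EXCLUSIVE":
        findings.append(f"agent '{label}' accepts untied jobs (mode is not EXCLUSIVE)")
    for name in sorted(jobs):
        tied = job_label(jobs[name])
        if name in sensitive_jobs and tied != label:
            findings.append(f"'{name}' is not tied to '{label}'")
        elif name not in sensitive_jobs and tied == label:
            findings.append(f"'{name}' can run under the '{label}' agent account")
    return findings

if __name__ == "__main__":
    for finding in audit(CONTROLLER_XML, AGENT_XML, JOBS, {"Release to Production"}, "prod-deploy"):
        print("FINDING:", finding)
```

            Tying a job to a label only controls where that job runs; any user who can configure another job can still point it at the same label, which is the gap the controlled-slaves feature linked above addresses.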

            vijendra_cs Vijendra Patil added a comment - - edited

            Jesse, thanks for sharing your thoughts on this. Well, we can do this in a much simpler way. This is how we can do this.

            A checkbox should be present on the Create Job page of Jenkins saying "Execute\Build as another User" OR "Execute\Build Job using logged on user credential". Then, if we create a Job with this checkbox checked and build the Job by clicking on the Build button, it should do either of the two:

            1. If we implement the "Execute\Build as another User" option, then it should simply show a popup\dialog asking for the user credential. Then the job should execute all the Build Steps using the credential passed (i.e., if I pass my credential vipatil@mycompany.com, password123, then it should use this credential to execute all the MSBuild commands that we specified in the Build step of the Jenkins Job).

            2. If we implement the "Execute\Build Job using logged on user credential" option, then it's a little tricky: it should execute the Job (Build Steps commands) using the credential of the logged-on user, without showing any dialog asking for the user credential, as it should use the logged-on user's credential.

            Option 1 seems very easy and very simple to implement, while option 2 seems a little tricky and requires integration with the Credential Plugin.

            I am glad that you liked the idea and thought it's useful. If possible, can we get option 1 implemented? In .Net I know how to implement impersonation (http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/) but I am not sure how we can do this in Java (found this article but not sure: https://svn.apache.org/repos/asf/jackrabbit/branches/2.0/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/user/ImpersonationTest.java ).

            hardik_nit2003 hardik khandhedia added a comment -

            This is indeed a very useful feature.

            It would be a great value addition to Jenkins.

            jglick Jesse Glick added a comment -

            Option #1 is useless for jobs with automatic triggers.

            Please note that the existence of an issue in JIRA, or comments agreeing that the described feature would be useful, do not imply that anyone has any plans to work on such a feature, unless you write it yourself or pay someone to do it for you (such as using the freedomsponsors.org link on this page).

            oleg_nenashev Oleg Nenashev added a comment -

            The QueueItemAuthenticator extension point is available since 1.520. BTW, most plugins have not been updated yet.
            See http://javadoc.jenkins-ci.org/jenkins/security/QueueItemAuthenticator.html

            jglick Jesse Glick added a comment -

            I think QueueItemAuthenticator is only tangentially related. It could be used to select an authentication for a build, but the main work is implementing that impersonation.


              People

              Assignee: Unassigned
              Reporter: Vijendra Patil (vijendra_cs)
              Votes: 9
              Watchers: 13
