Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-18453

Need Impersonation support to Build\Execute Jenkins Jobs(all Build Steps commands basically) with different user credential



      I need to execute few of the Jenkins jobs such as "Release to Production" through Jenkins UI using logged on user or using another user credential. The reason is, we have one instance of Jenkins CI on which all the Jenkins Jobs such as "Build MyApp", "Release MyAp To QA" etc. are configured. Both the Developers as well as Support team members are admin on this Jenkins application Instance as well as on the Jenkins server. Right now, these Jobs gets executed using the credential of service account which the Tomcat Service is running with, on which Jenkins is hosted. Now, the problem is, we cant use the same instance to release deployable items to Production as the service account doesn't have permission to access Production Web Severs to copy code on it. And moreover, its the Support Team Members who have access to the production boxes. So in order to deploy any code base to production, all the Windows Deploy Commands (ex, create, update files, folder etc.) needs to be run with specific user credential who has access to the Production Box. The only option we are left with now is to have another server which the Support Team own, and have all the "Release To Production" Jobs setup on this separate instance of Jenkins, which only Support team member are ADMIN on it.

      I tried using parameterized plugin but couldn't able to pass the Password successfully to the batch file which contains MSDeploy instructions.

      I checked Role based security plugin, project matrix , active directory etc, but that doesn't help me much. I just need a plugin which should ask for user to provide their credential before start building the Job and should use the user credential to get the job executed, so that my MSDeploy command will be able to deploy the code on Production boxes, when the Support team member build that Job using their credential. I wish there was support for impersonation.

      I am looking forward to the following.


      The Flow:

      A checkbox should be present on the Create Job page of Jenkins saying "Execute\Build as another User" OR "Execute\Build Job using logged on user credential". Then if we create a Job with this checkbox checked, and when we build the Job by clicking on the Build button, it should do either of the two,

      1. If we implement "Execute\Build as another User" option, then it should simply prompt for a popup\dialog asking to provide user credential. Then the job should execute all the Build Steps, using the credential passed. (i.e., If I pass my credential vipatil@mycompany.com, password123, then it should use this credential to execute all the MSBuild command that we specified in the Build step of the Jenkin Job.).

      2. If we implement "Execute\Build Job using logged on user credential" option, then its little tricky and it should execute the Job (Build Steps commands) using the credential of the logged on user, without asking for any dialog to provide user credential, as it should use logged on user credential.

      Option 1 seems very easy and very simple to implement. While option 2 seems little tricky and require integration with Credential Plugin.

      If possible then can we get option 1 implemented. In .Net I know how to implement impersonation (http://platinumdogs.me/2008/10/30/net-c-impersonation-with-network-credentials/) but not sure about how can we do this in Java (found this article but not sure https://svn.apache.org/repos/asf/jackrabbit/branches/2.0/jackrabbit-core/src/test/java/org/apache/jackrabbit/api/security/user/ImpersonationTest.java ).


      Any help would be appreciated.

      This is going to be a very useful feature to everyone indeed.

            Unassigned Unassigned
            vijendra_cs Vijendra Patil
            9 Vote for this issue
            13 Start watching this issue