Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22289

Subversion Credentials with Role-Based-Security

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Environment:
    • Similar Issues:

      Description

      Currently when using Jenkins with "Subversion Plugin" and "Role Strategy Plugin", the Administrator does not seem to have any control on how to manage "Subversion Credentials" privileges for multiple teams.

      Prerequisites:

      • Jenkins Credentials Plugin installed.
      • Jenkins Subversion Plugin installed.
      • Jenkins Role Strategy Plugin installed.
      • Access Control - Security Realm: "Jenkins’ own user database".
      • Access Control - Authorization: "Role-Based Strategy".
      • Role "admin" (Global Privileges: all).
      • Role "Team-A-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View Job-Create)(Project Privileges, Pattern TeamA.*: Credentials-Create, Credentials-View, Job-all, Run-all). (see screenshot: https://issues.jenkins-ci.org/secure/attachment/25586/JENKINS-22289_ManageAndAssignRoles.png )
      • Role "Team-B-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View, Job-Create)(Project Privileges, Pattern "TeamB.*": Credentials-Create, Credentials-View, Job-all, Run-all).
      • Jenkins Root Administrator User Account (e.g. "administrator") with Role "admin" (All Privileges).
      • Team-A Administrator User Account (e.g. "adminteama") with Role "Team-A-Administrators".
      • Team-B Administrator User Account (e.g. "adminteamb") with Role "Team-B-Administrators".
      • Subversion repository used by Team-A, (e.g. "svn.mycompany.com/project-a"), with SVN User Account "svnusera".
      • Subversion repository used by Team-B, (e.g. "svn.mycompany.com/project-b"), with SVN User Account "svnuserb".

      Steps to reproduce issue:

      1. Login as Team-A Administrator ("adminteama").
      2. Create "New Job" with Job Name "TeamA-Project-1", type "Build a free-style software project".
      3. In the Project Configuration page, select "Subversion" as the Source Code Management.
      4. Input Repository URL "svn.mycompany.com/project-a".
      5. Add Credentials,
      • Kind: Username with password
      • Scope: Global
      • Username: svnusera
      • Password: ******** (assume correct password used)
      • Description: TeamA-SVN-User
      1. Select the newly created Credentials "TeamA-SVN-User". (see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25587/_thumb_25587.png )
      2. Save Job.
      3. Logout.
      4. Login as Team-B Administrator ("adminteamb").
      5. Create "New Job" with Job Name "TeamB-Project-1", type "Build a free-style software project".
      6. In the Project Configuration page, select "Subversion" as the Source Code Management.
      7. Input Repository URL "svn.mycompany.com/project-b". Review existing Credentials list.

      Actual Behavior:
      Credentials "TeamA-SVN-User" (belong to Team A) can be viewed and used by Team B, causing the Source Repository of Team A can be accessed by Team B without providing SCM password.
      (see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25588/_thumb_25588.png )

      Expected (improved) Behavior:
      The ability for Jenkins Root Administrator to provide private Credentials to specific Group/Team. e.g. Credentials created by Team A, should be accessible only to members of Team A.

        Attachments

          Activity

          Hide
          oleg_nenashev Oleg Nenashev added a comment - - edited

          I'd say that the issue is mostly related to the "Credentials" plugin.
          AFAIK, there is no "Group Credentials" plugin and no User Groups inside the Jenkins core.
          Hence it is not possible to share credentials within groups w/o special plugins.

          As a workaround, you can try Folders plugin. It allows to set internal credentials for projects inside the folder.

          Show
          oleg_nenashev Oleg Nenashev added a comment - - edited I'd say that the issue is mostly related to the "Credentials" plugin. AFAIK, there is no "Group Credentials" plugin and no User Groups inside the Jenkins core. Hence it is not possible to share credentials within groups w/o special plugins. As a workaround, you can try Folders plugin. It allows to set internal credentials for projects inside the folder.
          Hide
          stephen_dharma Stephen Dharma added a comment -

          OK, I have added the "Credentials" component to this issue.

          I will try the "Folders" plugin first, and will let you know about the result.

          Thank you.

          Show
          stephen_dharma Stephen Dharma added a comment - OK, I have added the "Credentials" component to this issue. I will try the "Folders" plugin first, and will let you know about the result. Thank you.
          Hide
          jglick Jesse Glick added a comment -

          Grouping jobs into folders is the expected way to limit credentials to members of a team, not a workaround.

          Show
          jglick Jesse Glick added a comment - Grouping jobs into folders is the expected way to limit credentials to members of a team, not a workaround.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            stephen_dharma Stephen Dharma
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: