Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22289

Subversion Credentials with Role-Based-Security

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Not A Defect
    • Icon: Major Major
    • credentials-plugin, role-strategy-plugin, subversion-plugin

      Currently when using Jenkins with "Subversion Plugin" and "Role Strategy Plugin", the Administrator does not seem to have any control on how to manage "Subversion Credentials" privileges for multiple teams.

      Prerequisites:

      • Jenkins Credentials Plugin installed.
      • Jenkins Subversion Plugin installed.
      • Jenkins Role Strategy Plugin installed.
      • Access Control - Security Realm: "Jenkins’ own user database".
      • Access Control - Authorization: "Role-Based Strategy".
      • Role "admin" (Global Privileges: all).
      • Role "Team-A-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View Job-Create)(Project Privileges, Pattern TeamA.*: Credentials-Create, Credentials-View, Job-all, Run-all). (see screenshot: https://issues.jenkins-ci.org/secure/attachment/25586/JENKINS-22289_ManageAndAssignRoles.png )
      • Role "Team-B-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View, Job-Create)(Project Privileges, Pattern "TeamB.*": Credentials-Create, Credentials-View, Job-all, Run-all).
      • Jenkins Root Administrator User Account (e.g. "administrator") with Role "admin" (All Privileges).
      • Team-A Administrator User Account (e.g. "adminteama") with Role "Team-A-Administrators".
      • Team-B Administrator User Account (e.g. "adminteamb") with Role "Team-B-Administrators".
      • Subversion repository used by Team-A, (e.g. "svn.mycompany.com/project-a"), with SVN User Account "svnusera".
      • Subversion repository used by Team-B, (e.g. "svn.mycompany.com/project-b"), with SVN User Account "svnuserb".

      Steps to reproduce issue:

      1. Login as Team-A Administrator ("adminteama").
      2. Create "New Job" with Job Name "TeamA-Project-1", type "Build a free-style software project".
      3. In the Project Configuration page, select "Subversion" as the Source Code Management.
      4. Input Repository URL "svn.mycompany.com/project-a".
      5. Add Credentials,
      • Kind: Username with password
      • Scope: Global
      • Username: svnusera
      • Password: ******** (assume correct password used)
      • Description: TeamA-SVN-User
      1. Select the newly created Credentials "TeamA-SVN-User". (see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25587/_thumb_25587.png )
      2. Save Job.
      3. Logout.
      4. Login as Team-B Administrator ("adminteamb").
      5. Create "New Job" with Job Name "TeamB-Project-1", type "Build a free-style software project".
      6. In the Project Configuration page, select "Subversion" as the Source Code Management.
      7. Input Repository URL "svn.mycompany.com/project-b". Review existing Credentials list.

      Actual Behavior:
      Credentials "TeamA-SVN-User" (belong to Team A) can be viewed and used by Team B, causing the Source Repository of Team A can be accessed by Team B without providing SCM password.
      (see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25588/_thumb_25588.png )

      Expected (improved) Behavior:
      The ability for Jenkins Root Administrator to provide private Credentials to specific Group/Team. e.g. Credentials created by Team A, should be accessible only to members of Team A.

        1. JENKINS-22289_ManageAndAssignRoles.png
          JENKINS-22289_ManageAndAssignRoles.png
          91 kB
        2. JENKINS-22289_TeamAProject1.png
          JENKINS-22289_TeamAProject1.png
          87 kB
        3. JENKINS-22289_TeamBProject1.png
          JENKINS-22289_TeamBProject1.png
          75 kB

          [JENKINS-22289] Subversion Credentials with Role-Based-Security

          Oleg Nenashev added a comment - - edited

          I'd say that the issue is mostly related to the "Credentials" plugin.
          AFAIK, there is no "Group Credentials" plugin and no User Groups inside the Jenkins core.
          Hence it is not possible to share credentials within groups w/o special plugins.

          As a workaround, you can try Folders plugin. It allows to set internal credentials for projects inside the folder.

          Oleg Nenashev added a comment - - edited I'd say that the issue is mostly related to the "Credentials" plugin. AFAIK, there is no "Group Credentials" plugin and no User Groups inside the Jenkins core. Hence it is not possible to share credentials within groups w/o special plugins. As a workaround, you can try Folders plugin. It allows to set internal credentials for projects inside the folder.

          Stephen Dharma added a comment -

          OK, I have added the "Credentials" component to this issue.

          I will try the "Folders" plugin first, and will let you know about the result.

          Thank you.

          Stephen Dharma added a comment - OK, I have added the "Credentials" component to this issue. I will try the "Folders" plugin first, and will let you know about the result. Thank you.

          Jesse Glick added a comment -

          Grouping jobs into folders is the expected way to limit credentials to members of a team, not a workaround.

          Jesse Glick added a comment - Grouping jobs into folders is the expected way to limit credentials to members of a team, not a workaround.

            Unassigned Unassigned
            stephen_dharma Stephen Dharma
            Votes:
            1 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: