-
Improvement
-
Resolution: Not A Defect
-
Major
-
- Jenkins, version 1.546 (latest LTS when this issue created).
- Jenkins Credentials Plugin (credentials), version 1.10 (latest when this issue created).
- Jenkins Subversion Plugin (subversion), version 2.2 (latest when this issue created).
- Jenkins Role Strategy Plugin (role-strategy), version 2.1.0 (latest when this issue created).
- JBoss Application Server 4.2.3.
- Subversion.- Jenkins, version 1.546 (latest LTS when this issue created). - Jenkins Credentials Plugin (credentials), version 1.10 (latest when this issue created). - Jenkins Subversion Plugin (subversion), version 2.2 (latest when this issue created). - Jenkins Role Strategy Plugin (role-strategy), version 2.1.0 (latest when this issue created). - JBoss Application Server 4.2.3. - Subversion.
Currently when using Jenkins with "Subversion Plugin" and "Role Strategy Plugin", the Administrator does not seem to have any control on how to manage "Subversion Credentials" privileges for multiple teams.
Prerequisites:
- Jenkins Credentials Plugin installed.
- Jenkins Subversion Plugin installed.
- Jenkins Role Strategy Plugin installed.
- Access Control - Security Realm: "Jenkins’ own user database".
- Access Control - Authorization: "Role-Based Strategy".
- Role "admin" (Global Privileges: all).
- Role "Team-A-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View Job-Create)(Project Privileges, Pattern TeamA.*: Credentials-Create, Credentials-View, Job-all, Run-all). (see screenshot: https://issues.jenkins-ci.org/secure/attachment/25586/JENKINS-22289_ManageAndAssignRoles.png )
- Role "Team-B-Administrators" (Global Privileges: Overall-Read, Credentials-Create, Credentials-View, Job-Create)(Project Privileges, Pattern "TeamB.*": Credentials-Create, Credentials-View, Job-all, Run-all).
- Jenkins Root Administrator User Account (e.g. "administrator") with Role "admin" (All Privileges).
- Team-A Administrator User Account (e.g. "adminteama") with Role "Team-A-Administrators".
- Team-B Administrator User Account (e.g. "adminteamb") with Role "Team-B-Administrators".
- Subversion repository used by Team-A, (e.g. "svn.mycompany.com/project-a"), with SVN User Account "svnusera".
- Subversion repository used by Team-B, (e.g. "svn.mycompany.com/project-b"), with SVN User Account "svnuserb".
Steps to reproduce issue:
- Login as Team-A Administrator ("adminteama").
- Create "New Job" with Job Name "TeamA-Project-1", type "Build a free-style software project".
- In the Project Configuration page, select "Subversion" as the Source Code Management.
- Input Repository URL "svn.mycompany.com/project-a".
- Add Credentials,
- Kind: Username with password
- Scope: Global
- Username: svnusera
- Password: ******** (assume correct password used)
- Description: TeamA-SVN-User
- Select the newly created Credentials "TeamA-SVN-User". (see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25587/_thumb_25587.png )
- Save Job.
- Logout.
- Login as Team-B Administrator ("adminteamb").
- Create "New Job" with Job Name "TeamB-Project-1", type "Build a free-style software project".
- In the Project Configuration page, select "Subversion" as the Source Code Management.
- Input Repository URL "svn.mycompany.com/project-b". Review existing Credentials list.
Actual Behavior:
Credentials "TeamA-SVN-User" (belong to Team A) can be viewed and used by Team B, causing the Source Repository of Team A can be accessed by Team B without providing SCM password.
(see screenshot: https://issues.jenkins-ci.org/secure/thumbnail/25588/_thumb_25588.png )
Expected (improved) Behavior:
The ability for Jenkins Root Administrator to provide private Credentials to specific Group/Team. e.g. Credentials created by Team A, should be accessible only to members of Team A.
