-
Improvement
-
Resolution: Won't Do
-
Major
If a user has logged in to Jenkins with active directory username and password, with a domain configured or discovered via the active directory plugin, then publish-over-cifs ought to be able to use these values to authenticate when connecting to the remote cifs server to publish files.
[JENKINS-22561] publish-over-cifs should be able to use Jenkins session credentials - including domain when Jenkins Active Directory authentication is used
Sam Liddicott
added a comment - 69 days left of sponsorship offer, I've increased the amount to
$50 as exchange rates are favourable right now
Sam Liddicott
added a comment - 69 days left of sponsorship offer, I've increased the amount to
$50 as exchange rates are favourable right now Sam Liddicott
added a comment - Nudge,bump. 30 days to go. If $50 is too low, does anyone want to negotiate?
Sam Liddicott
added a comment - Nudge,bump. 30 days to go. If $50 is too low, does anyone want to negotiate? There is no way to retrieve the credentials for the user in a form that can be used to re-authenticate for CIFS.
Sam Liddicott
added a comment - It is somewhat gratifying so see some response after all this time.
I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.
Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.
On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.
I merely put these on record so that motivated parties may consider them
Sam Liddicott
added a comment - It is somewhat gratifying so see some response after all this time.
I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.
Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.
On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.
I merely put these on record so that motivated parties may consider them Sam Liddicott
added a comment - Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts.
These can then be supplied to the various plugins as configured.
Sam Liddicott
added a comment - Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts.
These can then be supplied to the various plugins as configured. I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.
Sam Liddicott
added a comment - I guess then we need a credentials parameter type which can
- optionally default to a some stored credentials
- optionally inject into the environment
- be used as "job" scope credentials by other publish plugins
Should I open a new issue for that?
Sam Liddicott
added a comment - I guess then we need a credentials parameter type which can
optionally default to a some stored credentials
optionally inject into the environment
be used as "job" scope credentials by other publish plugins
Should I open a new issue for that? The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.
For your information, all publish-over-cifs component type JENKINS issues related to the Publish Over CIFS plugin have been transferred to Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues
Here is the direct link to this issue in Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues/64
And here is the link to a search for related issues: https://github.com/jenkinsci/publish-over-cifs-plugin/issues?q=%22JENKINS-22561%22
(Note: this is an automated bulk comment)
$25 currently offered for a fix at https://freedomsponsors.org/core/issue/483/publish-over-cifs-should-be-able-to-use-jenkins-session-credentials-including-domain-when-jenkins-active-directory-authentication-is-used?alert=SPONSOR#