Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22561

publish-over-cifs should be able to use Jenkins session credentials - including domain when Jenkins Active Directory authentication is used

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      If a user has logged in to Jenkins with active directory username and password, with a domain configured or discovered via the active directory plugin, then publish-over-cifs ought to be able to use these values to authenticate when connecting to the remote cifs server to publish files.

        Attachments

          Activity

          Hide
          samliddicott Sam Liddicott added a comment -

          It is somewhat gratifying so see some response after all this time.

          I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.

          Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.

          On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.

          I merely put these on record so that motivated parties may consider them

          Show
          samliddicott Sam Liddicott added a comment - It is somewhat gratifying so see some response after all this time. I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on. Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time. On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them. I merely put these on record so that motivated parties may consider them
          Hide
          samliddicott Sam Liddicott added a comment -

          Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts.

          These can then be supplied to the various plugins as configured.

          Show
          samliddicott Sam Liddicott added a comment - Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts. These can then be supplied to the various plugins as configured.
          Hide
          slide_o_mix Alex Earl added a comment -

          I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.

          Show
          slide_o_mix Alex Earl added a comment - I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.
          Hide
          samliddicott Sam Liddicott added a comment -

          I guess then we need a credentials parameter type which can

          • optionally default to a some stored credentials
          • optionally inject into the environment
          • be used as "job" scope credentials by other publish plugins

          Should I open a new issue for that?

          Show
          samliddicott Sam Liddicott added a comment - I guess then we need a credentials parameter type which can optionally default to a some stored credentials optionally inject into the environment be used as "job" scope credentials by other publish plugins Should I open a new issue for that?
          Hide
          slide_o_mix Alex Earl added a comment -

          The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.

          Show
          slide_o_mix Alex Earl added a comment - The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.

            People

            Assignee:
            samliddicott Sam Liddicott
            Reporter:
            samliddicott Sam Liddicott
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: