Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-22561

publish-over-cifs should be able to use Jenkins session credentials - including domain when Jenkins Active Directory authentication is used

    XMLWordPrintable

Details

    Description

      If a user has logged in to Jenkins with active directory username and password, with a domain configured or discovered via the active directory plugin, then publish-over-cifs ought to be able to use these values to authenticate when connecting to the remote cifs server to publish files.

      Attachments

        Activity

          samliddicott Sam Liddicott created issue -
          samliddicott Sam Liddicott added a comment - $25 currently offered for a fix at https://freedomsponsors.org/core/issue/483/publish-over-cifs-should-be-able-to-use-jenkins-session-credentials-including-domain-when-jenkins-active-directory-authentication-is-used?alert=SPONSOR#
          samliddicott Sam Liddicott added a comment -

          69 days left of sponsorship offer, I've increased the amount to
          $50 as exchange rates are favourable right now

          samliddicott Sam Liddicott added a comment - 69 days left of sponsorship offer, I've increased the amount to $50 as exchange rates are favourable right now
          samliddicott Sam Liddicott added a comment -

          Nudge,bump. 30 days to go. If $50 is too low, does anyone want to negotiate?

          samliddicott Sam Liddicott added a comment - Nudge,bump. 30 days to go. If $50 is too low, does anyone want to negotiate?
          jglick Jesse Glick made changes -
          Field Original Value New Value
          Labels active_directory, cifs credentials cifs credentials
          rtyler R. Tyler Croy made changes -
          Workflow JNJira [ 154663 ] JNJira + In-Review [ 178879 ]
          slide_o_mix Alex Earl made changes -
          Assignee Alex Earl [ slide_o_mix ]
          slide_o_mix Alex Earl added a comment -

          There is no way to retrieve the credentials for the user in a form that can be used to re-authenticate for CIFS.

          slide_o_mix Alex Earl added a comment - There is no way to retrieve the credentials for the user in a form that can be used to re-authenticate for CIFS.
          slide_o_mix Alex Earl made changes -
          Resolution Won't Do [ 10001 ]
          Status Open [ 1 ] Closed [ 6 ]
          samliddicott Sam Liddicott made changes -
          Assignee Alex Earl [ slide_o_mix ] Sam Liddicott [ samliddicott ]
          samliddicott Sam Liddicott added a comment -

          It is somewhat gratifying so see some response after all this time.

          I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on.

          Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time.

          On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them.

          I merely put these on record so that motivated parties may consider them

          samliddicott Sam Liddicott added a comment - It is somewhat gratifying so see some response after all this time. I respectfully suggest that the credentials don't need retrieving as such. If an Active Directory ticket-granting kerberos ticket is obtained at the original authentication, then a ticket can be obtained for kerberos gssapi auth with the cifs server later on. Or, a cifs connection might be used as the authenticator, (or established at authentication time) and kept active ready for use at publish time. On the other hand, plugins might register as interested parties with interested actions, so at auth time the credentials are duplicated and encrypted against each registered plugin and action, to be used later during that plugin's action. I mean so that the publish action might receive opaque credentials which it can pass to a cifs connector which can then beg jenkins to emit them. I merely put these on record so that motivated parties may consider them
          samliddicott Sam Liddicott added a comment -

          Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts.

          These can then be supplied to the various plugins as configured.

          samliddicott Sam Liddicott added a comment - Or maybe the a new "interactive" credentials type; which, when included in a job, prompt the user for credentials when the job starts. These can then be supplied to the various plugins as configured.
          slide_o_mix Alex Earl added a comment -

          I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.

          slide_o_mix Alex Earl added a comment - I want to add support for the Credentials plugin and not manage credentials internally, I am not sure what the capability is for prompting, but I think that should be possible once that is implemented.
          samliddicott Sam Liddicott added a comment -

          I guess then we need a credentials parameter type which can

          • optionally default to a some stored credentials
          • optionally inject into the environment
          • be used as "job" scope credentials by other publish plugins

          Should I open a new issue for that?

          samliddicott Sam Liddicott added a comment - I guess then we need a credentials parameter type which can optionally default to a some stored credentials optionally inject into the environment be used as "job" scope credentials by other publish plugins Should I open a new issue for that?
          slide_o_mix Alex Earl added a comment -

          The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.

          slide_o_mix Alex Earl added a comment - The credentials would be managed at the job level, look at the wiki page for the credentials plugin. No new issue is needed.

          For your information, all publish-over-cifs component type JENKINS issues related to the Publish Over CIFS plugin have been transferred to Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues

          Here is the direct link to this issue in Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues/64
          And here is the link to a search for related issues: https://github.com/jenkinsci/publish-over-cifs-plugin/issues?q=%22JENKINS-22561%22

          (Note: this is an automated bulk comment)

          gmcdonald Gavin McDonald added a comment - For your information, all publish-over-cifs component type JENKINS issues related to the Publish Over CIFS plugin have been transferred to Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues Here is the direct link to this issue in Github: https://github.com/jenkinsci/publish-over-cifs-plugin/issues/64 And here is the link to a search for related issues: https://github.com/jenkinsci/publish-over-cifs-plugin/issues?q=%22JENKINS-22561%22 (Note: this is an automated bulk comment)

          People

            samliddicott Sam Liddicott
            samliddicott Sam Liddicott
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: