[JENKINS-27398] Pipeline-as-Code CredentialsProvider for a job

Type: New Feature
Resolution: Unresolved
Priority: Minor
Component/s: credentials-binding-plugin
Labels:
- pipeline

Similar Issues:
Powered by SuggestiMate

Show
Epic Link:
Pipeline-as-Code

There should be an analogue of FolderCredentialsProvider limited to a single Job, allowing credentials to be set on the narrowest possible scope.

Not Workflow specific, but arguably more important for flows since they are likely to replace a whole set of freestyle projects that might otherwise have been segregated into a distinct folder.

is related to

JENKINS-27386 Access credentials value from workflow Groovy script

Resolved

relates to

JENKINS-36007 Way to mask arbitrary Secret (was: Password is clear on log with input parameter)

Open

JENKINS-43633 Scope credentials to branch being built

Open

links to

CloudBees Internal CD-242

Jesse Glick created issue - 2015-03-12 15:22

Stephen Connolly added a comment - 2016-05-20 21:26

Feel free to implement this in a plugin

Stephen Connolly added a comment - 2016-05-20 21:26 Feel free to implement this in a plugin

Stephen Connolly made changes - 2016-05-20 21:26

Assignee

Original: Stephen Connolly [ stephenconnolly ]

New: Jesse Glick [ jglick ]

Jesse Glick made changes - 2016-06-11 09:48

Link

New: This issue is related to ~~JENKINS-27386~~ [ ~~JENKINS-27386~~ ]

Jesse Glick added a comment - 2016-06-11 09:49

An idea inspired by a conversation with kohsuke:

A new Pipeline Step which is able to define certain kinds of IdCredentials, probably limited to UsernamePasswordCredentialsImpl and StringCredentialsImpl to start with (but could be an extension point to add other options). The configuration would be similar to the credentials configuration view, except that Secret-valued fields would be data-bound specially: the secret would be salted with the job name (or a folder prefix—so that you could use Snippetizer from a WorkflowMultiBranchProject or OrganizationFolder), encrypted against InstanceIdentity.public¹, and the result Base64-encoded. When run, the text would be Base64-decoded, decrypted against InstanceIdentity.private, the salt stripped off and verified (must be the job name or a folder prefix thereof), the resulting Secret used to create the desired IdCredentials, and this would be cached² in a special CredentialsProvider keeping a per-job list. So then usage would look like (pending ~~JENKINS-29922~~):

credentials [$class: 'UsernamePassword', id: 'hipchat-login', username: 'bob', password: 'abc/def+GHI0123=']
hipchat server: …, message: …, credentialsId: 'hipchat-login'

¹Or perhaps a subclass of RSAConfidentialKey is the more modern way to do this? RSADigitalSignatureConfidentialKey does not look appropriate.

²The credentials must be persisted to disk somehow, to support builds running across Jenkins restarts, though they could be deleted when the Run finishes. The CredentialsProvider API provides no way to limit the credentials to a single Run of the Job, which could lead to surprises if you change the secret and are running concurrent builds: an earlier build might wind up picking up a secret edited in a later build. I think this is an acceptable limitation. There should not be a security risk for pull request builds since (a) credentials are set per job and thus per branch/PR; (b) an origin Jenkinsfile could simply decline to run the step if running in a PR. Merely seeing the encrypted text in the Jenkinsfile does not let you recover the secret without knowing the instance’s private key, nor could you use it in another job because of the salt.

Jesse Glick added a comment - 2016-06-11 09:49 An idea inspired by a conversation with kohsuke : A new Pipeline Step which is able to define certain kinds of IdCredentials , probably limited to UsernamePasswordCredentialsImpl and StringCredentialsImpl to start with (but could be an extension point to add other options). The configuration would be similar to the credentials configuration view, except that Secret -valued fields would be data-bound specially: the secret would be salted with the job name (or a folder prefix—so that you could use Snippetizer from a WorkflowMultiBranchProject or OrganizationFolder ), encrypted against InstanceIdentity.public ¹, and the result Base64-encoded. When run, the text would be Base64-decoded, decrypted against InstanceIdentity.private , the salt stripped off and verified (must be the job name or a folder prefix thereof), the resulting Secret used to create the desired IdCredentials , and this would be cached² in a special CredentialsProvider keeping a per-job list. So then usage would look like (pending JENKINS-29922 ): credentials [$class: 'UsernamePassword' , id: 'hipchat-login' , username: 'bob' , password: 'abc/def+GHI0123=' ] hipchat server: …, message: …, credentialsId: 'hipchat-login' ¹Or perhaps a subclass of RSAConfidentialKey is the more modern way to do this? RSADigitalSignatureConfidentialKey does not look appropriate. ²The credentials must be persisted to disk somehow, to support builds running across Jenkins restarts, though they could be deleted when the Run finishes. The CredentialsProvider API provides no way to limit the credentials to a single Run of the Job , which could lead to surprises if you change the secret and are running concurrent builds: an earlier build might wind up picking up a secret edited in a later build. I think this is an acceptable limitation. There should not be a security risk for pull request builds since (a) credentials are set per job and thus per branch/PR; (b) an origin Jenkinsfile could simply decline to run the step if running in a PR. Merely seeing the encrypted text in the Jenkinsfile does not let you recover the secret without knowing the instance’s private key, nor could you use it in another job because of the salt.

Jesse Glick made changes - 2016-06-11 09:49

Epic Link

New: JENKINS-35386 [ 171179 ]

Stephen Connolly added a comment - 2016-06-11 10:09

Yes that is an interesting idea.

Stephen Connolly added a comment - 2016-06-11 10:09 Yes that is an interesting idea.

Jesse Glick made changes - 2016-06-29 14:50

Component/s		New: workflow-plugin [ 18820 ]
Component/s	Original: credentials-plugin [ 16523 ]
Labels	Original: workflow	New: credentials
Summary	Original: CredentialsProvider based on JobProperty	New: Pipeline-as-Code CredentialsProvider for a job

R. Tyler Croy made changes - 2016-07-25 23:51

Workflow

Original: JNJira [ 161603 ]

New: JNJira + In-Review [ 180761 ]

Andrew Bayer made changes - 2016-08-26 21:51

Component/s

New: pipeline-general [ 21692 ]

Assignee:: Jesse Glick

Reporter:: Jesse Glick

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2015-03-12 15:22

Updated:: 2020-11-04 20:23

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Stephen Connolly added a comment - 2016-05-20 21:26

Expand comment: Stephen Connolly added a comment - 2016-05-20 21:26

Collapse comment: Jesse Glick added a comment - 2016-06-11 09:49

Expand comment: Jesse Glick added a comment - 2016-06-11 09:49

Collapse comment: Stephen Connolly added a comment - 2016-06-11 10:09

Expand comment: Stephen Connolly added a comment - 2016-06-11 10:09

People

Dates