-
New Feature
-
Resolution: Duplicate
-
Major
The mask-passwords-plugin does not enable global or even locally defined variables within the block when used in a pipeline/workflow job. I have configured a global password variable "MARATHON_PASSWORD". You'll see that I've tried referencing variables in two ways (echo and sh)
Example job config:
node {
stage 'Test Mask Passwords in Pipeline'
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: 'thePassword', var: 'MY_PASSWORD']]]) {
echo "retrive MY_PASSWORD by var = ${env.MY_PASSWORD}"
sh 'echo retrieve MY_PASSWORD by var = $MY_PASSWORD'
echo "retrieve MARATHON_PASSWORD by var = ${env.MARATHON_PASSWORD}"
sh 'echo retrieve MARATHON_PASSWORD by var = $MARATHON_PASSWORD'
echo "masking MY_PASSWORD value works = thePassword"
sh 'echo masking MY_PASSWORD value works = thePassword'
}
}
Output from running job:
[Pipeline] Allocate node : Start
Running on jenlxs7 in /apps/jenkins/slave1/workspace/CWL/AAA-TestPipeline
[Pipeline] node {
[Pipeline] stage (Test Mask Passwords in Pipeline)
Entering stage Test Mask Passwords in Pipeline
Proceeding
[Pipeline] General Build Wrapper : Start
[Pipeline] wrap {
retrive MY_PASSWORD by var = null
[Pipeline] echo
[Pipeline] sh
[AAA-TestPipeline] Running shell script
+ echo retrieve MY_PASSWORD by var =
retrieve MY_PASSWORD by var =
[Pipeline] echo
retrieve MARATHON_PASSWORD by var = null
[Pipeline] sh
[AAA-TestPipeline] Running shell script
+ echo retrieve MARATHON_PASSWORD by var =
retrieve MARATHON_PASSWORD by var =
[Pipeline] echo
masking MY_PASSWORD value works = ********
[Pipeline] sh
[AAA-TestPipeline] Running shell script
+ echo masking MY_PASSWORD value works = ********
masking MY_PASSWORD value works = ********
[Pipeline] } //wrap
[Pipeline] General Build Wrapper : End
[Pipeline] } //node
[Pipeline] Allocate node : End
[Pipeline] End of Pipeline
Finished: SUCCESS
As you can see, the plugin does effectively mask the value of given passwords when you use the value directly within the block. However, you should be able to use the password via it's variable name.
- duplicates
-
-
- Open
-
[JENKINS-34264] Support Global passwords from Mask Passwords in Pipeline
Then what is the point of the `var` variable? Performing this assignment seems like a no-brainer to me. What I expected was a `withEnv` step called under the covers that assigned the masked string to environment variables. While it is true that we could do this ourselves, it looks dirty, the true usage of it is opaque (see my first question), and it puts the burden on the person writing the pipeline script.
While it is true that the credentials binding plugin helps link environment variables to secrets, it requires that there be a stored credential per secret. An example use-case in which this is insufficient is repository-based secrets, whereby a single credential is kept in a domain that is then used for decrypting secrets stored in a git repository and storing them as "masked passwords". As I mentioned before, withCredentials demands a credential per secret.
Furthermore, in freestyle jobs, the mask passwords plugin also enables global passwords for use. This is the main feature that I see is missing in the workflow/pipeline support.
The 'withCredentials' support helps a little, but how do I access global passwords in a pipeline/workflow job?
Jeffrey Nelson
added a comment - - edited Furthermore, in freestyle jobs, the mask passwords plugin also enables global passwords for use. This is the main feature that I see is missing in the workflow/pipeline support.
The 'withCredentials' support helps a little, but how do I access global passwords in a pipeline/workflow job? The “global passwords” feature in the Mask Passwords plugin should not be used. This predates the Credentials plugin. Define global credentials instead.
Mask Passwords plugin is in the stale state. I agree with Jesse that it's Global Password functionality is not what recommended for new Jenkins instances.
I'll convert this bug to the medium-priority enhancement, but I do not plan to work on it in the short-term.
sébastien glon
added a comment - this not work on
def userInput = input(
[$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
])
with sh '"${userInput['login']}"
passwork is on masked on log
sébastien glon
added a comment - this not work on
def userInput = input(
[$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
])
with sh '"${userInput ['login'] }"
passwork is on masked on log No middle-term plan to implement this feature.
If somebody takes initiative and implements it, I'll do my best with change reviews and integration
Florian Straub
added a comment - nels4784: Managed to use global passwords defined in credentials with the approach described at https://mtijhof.wordpress.com/2019/06/03/jenkins-working-with-credentials-in-your-pipeline/
Florian Straub
added a comment - nels4784 : Managed to use global passwords defined in credentials with the approach described at https://mtijhof.wordpress.com/2019/06/03/jenkins-working-with-credentials-in-your-pipeline/ 
The plugin merely masks passwords, it does not set them.
What you are looking for is the Credentials Binding plugin, which has a Pipeline step and both binds passwords (and other secrets) to environment variables, and masks their values where they appear inside the block.