  1. Jenkins
  2. JENKINS-34264

Support Global passwords from Mask Passwords in Pipeline

      Description

      The mask-passwords-plugin does not enable global or even locally defined variables within the block when used in a pipeline/workflow job. I have configured a global password variable "MARATHON_PASSWORD". You'll see that I've tried referencing variables in two ways (echo and sh).

      Example job config:

      node {
          stage 'Test Mask Passwords in Pipeline'
          
          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: 'thePassword', var: 'MY_PASSWORD']]]) {
              echo "retrive MY_PASSWORD by var = ${env.MY_PASSWORD}"
              sh 'echo retrieve MY_PASSWORD by var = $MY_PASSWORD'
              echo "retrieve MARATHON_PASSWORD by var = ${env.MARATHON_PASSWORD}"
              sh 'echo retrieve MARATHON_PASSWORD by var = $MARATHON_PASSWORD'
              
              echo "masking MY_PASSWORD value works = thePassword"
              sh 'echo masking MY_PASSWORD value works = thePassword'
          }
      }

      Output from running job:

      [Pipeline] Allocate node : Start
      Running on jenlxs7 in /apps/jenkins/slave1/workspace/CWL/AAA-TestPipeline
      [Pipeline] node {
      [Pipeline] stage (Test Mask Passwords in Pipeline)
      Entering stage Test Mask Passwords in Pipeline
      Proceeding
      [Pipeline] General Build Wrapper : Start
      [Pipeline] wrap {
      retrive MY_PASSWORD by var = null
      [Pipeline] echo
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo retrieve MY_PASSWORD by var =
      retrieve MY_PASSWORD by var =
      [Pipeline] echo
      retrieve MARATHON_PASSWORD by var = null
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo retrieve MARATHON_PASSWORD by var =
      retrieve MARATHON_PASSWORD by var =
      [Pipeline] echo
      masking MY_PASSWORD value works = ********
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo masking MY_PASSWORD value works = ********
      masking MY_PASSWORD value works = ********
      [Pipeline] } //wrap
      [Pipeline] General Build Wrapper : End
      [Pipeline] } //node
      [Pipeline] Allocate node : End
      [Pipeline] End of Pipeline
      Finished: SUCCESS

      As you can see, the plugin does effectively mask the value of given passwords when you use the value directly within the block. However, you should be able to use the password via its variable name.

            Activity

            jglick Jesse Glick added a comment -

            The plugin merely masks passwords; it does not set them.

            What you are looking for is the Credentials Binding plugin, which has a Pipeline step and both binds passwords (and other secrets) to environment variables, and masks their values where they appear inside the block.

            elliotweiser Elliot Weiser added a comment -

            Then what is the point of the `var` variable? Performing this assignment seems like a no-brainer to me. What I expected was a `withEnv` step called under the covers that assigned the masked string to environment variables. While it is true that we could do this ourselves, it looks dirty, the true usage of it is opaque (see my first question), and it puts the burden on the person writing the pipeline script.

            While it is true that the credentials binding plugin helps link environment variables to secrets, it requires that there be a stored credential per secret. An example use-case in which this is insufficient is repository-based secrets, whereby a single credential is kept in a domain that is then used for decrypting secrets stored in a git repository and storing them as "masked passwords". As I mentioned before, withCredentials demands a credential per secret.

            nels4784 Jeffrey Nelson added a comment - - edited

            Furthermore, in freestyle jobs, the mask passwords plugin also enables global passwords for use. This is the main feature that I see is missing in the workflow/pipeline support.

            The 'withCredentials' support helps a little, but how do I access global passwords in a pipeline/workflow job?

            jglick Jesse Glick added a comment -

            The “global passwords” feature in the Mask Passwords plugin should not be used. This predates the Credentials plugin. Define global credentials instead.

            oleg_nenashev Oleg Nenashev added a comment -

            The Mask Passwords plugin is in a stale state. I agree with Jesse that its Global Password functionality is not what is recommended for new Jenkins instances.
            I'll convert this bug to a medium-priority enhancement, but I do not plan to work on it in the short-term.

            sebglon sébastien glon added a comment -

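            This does not work on
            def userInput = input(
                message: 'Enter password',  // placeholder text; the input step requires a message
                parameters: [
                    [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
                ])

            with sh '"${userInput['login']}"
            password is on masked on log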

            oleg_nenashev Oleg Nenashev added a comment -

            No middle-term plan to implement this feature.
            If somebody takes initiative and implements it, I'll do my best with change reviews and integration.

            flominatortm Florian Straub added a comment -

            Jeffrey Nelson: Managed to use global passwords defined in credentials with the approach described at https://mtijhof.wordpress.com/2019/06/03/jenkins-working-with-credentials-in-your-pipeline/
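
An added example, not part of the issue thread or of either plugin's own code: a Pipeline sketch of the two approaches discussed above. The first stage uses the Credentials Binding `withCredentials` step, which binds and masks; the second pairs the Mask Passwords wrapper with `withEnv`, since the wrapper only masks. The credential ID `marathon-password` and the variable `derived` are assumptions made for illustration.

```groovy
// Added example. Assumes a "Secret text" credential with the hypothetical ID
// 'marathon-password' exists in the Jenkins credentials store.
node {
    stage('Stored secret via Credentials Binding') {
        // withCredentials sets MARATHON_PASSWORD for the block and masks its
        // value where it appears in the build log.
        withCredentials([string(credentialsId: 'marathon-password',
                                variable: 'MARATHON_PASSWORD')]) {
            // Single quotes: the shell expands the variable, so the secret is
            // never interpolated into the Groovy string.
            sh 'test -n "$MARATHON_PASSWORD" && echo "MARATHON_PASSWORD is set"'
        }
    }

    stage('Runtime value via Mask Passwords') {
        // Constructed stand-in for a value obtained at run time (for example,
        // decrypted from a repository); not a real secret.
        def derived = 'thePassword'
        // The wrapper only masks the value; withEnv is what exports it as
        // an environment variable for the enclosed steps.
        wrap([$class: 'MaskPasswordsBuildWrapper',
              varPasswordPairs: [[password: derived, var: 'MY_PASSWORD']]]) {
            withEnv(["MY_PASSWORD=${derived}"]) {
                sh 'echo "retrieve MY_PASSWORD by var = $MY_PASSWORD"'
            }
        }
    }
}
```

Masking is a log filter, not access control: any step inside either block can still read the variable, so keep the blocks as narrow as the steps that need the secret.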


              People

              Assignee: Unassigned
              Reporter: nels4784 Jeffrey Nelson
              Votes: 2
              Watchers: 11
