[JENKINS-34264] Support Global passwords from Mask Passwords in Pipeline

      The mask-passwords-plugin does not enable global or even locally defined variables within the block when used in a pipeline/workflow job. I have configured a global password variable "MARATHON_PASSWORD". You'll see that I've tried referencing variables in two ways (echo and sh).

      Example job config:

      node {
          stage 'Test Mask Passwords in Pipeline'
          
          wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: 'thePassword', var: 'MY_PASSWORD']]]) {
              echo "retrive MY_PASSWORD by var = ${env.MY_PASSWORD}"
              sh 'echo retrieve MY_PASSWORD by var = $MY_PASSWORD'
              echo "retrieve MARATHON_PASSWORD by var = ${env.MARATHON_PASSWORD}"
              sh 'echo retrieve MARATHON_PASSWORD by var = $MARATHON_PASSWORD'
              
              echo "masking MY_PASSWORD value works = thePassword"
              sh 'echo masking MY_PASSWORD value works = thePassword'
          }
      }

      Output from running job:

      [Pipeline] Allocate node : Start
      Running on jenlxs7 in /apps/jenkins/slave1/workspace/CWL/AAA-TestPipeline
      [Pipeline] node {
      [Pipeline] stage (Test Mask Passwords in Pipeline)
      Entering stage Test Mask Passwords in Pipeline
      Proceeding
      [Pipeline] General Build Wrapper : Start
      [Pipeline] wrap {
      retrive MY_PASSWORD by var = null
      [Pipeline] echo
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo retrieve MY_PASSWORD by var =
      retrieve MY_PASSWORD by var =
      [Pipeline] echo
      retrieve MARATHON_PASSWORD by var = null
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo retrieve MARATHON_PASSWORD by var =
      retrieve MARATHON_PASSWORD by var =
      [Pipeline] echo
      masking MY_PASSWORD value works = ********
      [Pipeline] sh
      [AAA-TestPipeline] Running shell script
      + echo masking MY_PASSWORD value works = ********
      masking MY_PASSWORD value works = ********
      [Pipeline] } //wrap
      [Pipeline] General Build Wrapper : End
      [Pipeline] } //node
      [Pipeline] Allocate node : End
      [Pipeline] End of Pipeline
      Finished: SUCCESS

      As you can see, the plugin does effectively mask the value of given passwords when you use the value directly within the block. However, you should be able to use the password via its variable name.

          Jesse Glick added a comment -

          The plugin merely masks passwords, it does not set them.

          What you are looking for is the Credentials Binding plugin, which has a Pipeline step and both binds passwords (and other secrets) to environment variables, and masks their values where they appear inside the block.

          Elliot Weiser added a comment -

          Then what is the point of the `var` variable? Performing this assignment seems like a no-brainer to me. What I expected was a `withEnv` step called under the covers that assigned the masked string to environment variables. While it is true that we could do this ourselves, it looks dirty, the true usage of it is opaque (see my first question), and it puts the burden on the person writing the pipeline script.

          While it is true that the credentials binding plugin helps link environment variables to secrets, it requires that there be a stored credential per secret. An example use-case in which this is insufficient is repository-based secrets, whereby a single credential is kept in a domain that is then used for decrypting secrets stored in a git repository and storing them as "masked passwords". As I mentioned before, withCredentials demands a credential per secret.
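The two approaches discussed in the comments above, side by side, as an added example that is not code from the issue or from either plugin. The credential ID 'marathon-password' and the `decrypted` variable are hypothetical; the first stage assumes a "Secret text" credential with that ID exists in the global credentials store.

```groovy
node {
    stage('Bind a stored credential') {
        // 'marathon-password' is a hypothetical credential ID (kind: Secret text).
        // withCredentials both sets the environment variable and masks its value.
        withCredentials([string(credentialsId: 'marathon-password',
                                variable: 'MARATHON_PASSWORD')]) {
            // Single-quoted Groovy string: the shell expands the variable, so the
            // secret is never interpolated into the Pipeline script itself.
            sh 'test -n "$MARATHON_PASSWORD" && echo "MARATHON_PASSWORD is set"'
            // The value is masked where it appears in the log inside this block.
            sh 'echo "value = $MARATHON_PASSWORD"'
        }
    }

    stage('Mask a value obtained at run time') {
        // Constructed placeholder for a secret the job produced itself (for
        // example one decrypted from the repository), with no stored credential.
        def decrypted = 'thePassword'
        // The wrapper only masks the value; withEnv is what sets the variable.
        wrap([$class: 'MaskPasswordsBuildWrapper',
              varPasswordPairs: [[password: decrypted, var: 'MY_PASSWORD']]]) {
            withEnv(["MY_PASSWORD=${decrypted}"]) {
                sh 'echo "retrieve MY_PASSWORD by var = $MY_PASSWORD"'
            }
        }
    }
}
```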

          Jeffrey Nelson added a comment - - edited

          Furthermore, in freestyle jobs, the mask passwords plugin also enables global passwords for use. This is the main feature that I see is missing in the workflow/pipeline support.

          The 'withCredentials' support helps a little, but how do I access global passwords in a pipeline/workflow job?

          Jesse Glick added a comment -

          The “global passwords” feature in the Mask Passwords plugin should not be used. This predates the Credentials plugin. Define global credentials instead.

          Oleg Nenashev added a comment -

          Mask Passwords plugin is in the stale state. I agree with Jesse that its Global Password functionality is not what is recommended for new Jenkins instances.
          I'll convert this bug to the medium-priority enhancement, but I do not plan to work on it in the short-term.

          sébastien glon added a comment -

          this not work on
          def userInput = input(
          [$class: 'PasswordParameterDefinition', description: 'Password', name: 'pwd']
          ])

          with sh '"${userInput['login']}"
          password is on masked on log

          Oleg Nenashev added a comment -

          No middle-term plan to implement this feature.
          If somebody takes initiative and implements it, I'll do my best with change reviews and integration

          Florian Straub added a comment -

          nels4784: Managed to use global passwords defined in credentials with the approach described at https://mtijhof.wordpress.com/2019/06/03/jenkins-working-with-credentials-in-your-pipeline/

            Assignee: Unassigned
            Reporter: Jeffrey Nelson (nels4784)
            Votes: 2
            Watchers: 11