Type: Bug
Resolution: Unresolved
Priority: Major
Component/s: credentials-binding-plugin
Labels:
None

Environment

Jenkins 2.46.2
credentials:2.1.13 'Credentials Plugin'
credentials-binding:1.11 'Credentials Binding Plugin'
workflow-aggregator:2.5 'Pipeline'
workflow-api:2.12 'Pipeline: API'
workflow-basic-steps:2.4 'Pipeline: Basic Steps'
workflow-cps:2.29 'Pipeline: Groovy'
workflow-cps-checkpoint:2.4 'CloudBees Pipeline: Groovy Checkpoint Plugin'
workflow-cps-global-lib:2.7 'Pipeline: Shared Groovy Libraries'
workflow-durable-task-step:2.10 'Pipeline: Nodes and Processes'
workflow-job:2.10 'Pipeline: Job'
workflow-multibranch:2.14 'Pipeline: Multibranch'
workflow-scm-step:2.4 'Pipeline: SCM Step'
workflow-step-api:2.9 'Pipeline: Step API'
workflow-support:2.14 'Pipeline: Supporting APIs'

Scenario to Use User Scoped Credentials in "withCredentials()"

Many organizations use GPG Signing Key and special permissions on Nexus / Artifactory to create releases. For traceability and security, these privileged credentials may be managed as are "per individual/personal credentials", they may not be shared with team members.

For this kind of credentials, we want to use Jenkins User Scoped Credentials in pipeline (withCredentials, git, config-file-provider, ssh-agent...)

Description

When using the authorize project plugin,

User Scoped Credentials are not found by the "withCredentials" pipeline step.
Global Credentials overwritten by user scoped credentials are not overwritten when used with the "withCredentials" pipeline step.

Reproduce

Install the Project Authorize Plugin and configure it "Run as user who triggered the build"
Create a global credential "global-credentials-intended-to-be-overwritten-at-the-user-scope"
Create user scoped credentials "global-credentials-intended-to-be-overwritten-at-the-user-scope"
create a pipeline with "withCredentials" binding 'global-bitbucket-credentials-intended-to-be-overwritten-at-the-user-scope' and writing it in a text file
run the build, open the text file in the workspace and verify that the global credentials are NOT overwritten

Create user scoped credentials "my-username-password"
Create a pipeline with "withCredentials" and the "my-username-password" credentials
job will fail with "CredentialNotFoundException"

node {
    // verify that the build is properly impersonated by the https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
    echo "Build is running as user " + org.acegisecurity.context.SecurityContextHolder.getContext().getAuthentication().toString()
    
    stage ("Global Credentials Overwritten at the user scope") {
        // credentials declared globally and overwritten by a user scoped credentials
        withCredentials([
            usernamePassword(
                credentialsId: 'global-credentials-intended-to-be-overwritten-at-the-user-scope', 
                passwordVariable: 'PASSWORD_VAR', 
                usernameVariable: 'USERNAME_VAR')]) {
           sh "echo $PASSWORD_VAR > spy-overwritten-creds.txt"
        }
    }
    stage ("User Scoped Credentials") {
        withCredentials([
            usernamePassword(
                credentialsId: 'my-username-password', 
                passwordVariable: 'PASSWORD_VAR', 
                usernameVariable: 'USERNAME_VAR')]) {
           sh "echo $PASSWORD_VAR > spy-user-scoped-credentials.txt"
        }
    }
}

Started by user admin
[Pipeline] node
Running on agent-1 in /home/ubuntu/jenkins-aws-home/workspace/tests/user-scoped-credentials-pipeline-step-with-credentials
[Pipeline] {
[Pipeline] echo
Build is running as user org.acegisecurity.providers.UsernamePasswordAuthenticationToken@965748a4: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
[Pipeline] stage
[Pipeline] { (Global Credentials Overwritten at the user scope)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] sh
[user-scoped-credentials-pipeline-step-with-credentials] Running shell script
+ echo ****
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (User Scoped Credentials)
[Pipeline] withCredentials
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: my-username-password
  at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)
  at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:76)
  at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
  at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:184)
  at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:126)
  at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
  at groovy.lang.GroovyObject$invokeMethod.call(Unknown Source)
  at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
  at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
  at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:151)
  at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:21)
  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:115)
  at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
  at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
  at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:123)
  at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:123)
  at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
  at WorkflowScript.run(WorkflowScript:16)
  at ___cps.transform___(Native Method)
  at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
  at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
  at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
  at sun.reflect.GeneratedMethodAccessor591.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
  at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
  at com.cloudbees.groovy.cps.Next.step(Next.java:74)
  at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
  at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
  at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
  at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
  at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
  at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
  at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:165)
  at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:328)
  at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:80)
  at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:240)
  at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:228)
  at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
  at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
  at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

cloudbees-support_cje-master.alliances.beescloud.com_2017-04-27_14.09.05.zip
939 kB
2017-06-08 11:19

is duplicated by

JENKINS-44635 Declarative credentials() can't see user store credentials

Closed

is related to

JENKINS-47699 Cannot use user-scoped credentials from pipeline input step parameters

Resolved

JENKINS-44773 User Scoped credentials are not used by the "git" pipeline step

Closed

JENKINS-55052 Different behavior accessing user credentials using RunAs Specific vs. Triggered User

Fixed but Unreleased

JENKINS-38963 User-scoped credentials cannot be looked up in pipeline

Resolved

JENKINS-44774 User Scoped credentials don't appear in credentials drop down lists

Resolved

relates to

JENKINS-58170 Allow credential parameters to shadow credential ids in lookup

Resolved

links to

CloudBees Internal CD-46

(1 is related to, 1 relates to, 1 links to)

Details

Description

Environment

Scenario to Use User Scoped Credentials in "withCredentials()"

Description

Reproduce

Attachments

Attachments

Issue Links

Activity

People

Dates