Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Component/s: credentials-binding-plugin
Labels: None
Description
Environment
- Jenkins 2.46.2
- credentials:2.1.13 'Credentials Plugin'
- credentials-binding:1.11 'Credentials Binding Plugin'
- workflow-aggregator:2.5 'Pipeline'
- workflow-api:2.12 'Pipeline: API'
- workflow-basic-steps:2.4 'Pipeline: Basic Steps'
- workflow-cps:2.29 'Pipeline: Groovy'
- workflow-cps-checkpoint:2.4 'CloudBees Pipeline: Groovy Checkpoint Plugin'
- workflow-cps-global-lib:2.7 'Pipeline: Shared Groovy Libraries'
- workflow-durable-task-step:2.10 'Pipeline: Nodes and Processes'
- workflow-job:2.10 'Pipeline: Job'
- workflow-multibranch:2.14 'Pipeline: Multibranch'
- workflow-scm-step:2.4 'Pipeline: SCM Step'
- workflow-step-api:2.9 'Pipeline: Step API'
- workflow-support:2.14 'Pipeline: Supporting APIs'
Scenario to Use User Scoped Credentials in "withCredentials()"
Many organizations use a GPG signing key and elevated permissions on Nexus / Artifactory to create releases. For traceability and security, these privileged credentials are often managed as per-individual (personal) credentials that are not allowed to be shared with team members.
For this kind of credential we want to use Jenkins user-scoped credentials in Pipeline (withCredentials, git, config-file-provider, ssh-agent, ...).
Description
When using the Authorize Project plugin:
- User-scoped credentials are not found by the "withCredentials" pipeline step (the step fails with CredentialNotFoundException).
- A global credential that is overridden by a user-scoped credential with the same id is not overridden when used with the "withCredentials" pipeline step: the global credential is the one that gets bound.
Reproduce
- Install the Authorize Project plugin and configure it to "Run as user who triggered the build"
- Create a global credential "global-credentials-intended-to-be-overwritten-at-the-user-scope"
- Create a user-scoped credential with the same id, "global-credentials-intended-to-be-overwritten-at-the-user-scope"
- Create a pipeline that binds 'global-credentials-intended-to-be-overwritten-at-the-user-scope' with "withCredentials" and writes the bound password to a text file
- Run the build, open the text file in the workspace and verify that the global credential is NOT overwritten (the global password was bound)
- Create a user-scoped credential "my-username-password"
- Create a pipeline with "withCredentials" bound to the "my-username-password" credential
- The job fails with "CredentialNotFoundException"
Pipeline script:

node {
    // verify that the build is properly impersonated by the
    // https://wiki.jenkins-ci.org/display/JENKINS/Authorize+Project+plugin
    echo "Build is running as user " + org.acegisecurity.context.SecurityContextHolder.getContext().getAuthentication().toString()

    stage("Global Credentials Overwritten at the user scope") {
        // credentials declared globally and overwritten by a user scoped credentials
        withCredentials([usernamePassword(
                credentialsId: 'global-credentials-intended-to-be-overwritten-at-the-user-scope',
                passwordVariable: 'PASSWORD_VAR',
                usernameVariable: 'USERNAME_VAR')]) {
            // The password is written to a workspace file ON PURPOSE so the repro can check
            // which credential was bound; never do this in a real pipeline.
            // Note: "$PASSWORD_VAR" is expanded by Groovy; the recommended form is the
            // single-quoted 'echo $PASSWORD_VAR', which lets the shell expand the variable
            // and keeps the secret out of Groovy string interpolation.
            sh "echo $PASSWORD_VAR > spy-overwritten-creds.txt"
        }
    }

    stage("User Scoped Credentials") {
        // credentials that exist only in the user's own credential store
        withCredentials([usernamePassword(
                credentialsId: 'my-username-password',
                passwordVariable: 'PASSWORD_VAR',
                usernameVariable: 'USERNAME_VAR')]) {
            sh "echo $PASSWORD_VAR > spy-user-scoped-credentials.txt"
        }
    }
}
Console output:

Started by user admin
[Pipeline] node
Running on agent-1 in /home/ubuntu/jenkins-aws-home/workspace/tests/user-scoped-credentials-pipeline-step-with-credentials
[Pipeline] {
[Pipeline] echo
Build is running as user org.acegisecurity.providers.UsernamePasswordAuthenticationToken@965748a4: Username: admin; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: authenticated
[Pipeline] stage
[Pipeline] { (Global Credentials Overwritten at the user scope)
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] sh
[user-scoped-credentials-pipeline-step-with-credentials] Running shell script
+ echo ****
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (User Scoped Credentials)
[Pipeline] withCredentials
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: my-username-password
    at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:153)
    at org.jenkinsci.plugins.credentialsbinding.impl.UsernamePasswordMultiBinding.bind(UsernamePasswordMultiBinding.java:76)
    at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114)
    at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:184)
    at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:126)
    at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
    at groovy.lang.GroovyObject$invokeMethod.call(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:151)
    at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:21)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:115)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:149)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:146)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:123)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:123)
    at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
    at WorkflowScript.run(WorkflowScript:16)
    at ___cps.transform___(Native Method)
    at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
    at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
    at sun.reflect.GeneratedMethodAccessor591.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
    at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
    at com.cloudbees.groovy.cps.Next.step(Next.java:74)
    at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:154)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:18)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:33)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
    at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:30)
    at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:165)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:328)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:80)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:240)
    at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:228)
    at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:112)
    at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Finished: FAILURE
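The CredentialNotFoundException above comes down to which Authentication the lookup is performed with: the user credential store only contributes credentials when the lookup carries that user's authentication, not ACL.SYSTEM. The Script Console snippet below is an added diagnostic, not part of the report and not code from the credentials or credentials-binding plugins; it uses the public CredentialsProvider.lookupCredentials API to look up the two ids from the reproduction steps once as ACL.SYSTEM and once as the logged-in user, and reports where each id is visible. The credential ids are the ones assumed from the steps above; run it while logged in as the user who owns the user-scoped credentials.

```groovy
// Added diagnostic (not from the issue): Manage Jenkins > Script Console,
// logged in as the owner of the user-scoped credentials.
import com.cloudbees.plugins.credentials.CredentialsMatchers
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials
import hudson.security.ACL
import jenkins.model.Jenkins
import org.acegisecurity.Authentication

// Ids assumed from the reproduction steps; change them to whatever you created.
List<String> ids = [
    'global-credentials-intended-to-be-overwritten-at-the-user-scope',
    'my-username-password',
]

// Script Console code runs with the authentication of the logged-in user.
Authentication me = Jenkins.getAuthentication()

// Look one id up as the given authentication; null when it is not visible in that context.
def lookup = { String id, Authentication auth ->
    CredentialsMatchers.firstOrNull(
        CredentialsProvider.lookupCredentials(
            StandardUsernamePasswordCredentials.class,
            Jenkins.getInstance(),
            auth,
            Collections.emptyList()),   // no domain requirements
        CredentialsMatchers.withId(id))
}

ids.each { String id ->
    def asSystem = lookup(id, ACL.SYSTEM)  // what a lookup performed as SYSTEM sees
    def asUser   = lookup(id, me)          // what a lookup carrying this user's auth sees

    println "credentialsId '${id}'"
    println "  visible as ACL.SYSTEM (system/global stores only): ${asSystem != null}"
    println "  visible as ${me.name} (adds ${me.name}'s own user store): ${asUser != null}"
    if (asSystem == null && asUser != null) {
        println "  -> user-scoped only: a step that does not look up with ${me.name}'s authentication fails with CredentialNotFoundException"
    } else if (asSystem != null && asUser != null) {
        // Same id in a shared store and in the user store: the descriptions show
        // which object each context actually returns.
        println "  -> SYSTEM context returns: '${asSystem.description}'"
        println "  -> user context returns:   '${asUser.description}'"
    } else if (asSystem == null && asUser == null) {
        println "  -> not found in any store visible to either context"
    }
}
```

For the second id in the report you should see "visible as ACL.SYSTEM: false" and "visible as admin: true", which is the combination that produces the exception in the build log; the first id shows whether the user-context lookup returns the user-scoped object or the global one.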
Issue Links
- is duplicated by
  - JENKINS-44635 Declarative credentials() can't see user store credentials (Closed)
- is related to
  - JENKINS-47699 Cannot use user-scoped credentials from pipeline input step parameters (Resolved)
  - JENKINS-44773 User Scoped credentials are not used by the "git" pipeline step (Closed)
  - JENKINS-55052 Different behavior accessing user credentials using RunAs Specific vs. Triggered User (Fixed but Unreleased)
  - JENKINS-38963 User-scoped credentials cannot be looked up in pipeline (Resolved)
  - JENKINS-44774 User Scoped credentials don't appear in credentials drop down lists (Resolved)
- relates to
  - JENKINS-58170 Allow credential parameters to shadow credential ids in lookup (Resolved)
Comments
You've primarily described https://issues.jenkins.io/browse/JENKINS-59109 which would add support for propagating user credentials from one build to another via the build step. The low level API is described here: https://github.com/jenkinsci/credentials-plugin/blob/master/docs/consumer.adoc#binding-user-supplied-credentials-parameters-to-builds which would be used in an implementation for JENKINS-59109 and any other plugins that wish to integrate this further. Ideally, this feature would offer the ability to specify which loaded credentials to propagate. The gist of the integration would propagate the user who bound each credential parameter so that downstream jobs still know which user corresponds to which credential binding for authorization purposes.
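The user-supplied credentials parameter path referred to in the comment above, written out as an added scripted Pipeline example; it is not code from the reporter, the comment author, or the credentials plugins. It assumes that a credentialsId written as the parameter expression '${RELEASE_CREDS}' is resolved by the credentials plugin against the credentials parameter of that name and looked up in the context of the user who supplied it, as the linked consumer.adoc section describes, so that the triggering user can hand the build one of their own user-scoped credentials without the build having to impersonate them. The parameter name RELEASE_CREDS, the variable names and the repository URL are invented for the example.

```groovy
// Added example (not from the issue): the triggering user selects one of THEIR
// user-scoped username/password credentials when starting the build.
properties([
    parameters([
        credentials(
            name: 'RELEASE_CREDS',
            description: 'Select one of your own (user-scoped) username/password credentials',
            credentialType: 'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl',
            required: true,
            defaultValue: '')
    ])
])

node {
    // ASSUMPTION: '${RELEASE_CREDS}' (single-quoted so Groovy does not expand it) names
    // the credentials *parameter*; the plugin then resolves the selected id as the user
    // who supplied the parameter, which is what makes a user-scoped credential reachable.
    // Passing params.RELEASE_CREDS, i.e. the selected id as a plain string, would be
    // treated as an ordinary credentialsId and go through the lookup this report describes.
    withCredentials([usernamePassword(
            credentialsId: '${RELEASE_CREDS}',
            usernameVariable: 'RELEASE_USER',
            passwordVariable: 'RELEASE_PASS')]) {
        // Single-quoted shell script: the shell expands the variables, so the secret
        // never passes through Groovy string interpolation. Hypothetical endpoint.
        sh '''
            set +x
            curl -fsS -u "$RELEASE_USER:$RELEASE_PASS" -o /dev/null \
                 https://repo.example.com/service/rest/v1/status/check
        '''
    }
}
```

The first run only registers the parameter; subsequent runs are started with "Build with Parameters", and the drop-down offers the triggering user's own credentials alongside the shared ones. The description's GPG signing and Nexus / Artifactory release case fits this shape because the release is started by the individual whose credential is to be used.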