-
Improvement
-
Resolution: Fixed
-
Major
-
None
-
-
credentials 2.5, ssh-credentials 1.19, credentials-binding 1.25
Is there a way to disable or configure the password masking feature? This is causing a number of issues for us, as it seems that not only are passwords masked, but usernames as well. This causes commonly used words (such as "jenkins", "android", "artifactory", "admin", etc.) to appear as **** in our console output, as we have credentials with usernames like that. This causes a number of problems with our auditability.
If there currently isn't a way, would it be possible to implement the ability to turn this on/off?
- is blocking
-
JENKINS-64631 String interpolation warning too broad; should apply to only passwords not usernames as well.
-
- Resolved
-
-
-
- Resolved
-
- is duplicated by
-
-
- Closed
-
- links to
[JENKINS-44860] Disable masking of usernames
Tyler MacPherson
created issue -
| Labels | Original: plugin |
| Summary | Original: Disable Password Masking | New: Disable masking of usernames |
| Remote Link | New: This issue links to "PR 44 (Web Link)" [ 19758 ] |
| Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
| Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
We came across this issue last week as well and, having discovered this issue, are contemplating contributing a fix.
Just to be clear, we'd like to:
- use the username/password credentials type
- use the following pipeline script to provide username and password as environment variables to the pipeline script closure and e.g. any shell commands within it:
withCredentials([usernamePassword(credentialsId: 'MY_CRED_ID', usernameVariable: 'USER_ENV_VAR', passwordVariable: 'PASSWORD_ENV_VAR')]) { ... }
- have any instances of whatever the password is be masked in console output
- NOT have any instances of whatever the username is masked in console output.
This would then correlate correctly with the view on the jenkinsUrl/credentials page, which shows user-name/****** (description) in the Name column for credentials of this type.
jglick we already found the UsernamePasswordMultiBinding class; but it looks to us (perhaps naively?) that the return value of the `bind()` method is used in BindingStep.Execution.start() both for actually providing the environment variables (through the use of EnvironmentExpander) and for obfuscating the secrets into **** (through the use of Filter). So it's not clear to me how the patch you're suggesting would allow us to still provide the username from a Credential without it being obfuscated. Have I misunderstood your comment? Many thanks.
I made a new PR for this in July, but seems I didn't get it linked up here correctly. https://github.com/jenkinsci/credentials-binding-plugin/pull/50
Fixing this would be wonderful. Console logs with every occurrence of `jenkins`, `release`, `artifactory`, `git` and `user` etc being masked out can make debugging really quite tedious!
UsernamePasswordMultiBinding could be patched to to treat usernameVariable as optional (move it to a @DataBoundSetter, document that it may be left blank).