• Type: New Feature
• Resolution: Unresolved
• Priority: Minor
• Component/s: credentials-plugin
• Labels:

  None

1. 

   screenshot-job-restrictions-plugin-config.png

   164 kB

   2018-09-27 01:30

[JENKINS-53806] Class-based DomainSpecification filter for more flexibility of restricting credentials

Sam Gleske created issue - 2018-09-27 01:30

Sam Gleske made changes - 2018-09-27 01:30

Attachment

New: screenshot-job-restrictions-plugin-config.png [ 44608 ]

Sam Gleske made changes - 2018-09-27 01:30

Description

Original: h2. User Story As an admin of Jenkins, I would like the flexibility to restrict how credentials are accessed based on the class type of the caller requesting the credential so that I can flexibly restrict credentials without the need to add new scopes. h2. Acceptance Criteria * Verify that arbitrary classes can be selected for restricting. (e.g. hudson.model.Item) h2. Additional Information This will likely require at least 3 new classes (I'm not completely sure): * {{ClassnameSpecification}} extending from [DomainSpecification.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainSpecification.java] * {{ClassnameRequirement}} extending from [DomainRequirement.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainRequirement.java] * Perhaps a {{ClassnameMatcher}} which implements [CredentialsMatcher.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsMatcher.java] (I'm really not sure about this) I would like the configuration of the DomainSpecification to be similar to how the job restrictions plugin allows configuration of restricting by class.

New: h2. User Story As an admin of Jenkins, I would like the flexibility to restrict how credentials are accessed based on the class type of the caller requesting the credential so that I can flexibly restrict credentials without the need to add new scopes. h2. Acceptance Criteria * Verify that arbitrary classes can be selected for restricting. (e.g. hudson.model.Item) h2. Additional Information This will likely require at least 3 new classes (I'm not completely sure): * {{ClassnameSpecification}} extending from [DomainSpecification.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainSpecification.java] * {{ClassnameRequirement}} extending from [DomainRequirement.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainRequirement.java] * Perhaps a {{ClassnameMatcher}} which implements [CredentialsMatcher.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsMatcher.java] (I'm really not sure about this) I would like the configuration of the DomainSpecification to be similar to how the job restrictions plugin allows configuration of restricting by class. See the following screenshot:

Sam Gleske made changes - 2018-09-27 01:31

Description

Original: h2. User Story As an admin of Jenkins, I would like the flexibility to restrict how credentials are accessed based on the class type of the caller requesting the credential so that I can flexibly restrict credentials without the need to add new scopes. h2. Acceptance Criteria * Verify that arbitrary classes can be selected for restricting. (e.g. hudson.model.Item) h2. Additional Information This will likely require at least 3 new classes (I'm not completely sure): * {{ClassnameSpecification}} extending from [DomainSpecification.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainSpecification.java] * {{ClassnameRequirement}} extending from [DomainRequirement.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainRequirement.java] * Perhaps a {{ClassnameMatcher}} which implements [CredentialsMatcher.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsMatcher.java] (I'm really not sure about this) I would like the configuration of the DomainSpecification to be similar to how the job restrictions plugin allows configuration of restricting by class. See the following screenshot:

New: h2. User Story As an admin of Jenkins, I would like the flexibility to restrict how credentials are accessed based on the class type of the caller requesting the credential so that I can flexibly restrict credentials without the need to add new scopes. h2. Acceptance Criteria * Verify that arbitrary classes can be selected for restricting. (e.g. hudson.model.Item) h2. Additional Information This will likely require at least 3 new classes (I'm not completely sure): * {{ClassnameSpecification}} extending from [DomainSpecification.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainSpecification.java] * {{ClassnameRequirement}} extending from [DomainRequirement.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/domains/DomainRequirement.java] * Perhaps a {{ClassnameMatcher}} which implements [CredentialsMatcher.java|https://github.com/jenkinsci/credentials-plugin/blob/master/src/main/java/com/cloudbees/plugins/credentials/CredentialsMatcher.java] (I'm really not sure about this) I would like the configuration of the DomainSpecification to be similar to how the job restrictions plugin allows configuration of restricting by class. See the following screenshot:  !screenshot-job-restrictions-plugin-config.png|thumbnail!

Sam Gleske made changes - 2018-09-27 01:31

Link

New: This issue is related to SECURITY-1175 [ SECURITY-1175 ]

Collapse comment: Stephen Connolly added a comment - 2018-10-31 09:59

Stephen Connolly added a comment - 2018-10-31 09:59

Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

Expand comment: Stephen Connolly added a comment - 2018-10-31 09:59

Stephen Connolly added a comment - 2018-10-31 09:59 Removing myself as assignee. My current work assignments do not provide sufficient bandwidth to review these issues and in the majority of cases I am only assigned by virtue of being the default assignee. For the credentials-api and scm-api related plugins I have permission to allocate time reviewing changes to these APIs themselves to ensure these APIs remain cohesive, but that can be handled through PR reviews rather than assigning issues in JIRA

Stephen Connolly made changes - 2018-10-31 09:59

Assignee

Original: Stephen Connolly [ stephenconnolly ]