[JENKINS-59327] Allow a downstream job to use credentials from an upstream job

    • New Feature
    • Resolution: Unresolved
    • Major
    • git-plugin
    • None

      Hi Team,

      When I am creating a Multibranch Pipeline job which executes another pipeline job as a branch, apparently it's not reading git credentials in the branch.
      So in a branch which is a pipeline script, I have this stage:

          stage('git checkout') {
              steps {
                  git credentialsId: 'My credentials', poll: false, url: 'mygit.git'
              }
          }

      But it's failing on a Windows machine with the following error. When I create just a simple pipeline job with the same stage, it works as it should.
      From a test which I did: when I specified credentials in the multibranch job which is managing my script in the branch, it works.
      So apparently git credentials from the stage are ignored.

      Steps to Reproduce:
      1. Create Multibranch Job without specified git credentials with script-path where is a script.
      2. In a script create step with git checkout and specified credentials
      3. Run the branch script and it should fail.
      4. Add in Multibranch configuration credentials and run branch script it should work.

      No credentials specified
      No credentials specified
      Wiping out workspace first.
      Cloning the remote Git repository
      Cloning with configured refspecs honoured and without tags
      ERROR: Error cloning remote repo 'origin'
      hudson.plugins.git.GitException: Command "C:\Program Files\Git\cmd\git.exe fetch --no-tags --force --progress MyRepo.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
      stdout: 
      stderr: mygitserver: Permission denied (publickey).
      fatal: Could not read from remote repository.

      Please make sure you have the correct access rights
      and the repository exists.
       at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2042) 
       at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1761)
       at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:72)
       at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:442)
       at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:655)
       at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
       at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
       at hudson.remoting.UserRequest.perform(UserRequest.java:212)
       at hudson.remoting.UserRequest.perform(UserRequest.java:54)
       at hudson.remoting.Request$2.run(Request.java:369)
       at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
       at java.util.concurrent.FutureTask.run(Unknown Source)
       at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
       at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
       at java.lang.Thread.run(Unknown Source)
       Suppressed: hudson.remoting.Channel$CallSiteStackTrace: Remote call to JNLP4-connect connection from mymachine
         at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1743)
         at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:357)
         at hudson.remoting.Channel.call(Channel.java:957)
         at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
         at sun.reflect.GeneratedMethodAccessor391.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:498)
         at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
         at com.sun.proxy.$Proxy83.execute(Unknown Source)
         at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1152)
         at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1192)
         at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:124)
         at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93)
         at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80)
         at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:748)
      


          Mark Waite added a comment -

          I'm not sure I understand the steps you took to see the problem. Many users are using credentials to checkout multibranch pipeline repositories and operate with them regularly.

          You said in the first step:

          1 - Create Multibranch Job without specified git credentials with script-path where is a script.

          If I take that statement literally, meaning that you defined a multibranch job accessing a private repository without providing git credentials, then I would expect that to fail. The multibranch pipeline definition must have credentials in order to discover the branches in the repository and the Jenkinsfile in the root directory of each branch. If credentials are not provided, then the branches cannot be detected and the Jenkinsfile cannot be read from the root directory of the branch.

          If that is not what you did, please describe the configuration in more detail. I test very frequently with private multibranch repositories from different hosting providers and using different forms and they work as expected.


          Matt White added a comment -

          Sorry, I used a shortcut when I was describing the issue.

          The multibranch job is defined as a yml file which is picked up as another job with a defined git user. In that yml file, I have "script-path", where there is a path to my Jenkinsfile with the pipeline script, and the scm where the script is stored. Here there is no problem.

          Everything is loaded into Jenkins so I can see my job in the GUI, e.g.

          The problem is when a script from a branch (so from the Jenkins file), here named "master", tries to execute a step where I am checking out info from git with all necessary credentials in the script on a Windows machine. It's failing with the error described in the issue. With Linux it's passing without a problem (it's a parallel job for Windows and Linux), and there is also no problem if the pipeline job is running as a separate job. If I want to avoid the failure with git credentials, I have to specify credentials in the multibranch configuration.

          Which is pointless because I specified credentials in the Jenkins file (branch script named master on the previous script) and it should use that one from the "nested" job. I don't know why, but for Linux it's working out of the box and Windows is failing. If I am running this script as a separate pipeline job (New Item -> Pipeline), it's working and reads credentials correctly ( steps { //git credentialsId: etc } ).

          This is the issue.

           


          Mark Waite added a comment - - edited

          You said:

          If I want to avoid failure with git credentials I have to specify credentials in multibranch configuration.

          That is correct. A multibranch job must be able to discover the branches which contain a Jenkinsfile. If the repository is secured (private), then the multibranch job must know the credentials to read that repository. Without the credentials, the multibranch job cannot discover branches in a secured (private) repository.

          Later you said:

          Which is pointless because I specified credentials in the Jenkins file (branch script named master on the previous script) and it should use that one from "nested" job.

          If the multibranch Pipeline does not have the credentials, it cannot read the Jenkinsfile.

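An added example (not from the issue or the Jenkins project) of a Jenkinsfile for the arrangement Mark Waite describes: the multibranch job holds the credentials used for branch discovery, and the branch script reuses them through `checkout scm`, keeping an explicit `credentialsId` only for a second repository. The credential ID `tools-repo-ssh-key`, the repository URL and the agent labels are placeholders.

```groovy
// Jenkinsfile at the path given by the multibranch job's "script-path".
// Constructed example: 'tools-repo-ssh-key', the repository URL and the
// agent labels are placeholders, not values from the issue.
pipeline {
    agent none
    options {
        // Skip the implicit checkout so each stage controls its own checkout.
        skipDefaultCheckout()
    }
    stages {
        stage('checkout') {
            parallel {
                stage('linux') {
                    agent { label 'linux' }
                    steps {
                        // 'scm' is the branch source defined on the multibranch
                        // job, including the credentials configured there.
                        checkout scm
                    }
                }
                stage('windows') {
                    agent { label 'windows' }
                    steps {
                        checkout scm
                        // A second repository needs its own credentials; the ID
                        // must resolve from the job's folder or the global store.
                        dir('tools') {
                            git credentialsId: 'tools-repo-ssh-key',
                                poll: false,
                                url: 'git@example.com:org/tools.git'
                        }
                    }
                }
            }
        }
    }
}
```

Scoping the branch-source credential to read-only access on the one repository keeps the discovery credential from granting more than the scan needs.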

            Unassigned Unassigned
            somedude Matt White