
Improve UX for selecting user-scoped credentials

      Hi there, since JENKINS-58170 there's a new checkbox - "List user credentials" in the credentials parameter, that's by default unchecked. When checked, the user-scoped secrets can be selected from the drop-down.

      This changed the previous behavior which had no checkbox and the drop-down contained the user-scoped creds by default.

      Although I think I understand the reasoning behind why it was added, I don't think all users need to explicitly consent twice that they want to select a user-scoped credential.

      My whole team uses these parameters as a workaround to JENKINS-44772 several times a day and we all would be thrilled for a fix. As I know there's quite some hesitance to fix it at all, we'll be grateful for at least some old-days compatible UX:

      • One approach could be to add a config option for the default state of the user-scoped checkbox in the configuration/pipeline script (along these lines).
      • Another option could be to allow selecting user-scoped credentials by default as before, but display the warning when a user-scoped credential gets selected.

      Both options are IMHO quite easy to implement and they would give users more control while retaining the new safety measures where desired.

          [JENKINS-59482] Improve UX for selecting user-scoped credentials

          Vít Zikmund added a comment - - edited

          FYI:
          jvz, as author of the latest change you might want to put in your 2¢.

          stephenconnolly (I know you’re very busy) since you have a vision for how user credentials work you may be interested too.

          Apologies for not explaining why I was tagging you originally in this comment.

          Matt Sicker added a comment -

          You can add an includeUser=true parameter in the URL to auto-fill it. It's been a while since I worked on this (I'm looking through some old issues that I've missed somehow), but from what I remember, the idea behind the checkbox is to get positive consent from the user since they may be invoking pipelines that they haven't written or verified. It'd be interesting if there were some way to configure trustability there, but I'm unsure what that might look like.

          Are you using the authorize project plugin? That's one of the main ways to even use user-scoped credentials in builds that aren't manually invoked.

          Vít Zikmund added a comment - - edited

          Hello jvz, thanks for the answer (and sorry for a late response).

          I'm not "very" experienced with Jenkins innards, however, there surely could be a per-user setting that could whitelist certain jobs if the user so wishes. (and then a "remember my decision" tickbox in the parameter itself that would automatically add that job to the whitelist).

          Just a thought. I understand all this is based on best effort.
          Thank you.
          Vit

          Matt Sicker added a comment -

          That sort of feature generally exists with the authorize-project plugin plus enabling the UseOwn permission on those jobs for the specific user. Take a look at the credentials plugin optionally-enabled permissions here: https://github.com/jenkinsci/credentials-plugin/blob/master/docs/fflags.adoc

            Unassigned Unassigned
            vit_zikmund Vít Zikmund
            Votes: 3
            Watchers: 3