• Icon: New Feature New Feature
    • Resolution: Unresolved
    • Icon: Minor Minor
    • credentials-plugin
    • None

      Once a credential is no longer needed, we want to delete it from the credential store in order to keep it clean. However, the risk here is that if the credential is still used somewhere, the job will start failing, and unless the credential was manually stored elsewhere, it cannot be recovered. It would be handy if we could simply disable the credential without actually deleting it. Then, after running the relevant jobs again, we could confirm the credential truly was not used, and then safely delete it.

          [JENKINS-62494] Allow disabling credential

          Matt Sicker added a comment -

          So would you expect that a job that tries to look up a disabled credential to still fail?

          Matt Sicker added a comment - So would you expect that a job that tries to look up a disabled credential to still fail?

          Jesse Rittner added a comment -

          I expect that it would work as if that credential didn't exist. So in the case of folder-scoped credentials, it would keep searching up the folder hierarchy. If no such credential is found, then it should fail in the same way that attempting to use any non-existent credential would fail.

          Jesse Rittner added a comment - I expect that it would work as if that credential didn't exist. So in the case of folder-scoped credentials, it would keep searching up the folder hierarchy. If no such credential is found, then it should fail in the same way that attempting to use any non-existent credential would fail.

          Matt Sicker added a comment -

          I suppose that makes sense. The closest behavior that exists to match that might be, say, your job references a credential id that only exists in your user credentials or inside a folder that isn't an ancestor of the job; then the credential lookup will end up attempting global credentials before eventually finding that no credentials with that id exists. Since ids are supposed to be unique, this feature idea sounds like it would work out fine with how credentials work today. It might be a little tricky depending on existing behavior, though, as this plugin is fairly old.

          Do you think this option would make sense on a per-credential basis then? I think credentials stores themselves can already be disabled, though I could be wrong (there's the includes/excludes configuration settings, but they're a bit more generic than what you're requesting).

          Matt Sicker added a comment - I suppose that makes sense. The closest behavior that exists to match that might be, say, your job references a credential id that only exists in your user credentials or inside a folder that isn't an ancestor of the job; then the credential lookup will end up attempting global credentials before eventually finding that no credentials with that id exists. Since ids are supposed to be unique, this feature idea sounds like it would work out fine with how credentials work today. It might be a little tricky depending on existing behavior, though, as this plugin is fairly old. Do you think this option would make sense on a per-credential basis then? I think credentials stores themselves can already be disabled, though I could be wrong (there's the includes/excludes configuration settings, but they're a bit more generic than what you're requesting).

            Unassigned Unassigned
            rittneje Jesse Rittner
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: