[JENKINS-63390] Personal access token should be optional in instance configuration

      It is impossible to configure a Bitbucket Server instance without supplying a personal access token with admin rights. The token is used only for automatic webhook configuration.

      It should be possible to configure to skip webhook configuration here and let it be overridden during project creation and have users supply a credential to use for it.

      In large organisations it's rarely the case that a single user has admin access to all repositories.


          Martin Henschke added a comment -

          Hi Bas, thanks for the suggestion.

          There are a few approaches we can take here. The ideal fix for this in the future is introducing proper two-way applinking between Jenkins and Bitbucket, which will remove the need for personal access tokens entirely, but this is a large feature we don't anticipate shipping soon.
          A workaround for this is to add multiple Bitbucket Server configurations to your global config. Each configuration can point to the same instance, but you can use personal access tokens with, for example, project admin privileges provided that instance is only used to build jobs on that particular project. This would also work with a repo admin token, but it would only work for that repo, so if you can manage with project admin, that would be the better way to go.

          I will leave this ticket open for now. If we commit to a two-way applink in the future, I'll close this as a duplicate; otherwise I will leave this as a feature suggestion to appraise later. Thanks again.

          Bas Passon added a comment -

          Hey Martin,

          Why not follow the strategy of the community Bitbucket Branch Source plugin, which lets you skip webhook creation? That way you can define a Bitbucket Server instance without having to supply admin API credentials.

          On a job level you have to supply API credentials for the repository used to discover branches and PRs. Optionally you can have it create a webhook but you then need to supply API credentials with admin rights to that specific repository.

          This gives users exceptional flexibility on how to use the Bitbucket Jenkins integration and removes the necessity for a global admin credential. It would be great if you can support this through the official Atlassian Bitbucket integration.


          Anders Hammar added a comment -

          I would expect any larger organisation not to allow system accounts (which are needed for this personal access token) with such high admin privs. Requiring this should make this plugin useless unless a small shop.
          The suggested solution with multiple Bitbucket Server configs won't work either for pretty much the same security reasons. It will also be a nightmare to administrate.
          This automatic webhook feature should be optional as already suggested by Bas. (Or implemented as a two-way applink.)


            Assignee: Unassigned
            Reporter: Bas Passon
            Votes: 7
            Watchers: 9