JENKINS-65059

GitLab plugin uses common user (API token) for all jobs


Details

    Description

      In the current setup, gitlab-branch-source uses one common user (GitLab API token) and one shared GitLab Webhook token per GitLab instance. This opens up each installation to security threats, especially in multi-tenant setups. Potentially unrelated users are able to schedule all jobs via the REST API (the Webhook token is known since it's stored in plain text in GitLab), not only those related to their project. Additionally, when the GitLab service user credentials are compromised, it affects all projects in the instance using the gitlab-branch-source plugin.

      To increase security, the service user (GitLab API token) and the Webhook token should be provided per Jenkins Organization Folder (per Jenkins job for a group), not globally in the Jenkins settings.
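      As an added illustration, not code from the plugin or from the reporter, the two trust models the description contrasts, written as a minimal webhook authorizer: one instance-wide Webhook token versus one token per organization folder. Folder names, job names and token values are constructed sample data; the only real detail assumed is that GitLab sends the configured secret token in the X-Gitlab-Token request header.

```python
import hmac

# Constructed sample data: two tenants' organization folders and the jobs under them.
FOLDERS = {
    "team-a": ["team-a/app/main", "team-a/app/PR-12"],
    "team-b": ["team-b/billing/main"],
}

# Shared-secret model (what the issue describes): a single Webhook token for the
# whole GitLab instance. Every project it was pasted into can read it back.
SHARED_TOKEN = "shared-secret-for-whole-instance"  # constructed value

# Per-folder model (what the issue asks for): each organization folder owns a token.
FOLDER_TOKENS = {
    "team-a": "token-only-team-a-knows",  # constructed value
    "team-b": "token-only-team-b-knows",  # constructed value
}


def folder_of(job: str) -> str:
    """Organization folder is the first path segment of the Jenkins job name."""
    return job.split("/", 1)[0]


def trigger_shared(headers: dict, job: str) -> bool:
    """Vulnerable model: whoever holds the instance-wide token may schedule any job."""
    presented = headers.get("X-Gitlab-Token", "")
    # Constant-time comparison so the check itself does not leak the token.
    return hmac.compare_digest(presented, SHARED_TOKEN)


def trigger_per_folder(headers: dict, job: str) -> bool:
    """Hardened model: the presented token must be the one owned by the job's folder."""
    presented = headers.get("X-Gitlab-Token", "")
    expected = FOLDER_TOKENS.get(folder_of(job))
    if expected is None:
        # Unknown folder: refuse rather than fall back to a global secret.
        return False
    return hmac.compare_digest(presented, expected)


def cross_tenant_demo() -> dict:
    """A team-a project (which can read its own hook's token) tries to schedule
    team-b's job under both models. Returns the outcome of each attempt."""
    team_a_hook = {"X-Gitlab-Token": FOLDER_TOKENS["team-a"]}
    shared_hook = {"X-Gitlab-Token": SHARED_TOKEN}
    victim = FOLDERS["team-b"][0]
    own_job = FOLDERS["team-a"][0]
    return {
        # Shared model: the one token every tenant knows unlocks every job.
        "shared_cross_tenant": trigger_shared(shared_hook, victim),
        # Per-folder model: team-a's token is worthless against team-b's folder.
        "per_folder_cross_tenant": trigger_per_folder(team_a_hook, victim),
        # Per-folder model still lets team-a drive its own jobs.
        "per_folder_own_job": trigger_per_folder(team_a_hook, own_job),
        # A job outside any configured folder is never triggered.
        "per_folder_unknown_folder": trigger_per_folder(team_a_hook, "nobody/x/main"),
    }


if __name__ == "__main__":
    for name, allowed in cross_tenant_demo().items():
        print(f"{name}: {'scheduled' if allowed else 'rejected'}")
```

      The per-folder variant is the property the request asks for: compromise of one folder's Webhook token (or one tenant reading it from its GitLab project settings) only exposes that folder's jobs, and a job with no configured folder token is rejected instead of silently accepting a global one.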


        Activity

          wolniewicz Maciej Wolniewicz added a comment - Hi, any estimates how long it takes to handle this issue?
          didier_c Didier Crest added a comment -

          Hi, I pretty much agree with the description.

          At least, it would be nice to save the token at system level instead of global.

          Because all users can get the credentials in their Jenkinsfile. If it's system, only an admin can get the credentials and the plugin.

          People

            baymac Parichay Barpanda
            szubersk Damian Szuberski
            Votes: 3
            Watchers: 6