JENKINS-65059: GitLab plugin uses common user (API token) for all jobs


Description

In the current setup, gitlab-branch-source uses one common user (GitLab API token) and one shared GitLab Webhook token per GitLab instance. This opens up each installation to security threats, especially with multi-tenant setups. Potentially unrelated users are able to schedule all jobs via the REST API (the Webhook token is known since it's stored in plain text in GitLab), not only those related to their project. Additionally, when the GitLab service user credentials are compromised, this affects all projects in the instance using the gitlab-branch-source plugin.

To increase security, the service user (GitLab API token) and Webhook token should be provided per Jenkins Organization Folder (per Jenkins job for a group), not globally in the Jenkins settings.
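As an added illustration (this is not the plugin's code and not part of the reporter's text), a small Python model of the two webhook-token layouts the description contrasts: one secret shared by the whole GitLab instance, versus one secret per Jenkins Organization Folder that only authorizes jobs under that folder. The folder names, job names, secrets and the request shape are constructed assumptions; the only real detail is that GitLab sends the configured webhook secret in the X-Gitlab-Token header. The same scoping argument applies to the GitLab API token: a per-folder credential limits the blast radius of a compromise to that folder's group.

```python
import hmac

# Constructed sample (not real Jenkins data): two organization folders on one
# Jenkins controller, each indexing one GitLab group, with the jobs under each.
JOBS = {
    "team-a": {"team-a/app", "team-a/lib"},
    "team-b": {"team-b/service"},
}


def token_matches(expected, presented):
    """Constant-time comparison of the webhook secret; a missing header or an
    unconfigured secret is a mismatch, never a pass."""
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


class SharedTokenDispatcher:
    """Model of the layout the issue describes: one webhook secret for the whole
    GitLab instance. Anyone who can read that secret in GitLab can trigger any job."""

    def __init__(self, shared_token):
        self.shared_token = shared_token

    def handle(self, headers, folder, job):
        # GitLab sends the configured secret in the X-Gitlab-Token header.
        if not token_matches(self.shared_token, headers.get("X-Gitlab-Token")):
            return 403, "webhook token rejected"
        if job not in JOBS.get(folder, ()):
            return 404, "no such job"
        return 200, "scheduled " + job


class PerFolderTokenDispatcher:
    """Model of the proposed fix: each organization folder has its own webhook
    secret, and a presented secret only authorizes jobs under its own folder."""

    def __init__(self, folder_tokens):
        self.folder_tokens = folder_tokens  # hypothetical folder -> secret map

    def handle(self, headers, folder, job):
        expected = self.folder_tokens.get(folder)
        if not token_matches(expected, headers.get("X-Gitlab-Token")):
            return 403, "webhook token rejected for folder " + folder
        if job not in JOBS.get(folder, ()):
            return 404, "no such job"
        return 200, "scheduled " + job


def cross_tenant_trigger(dispatcher, attacker_token):
    """A team-a user, who can read the secret configured on their own GitLab
    project's webhook, replays it against a team-b job. Returns the HTTP status."""
    status, _ = dispatcher.handle(
        {"X-Gitlab-Token": attacker_token}, "team-b", "team-b/service"
    )
    return status


# Constructed secrets; in a real deployment these live in the Jenkins credentials store.
SHARED_SECRET = "shared-instance-secret"
FOLDER_SECRETS = {"team-a": "team-a-secret", "team-b": "team-b-secret"}

shared = SharedTokenDispatcher(SHARED_SECRET)
scoped = PerFolderTokenDispatcher(FOLDER_SECRETS)


if __name__ == "__main__":
    # Shared layout: team-a's copy of the instance-wide secret schedules team-b's job.
    print("shared:", cross_tenant_trigger(shared, SHARED_SECRET))  # 200
    # Per-folder layout: team-a's secret is not valid for team-b's folder.
    print("scoped:", cross_tenant_trigger(scoped, FOLDER_SECRETS["team-a"]))  # 403
    # A legitimate team-b hook still works under the scoped layout.
    print("team-b:", scoped.handle(
        {"X-Gitlab-Token": FOLDER_SECRETS["team-b"]}, "team-b", "team-b/service"
    ))
```

The point of the model is the lookup order in PerFolderTokenDispatcher.handle: the folder named in the request selects which secret is compared, so a secret leaked from one tenant's GitLab project cannot be replayed against another folder, and an absent folder secret fails closed rather than falling back to an instance-wide one.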

Activity

Maciej Wolniewicz (wolniewicz) added a comment -

Hi, any estimate of how long it will take to handle this issue?

People

Assignee: Parichay Barpanda (baymac)
Reporter: Damian Szuberski (szubersk)
Votes: 2
Watchers: 4
