JENKINS-65059

GitLab plugin uses common user (API token) for all jobs


In the current setup, gitlab-branch-source uses one common user (GitLab API token) and one shared GitLab webhook token per GitLab instance. This exposes each installation to security threats, especially in multi-tenant setups. Potentially unrelated users are able to trigger all jobs via the REST API (the webhook token is known to them, since it is stored in plain text in GitLab), not only those related to their own project. Additionally, when the GitLab service user's credentials are compromised, all projects in the instance that use the gitlab-branch-source plugin are affected.

To improve security, the service user (GitLab API token) and the webhook token should be configured per Jenkins Organization Folder (per Jenkins job for a GitLab group), not globally in the Jenkins settings.

            baymac Parichay Barpanda
            szubersk Damian Szuberski