Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-66246

Credential handling should be more fine-grained

XMLWordPrintable

      We use:

      Jenkins 2.289.2

      Micro Focus Application Automation Plugin 6.9

       

      after installing your plugin, we are faced with a big security issue.

      in order to use the plugin we are required to enter ALL the users and their password in the Jenkins Configure System screen.

       

      this causes us:

      1. the need to have jenkins administrative access server to change/add/remove users.
      2. the need to have jenkins administrative access to change a password for a user.
      3. a problem in which any user with access to the jenkins server can choose any pre-defined user to access the ALM server (since it is configured in the server level, and not in the job level) - THIS IS THE SECURITY PROBLEM....

      I would expect you to use the credentials system embedded in the jenkins server in order to be able to receive the credentials on the job/script level (like almost any other plugin).

      this way:

      1. each user can only access the credentials he is allowed.
      2. each user can add/change/remove credentials without jenkins administrative privilege but only with credential privilege.
      3. other users in the system are not exposed to credentials they are not allowed to see.

       

      I'm available to provide any needed information regarding this issue.

       

          [JENKINS-66246] Credential handling should be more fine-grained

          Amit Dar created issue -
          radislav made changes -
          Assignee Original: radislav [ radislav_berkovich ] New: Dorin Bogdan [ dbogdan7 ]
          Daniel Beck made changes -
          Summary Original: SECURITY BREACH - ability to use other user credentials New: Credential handling should be more fine-grained
          Daniel Beck made changes -
          Priority Original: Critical [ 2 ] New: Major [ 3 ]
          Daniel Beck made changes -
          Issue Type Original: Bug [ 1 ] New: New Feature [ 2 ]
          Dorin Bogdan made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Dorin Bogdan made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Progress [ 3 ] New: Fixed but Unreleased [ 10203 ]
          Hilda made changes -
          Status Original: Fixed but Unreleased [ 10203 ] New: Closed [ 6 ]
          Jenkins CERT Bot made changes -
          Labels Original: credentials hp-application-automation-tools security New: credentials hp-application-automation-tools jcabot:001 jcabot:002 security

            dbogdan7 Dorin Bogdan
            amidar Amit Dar
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: