• Type: Bug
• Resolution: Not A Defect
• Priority: Critical
• Component/s: credentials-binding-plugin, pipeline, workflow-cps-plugin
• Labels:

  • credentials-binding
  • security
• Environment:

  Hide

  Jenkins: 2.431 ( as well as 2.401.3 LTS, 2.414.1 LTS, ... )
  OS: Linux - 6.4.16-linuxkit
  Java: 17.0.8.1 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
  ---
  antisamy-markup-formatter:162.v0e6ec0fcfcf6
  apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
  bootstrap5-api:5.3.2-2
  bouncycastle-api:2.29
  branch-api:2.1135.v8de8e7899051
  build-timeout:1.31
  caffeine-api:3.1.8-133.v17b_1ff2e0599
  checks-api:2.0.2
  cloudbees-folder:6.858.v898218f3609d
  commons-lang3-api:3.13.0-62.v7d18e55f51e2
  commons-text-api:1.11.0-94.v3e1f4a_926e49
  configuration-as-code:1737.v652ee9b_a_e0d9
  copyartifact:722.v0662a_9b_e22a_c
  credentials:1309.v8835d63eb_d8a_
  credentials-binding:642.v737c34dea_6c2
  display-url-api:2.200.vb_9327d658781
  durable-task:523.va_a_22cf15d5e0
  echarts-api:5.4.0-7
  email-ext:2.102
  font-awesome-api:6.4.2-1
  git:5.2.1
  git-client:4.5.0
  instance-identity:185.v303dc7c645f9
  ionicons-api:56.v1b_1c8c49374e
  jackson2-api:2.15.3-372.v309620682326
  jakarta-activation-api:2.0.1-3
  jakarta-mail-api:2.0.1-3
  javax-activation-api:1.2.0-6
  javax-mail-api:1.6.2-9
  jaxb:2.3.9-1
  jquery3-api:3.7.1-1
  junit:1240.vf9529b_881428
  mailer:463.vedf8358e006b_
  matrix-auth:3.2.1
  matrix-project:818.v7eb_e657db_924
  mina-sshd-api-common:2.11.0-86.v836f585d47fa_
  mina-sshd-api-core:2.11.0-86.v836f585d47fa_
  pipeline-build-step:516.v8ee60a_81c5b_9
  pipeline-graph-analysis:202.va_d268e64deb_3
  pipeline-groovy-lib:689.veec561a_dee13
  pipeline-input-step:477.v339683a_8d55e
  pipeline-milestone-step:111.v449306f708b_7
  pipeline-model-api:2.2151.ve32c9d209a_3f
  pipeline-model-definition:2.2151.ve32c9d209a_3f
  pipeline-model-extensions:2.2151.ve32c9d209a_3f
  pipeline-rest-api:2.34
  pipeline-stage-step:305.ve96d0205c1c6
  pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f
  pipeline-stage-view:2.34
  plain-credentials:143.v1b_df8b_d3b_e48
  plugin-util-api:3.6.0
  prism-api:1.29.0-8
  resource-disposer:0.23
  scm-api:683.vb_16722fb_b_80b_
  script-security:1275.v23895f409fb_d
  snakeyaml-api:2.2-111.vc6598e30cc65
  ssh-credentials:308.ve4497b_ccd8f4
  ssh-slaves:2.916.vd17b_43357ce4
  structs:325.vcb_307d2a_2782
  timestamper:1.26
  token-macro:384.vf35b_f26814ec
  trilead-api:2.84.v72119de229b_7
  variant:60.v7290fc0eb_b_cd
  workflow-aggregator:596.v8c21c963d92d
  workflow-api:1283.v99c10937efcb_
  workflow-basic-steps:1042.ve7b_140c4a_e0c
  workflow-cps:3806.va_3a_6988277b_2
  workflow-durable-task-step:1289.v4d3e7b_01546b_
  workflow-job:1360.vc6700e3136f5
  workflow-multibranch:756.v891d88f2cd46
  workflow-scm-step:415.v434365564324
  workflow-step-api:639.v6eca_cd8c04a_a_
  workflow-support:865.v43e78cc44e0d
  ws-cleanup:0.45

  Show

  Jenkins: 2.431 ( as well as 2.401.3 LTS, 2.414.1 LTS, ... ) OS: Linux - 6.4.16-linuxkit Java: 17.0.8.1 - Eclipse Adoptium (OpenJDK 64-Bit Server VM) --- antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 bootstrap5-api:5.3.2-2 bouncycastle-api:2.29 branch-api:2.1135.v8de8e7899051 build-timeout:1.31 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.0.2 cloudbees-folder:6.858.v898218f3609d commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-94.v3e1f4a_926e49 configuration-as-code:1737.v652ee9b_a_e0d9 copyartifact:722.v0662a_9b_e22a_c credentials:1309.v8835d63eb_d8a_ credentials-binding:642.v737c34dea_6c2 display-url-api:2.200.vb_9327d658781 durable-task:523.va_a_22cf15d5e0 echarts-api:5.4.0-7 email-ext:2.102 font-awesome-api:6.4.2-1 git:5.2.1 git-client:4.5.0 instance-identity:185.v303dc7c645f9 ionicons-api:56.v1b_1c8c49374e jackson2-api:2.15.3-372.v309620682326 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.9-1 jquery3-api:3.7.1-1 junit:1240.vf9529b_881428 mailer:463.vedf8358e006b_ matrix-auth:3.2.1 matrix-project:818.v7eb_e657db_924 mina-sshd-api-common:2.11.0-86.v836f585d47fa_ mina-sshd-api-core:2.11.0-86.v836f585d47fa_ pipeline-build-step:516.v8ee60a_81c5b_9 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:689.veec561a_dee13 pipeline-input-step:477.v339683a_8d55e pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2151.ve32c9d209a_3f pipeline-model-definition:2.2151.ve32c9d209a_3f pipeline-model-extensions:2.2151.ve32c9d209a_3f pipeline-rest-api:2.34 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f pipeline-stage-view:2.34 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:3.6.0 prism-api:1.29.0-8 resource-disposer:0.23 scm-api:683.vb_16722fb_b_80b_ script-security:1275.v23895f409fb_d snakeyaml-api:2.2-111.vc6598e30cc65 ssh-credentials:308.ve4497b_ccd8f4 ssh-slaves:2.916.vd17b_43357ce4 structs:325.vcb_307d2a_2782 timestamper:1.26 token-macro:384.vf35b_f26814ec trilead-api:2.84.v72119de229b_7 variant:60.v7290fc0eb_b_cd workflow-aggregator:596.v8c21c963d92d workflow-api:1283.v99c10937efcb_ workflow-basic-steps:1042.ve7b_140c4a_e0c workflow-cps:3806.va_3a_6988277b_2 workflow-durable-task-step:1289.v4d3e7b_01546b_ workflow-job:1360.vc6700e3136f5 workflow-multibranch:756.v891d88f2cd46 workflow-scm-step:415.v434365564324 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:865.v43e78cc44e0d ws-cleanup:0.45

1. 

   image-2023-11-13-16-59-19-686.png

   179 kB

   2023-11-14 00:59

2. 

   Screenshot 2023-11-13 at 17.02.11.png

   1.10 MB

   2023-11-14 01:02

[JENKINS-72320] withCredential in Snippet Generator disrespect global credential settings

Collapse comment: Daniel Beck added a comment - 2023-11-14 08:17

Daniel Beck added a comment - 2023-11-14 08:17

Could you clarify what behavior you expected to see?

Users do not need Credentials/View permission to be offered a list of credentials for (job) configuration. Having Job/Configure here is enough.

Expand comment: Daniel Beck added a comment - 2023-11-14 08:17

Daniel Beck added a comment - 2023-11-14 08:17 Could you clarify what behavior you expected to see? Users do not need Credentials/View permission to be offered a list of credentials for (job) configuration. Having Job/Configure here is enough.

Collapse comment: Marslo Jiao added a comment - 2023-11-14 22:32

Marslo Jiao added a comment - 2023-11-14 22:32

Hmmm, right, currently Job/Configuration permission can list 'all' available credentials ( since Jenkins 1.0 by using freestyle jobs ).

 

So, is there any solution to help "keep credential in permission" ? means some of credential can share with Job/Configuration, but some only available for Jenkins admin.

Expand comment: Marslo Jiao added a comment - 2023-11-14 22:32

Marslo Jiao added a comment - 2023-11-14 22:32 Hmmm, right, currently Job/Configuration permission can list 'all' available credentials ( since Jenkins 1.0 by using freestyle jobs ).   So, is there any solution to help "keep credential in permission" ? means some of credential can share with Job/Configuration, but some only available for Jenkins admin.

Collapse comment: Daniel Beck added a comment - 2023-11-15 00:54

Daniel Beck added a comment - 2023-11-15 00:54

• Set the Scope of the credential to System (instead of Global) to make the credentials only available to system level configuration (e.g. to connect agents).
• Define the credentials on a folder than no non-admin user has access to and put the jobs using them in there.

Anyway, closing, as there doesn't seem to be a bug here.

Expand comment: Daniel Beck added a comment - 2023-11-15 00:54

Daniel Beck added a comment - 2023-11-15 00:54 Set the Scope of the credential to System (instead of Global) to make the credentials only available to system level configuration (e.g. to connect agents). Define the credentials on a folder than no non-admin user has access to and put the jobs using them in there. Anyway, closing, as there doesn't seem to be a bug here.

Collapse comment: Marslo Jiao added a comment - 2023-11-16 22:59

Marslo Jiao added a comment - 2023-11-16 22:59

Thanks danielbeck ,

 

so my case is, some of git ssh credential  ( accounts can push directly ), I'd like it only allow to using for Jenkins Admin, and some of git ssh credential ( accounts can only clone ) allows using for non-admin users in Jenkins pipelines.

any advise on this ?

 

marslo

Expand comment: Marslo Jiao added a comment - 2023-11-16 22:59

Marslo Jiao added a comment - 2023-11-16 22:59 Thanks danielbeck ,   so my case is, some of git ssh credential  ( accounts can push directly ), I'd like it only allow to using for Jenkins Admin, and some of git ssh credential ( accounts can only clone ) allows using for non-admin users in Jenkins pipelines. any advise on this ?   marslo

Collapse comment: Daniel Beck added a comment - 2023-11-27 12:09

Daniel Beck added a comment - 2023-11-27 12:09

Not currently a supported use case.

Expand comment: Daniel Beck added a comment - 2023-11-27 12:09

Daniel Beck added a comment - 2023-11-27 12:09 Not currently a supported use case.