I am seeing the following issues
While secrets/passwords are redacted in jenkins console log, redirecting output to a file prints teh secrets / passwords in plain text even with mask passwords plugin enabled
Steps to reproduce:
Create new freestyle job and do teh following steps
Select 'Inject passwords to the build as environment variables'
Select 'Global passwords'
Select 'Mask password parameters';
Add BuildStep 'Execute Shell';
In the shell enter
env 2>&1 | tee "log.log"
Save the config
Build
Workspace
List item
open log.log and you will see the passwords printed in plain text
Is there any way to hide passwords / secrets from redirected output?
Unfortunately no. Once you redirect output to a file it's no longer managed by Jenkins and you have provide your own secret obfuscation.
Related
I am working on jenkins, which has dropdownlist/select list load with set MQ broker details. Each broker have different passwords stored in AWS secrets manger. I have written shell script to fetch password AWS secrets manager, i can able to get the password in execute shell build step.
I tried using mask passwords plugin-> mask passwords and regex, i am using same variable(BR_PASSWORD) defined in mask password option, even in shell script also.
What i provided default value with variables defined in global or password parameter , for default value.
All these options masking defined in default password in console output. But values which are coming trough shell script dynamically is not masking in console out put.
please add an example of your code.
And use groove string 'command ' for mask passwords
sh '$password'
Jenkins ver. 2.73.3
I have a sample build task that is triggered by a commit to a Github repository. This is how the build information looks:
We need to write this username to a separate file and store it in a particular location. How can I achieve it?
**********Edit-1**********
Added a build step that executes a shell command to write the variable GIT_COMMITTER_NAME to a file. This fails(empty file) but if I write, say JENKINS_URL, it is written to the file:
I guess the github plugin doesn't set, by default, the variables like GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL etc.
Taking a cue from this answer, I proceeded with using the placeholders of the 'pretty option' of git show command. I added the following command in the 'Execute Shell' build step of Jenkins job:
git show -s --pretty='GIT_AUTHOR_NAME='%aN%n'GIT_AUTHOR_EMAIL='%aE%n'GIT_COMMITTER_NAME='%cN%n'GIT_COMMITTER_EMAIL='%cE >> github.properties
The output:
GIT_AUTHOR_NAME=LastName FirstName
GIT_AUTHOR_EMAIL=FirstName.LastName#company.com
GIT_COMMITTER_NAME=GitHub Enterprise
GIT_COMMITTER_EMAIL=noreply#github.company.com
Instead of echo $variable name execute env in shell, it will give you all environment variables at the time of execution and then you can pick the correct variable. (From Gitlab to Jenkins its $gitlabUserName)
I have a job to be triggered by developers where they have to put their AD's before triggering build. But thoes passwords are displayed on console output. I have tried mask passwords plugin. But the problem is I cannot store all developers AD's in job configuration.
Please suggest me any solution.
Please find below my findings with solution [without using Mask Passwords plugin]:
Brief Description about my jenkins job:
I wrote a job which downloads the artifacts from Nexus based on the parameters given at run-time and then makes a Database SQL connection and deploy the SQL scripts using maven flyway plugin. My job takes - Environment, Database Schema, Artifact version number, Flyway command, Database User and it's password as input parameters.
Brief Background about problem:
While passing the PASSWORD as MAVEN GOAL (Parameter), it was coming in Jenkins Console as a plain text.
Although I was using "Password Parameter" to pass the password at run-time but then also it was coming as plain text in console.
I tried to use the "secret text" to encrypt the password but then my job started failing because the encrypted password was getting passed to Maven Goals, which was not able to connect to DB.
Solution:
I used "Inject passwords to the build as environment variables" from Build Environment and defined its value as my "password parameter" (my password parameter name was db_password) which I am passing as parameter at run-time (eg.: I defined my inject password value as : ${db_password} ).
And this is working as expected. The password which I am passing while running my job is coming as [*******]
[console log:
Executing Maven: -B -f /work/jenkins_data/workspace/S2/database-deployment-via-flyway-EDOS/pom.xml clean compile -Ddb=UAT_cms_core -DdatabaseSchema=cms-core -Dmode=info -DdeploymentVersion=1.2.9 -Ddb_user=DB_USER -Ddb_password=[*******]
]
Regards,
Rohit Rajpoot
Here's an answer I just came across in the Jenkins documentation:
Normally you will start your script with
set +x
so that commands you run are not echoed to the log, in case you
mention the values of secrets in those commands.
Is there a way with the Jenkins Workflow 'sh' step to hide or mask whats being executed from the builds console output?
I'm currently using it to execute a command that contains a password and this is being exposed in plain text in the build output.
Install the Credentials Binding plugin and use the withCredentials step to obtain your password from a secure source. It will be automatically suppressed from any build output within that block.
You should take a look at this plugin
This will allow you to mask the password variable in the job & its output.
I wanted to have 2-factor authentication in Jenkins for all the users (even super admin) and wanted to know, if it's possible and if it is, what is the possible way or do we need a plugin for it.
Plus can we have authorization for scheduling the deployment in Jenkins and if it's possible, how can we do it.
Jenkins authorization is explained in detail here:
https://wiki.jenkins-ci.org/display/JENKINS/Standard+Security+Setup
The "Authorize Project plugin" is not for what you are asking.
You will not be prompted for password everytime you start a job. Instead, you should configure individual jobs to give access to individual people. Jenkins allows that granularity.
If you really want to prompt for password at every job execution, you will have to configure job to create a new password parameter, and then as one of your first build steps, validate the entered password against... against whatever it is that you want. But that means your validation script will probably reside on Jenkins itself.
Edit:
Configure Job
Select "This build is parameterized"
Add "String" parameter
Call it "password"
If on *nix environment, select "Execute Shell" for the first build step:
set +x
if ! [[ "$password" == "mysecret" ]]; then
echo "Bad password"
exit 1
fi
exit 0
If on Windows environment, select "Execute Windows batch command" for the first build step:
#echo off
if not "%password%" == "mysecret" (
echo "Bad password"
exit /b 1
)
exit /b 0
Add other build steps as normal.
Now, every time the job runs, it will prompt for "password", and if it doesn't match string "mysecret", the job will fail.
Important Notes:
This will run after SCM checkout. If you want to run it before SCM checkout, you'd need Pre-SCM build step plugin.
Anyone with "Configuration" access to the job permission or above will be able to see the "mysecret" in plain text. You can use EnvInject plugin to configure global (or job local) password and validate against that variable, instead of "mysecret"
Anyone with direct/remote login to the Jenkins machine will be able see the configuration file with "mysecret" in plain text (unless using EnvInject from above).
People with enough permissions could modify or copy the job, and remove this validation.
Once again, I implore you that the correct approach is to provide granular per-user permissions through default Jenkins security/authorization. Use "matrix" authorization to give permissions per user per job.