I am trying to set up Jenkins for software hosted in Google Cloud VM. I have a VM with user account A and user account B. Jenkins is hosted in user account A. All the other softwares are hosted in user account B. In order to authorize Jenkins to ssh into userB#VM_ADDRESS, I am placing user A's .ssh/id_rsa.pub into user B's .ssh/authorized_keys. This allows for Jenkins to ssh into userB#VM_ADDRESS to update my software whenever I push changes to Github. However, after awhile, for some reason the .ssh/authorized_keys in user account B is replaced/refreshed and my key is gone, and the ssh from Jenkins would fail with permission denied. How should I solve this? Or am I doing Jenkins wrong?
I saw this thread at https://groups.google.com/g/gce-discussion/c/iHqRb2KlMZg/m/x59xV4pYAQAJ?pli=1 that seems to be a similar problem but after reading through I still do not know what I need to do.
The SSH keys in the metadata are redeployed regularly. To solve the issue, instead of performing manually the copy/paste in the system, copy the key and (add it to the compute engine metadata](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys)
However, I'm not sure that is the good way to follow. Why you don't log in with the account A, because it's the "reality" and perform action on software? You can put the account A and the account B in the same Linux group, or performing a chown to change the owner of the fresh files at the end.
What's the requirements behind this tricky question?
Update 1:
The fact to use the key of the account A to log into the user B, is like an impersonation. At the end, you don't know if it's the user account A or B which have performed stuff on your file.
Anyway, in linux you have 3 level of permission UGA (User, Group, All), that's why you have something like this when you perform a ls -la: rwxr-xr-- which mean U (User) can do RWX (Read Write eXecute), group can only Read and eXecute and all can only read.
Therefore, if the user account A and user account B are in the same Group, you can set common group permissions and avoid all (others) to access to the files.
Related
I exported one scheduled job I created. And it should be possible to import that task to other computers using cmd/powershell.
Is there a way to tell schtask that it should use current user that is logged on and use the highest privileges to execute this job?
May help:
All computer are in the same local network and sem system group.
Console where schtask import xml is executed already has admin rights.
schtask \create \tn <myService> \xml <my xml path>
If schtask can somehow prompt for which user to use it would be ok. Even if it will ask for a password.
But I don't want to write user password into cmd as argument (i don't see that option safe for my situation)
Perfect would be to just automatically select the current user that is logged on.
Thank you ;)
I specified to run the script as "User" and it works on all computer. If someone can explain what this User means would be nice
I am really lost in my GIT today (and a newbee too)
I have 2 bitbucket users, and with user A I created a private repository online on the bitbucket site.
I've been pushing source changes to it, and all is well. (both via sourcetree and from the command line)
Until... I saw that the user pushing the changes is user B (I once created two accounts for bitbucket), and I did not grant him rights.
I probably am doing something wrong here, but I want to understand what that is.
When I do git config user.name I get 'userb'
When I look at the raw commit in the repo I see 'userb'
I have the access level : private repository
I did not send any invitation (afaik)
I don't know If I've ever granted userB all access to userA (Is that possible, and if so, where can I see that?)
When I look in the config file in the .git directory, I see no username
Is the user that pushes the code maybe another one then the committing user? Can it be that userB edits and commits, and userA pushes?
I don't think I've just experienced a security leak, but I do like to know why this happens.
I've got an issue with Jenkins 2.6-1.1 running on CentOS v7.2.1511. I am using the Crowd 2 integration plugin v.1.8 and the Matrix Authorization Strategy plugin v.1.3.2 for authentication and authorization, respectively. Security is configured for "Project-based Matrix authorization strategy".
In my Jenkins configuration, I employ two group assignments on the Crowd server: jenkins-administrators and jenkins-users. jenkins-admininstrators has every permission enabled. jenkins-users have permission to:
Overall: Read, RunScripts
Agent: Build, Configure, Connect, Create
Job: Build, Cancel, Configure, Create, Delete, Discover, Read, Workspace
Run: Delete, Update
View: Configure, Create, Read
SCM
jenkins-administrators obviously have all of these permissions enabled as well.
The issue is that, at some point, users who are in both jenkins-administrators and jenkins-users ceased having the ability to configure nodes or create new nodes. What I mean by this is that, when the user clicks on the link to configure a node, or clicks OK on the new node (/computer/node) page, the post goes through, but a page is never returned.
If I remove the user from the jenkins-administrators group, they are able to add and configure nodes as expected.
If I configure the user such that they are in the jenkins-admininstrators group solely, they are unable to login (which seems like it could be related).
I tried modifying the security matrix so that jenkins-administrators and jenkins-users had the same configuration in re: to nodes, but this didn't change anything.
Outside of the slave logs, and the occasional message to /var/log/messages, there doesn't appear to be anything relevant in /var/log/jenkins/jenkins.log.
Any suggestions on how I can configure Jenkins logging to show me information that is more relevant to node configuration and creation, or any suggestions in general on how I might observe the node creation and configuration process?
I have a windows service that works fine with my application on the admin user, once I log into a non-admin user I need this user to be able to start,stop, and check the status of the service. I have used advapi32.dll library to be able to do this, but using this I am required to have the name of the users and the name of the service, so I would have to run this program every time a new user is added. I need a way to allow the service to communicate to all users, even newer users created after the service has been installed.
I have been trying to figure it out a way to do this by using Installshield service settings during installation. There is one field that you can create permissions, the only problem is that this is done using SDDL and it looks like this: O:<[%USERDOMAIN]>G:BAD:(D;OICI;GA;;;BG)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)(A;OICI;GA;;;BA)S:ARAI(AU;SAFA;FA;;;WD)
Does anybody knows a method to do this or can guide me through the SDDL if this is posible?
Thanks
Similar to this question How can we execute Jenkins job using other user credential
I have users who will login to Jenkins using active-directory credentials, and then as part of the job use publish-over-cifs, which must use the same domain credentials they supplied when logging in.
This would require that Jenkins retains the password in memory in order to provide it to the cifs plugin.
How should I do this?
I've added a Jenkins Issue https://issues.jenkins-ci.org/browse/JENKINS-22561?focusedCommentId=198490#comment-198490 sponsored for $25 https://freedomsponsors.org/core/issue/483/publish-over-cifs-should-be-able-to-use-jenkins-session-credentials-including-domain-when-jenkins-active-directory-authentication-is-used?alert=SPONSOR#
I am sorry, I don't know how to answer your question, but here is a completely off-the-wall hypothetical solution.
The AD user, on their own machine, is already logged in and can use the AD shares/SMB with their logged in credentials.
Design a job that asks the user for the IP address of their machine. Then have the job spawn a Jenkins Slave on that machine, and execute the job on that Slave, so that it inherently gets access to AD.
This answer probably deserves a downvote