Is there a way to share Jenkins service endpoint credentials across multiple TFS projects? We have close to 30 projects, and each build requires us to configure the same set of credentials.
I would like to set an environment variable or something that would allow us to manage those credentials in one place for all TFS projects.
For a specific project, you click the gear here:
And then enter the credentials here:
This is not possible yet, there is a Feature Request about it, you can up vote there.
To automate the process you can create the Jenkins endpoints with the Rest API Endpoints - Create.
No. Service connections are scoped at the Team Project level. Team Projects are intended to be largely isolated from one another, so there is limited ability to share things between them. If you need to manage a service endpoint across many projects, you'll need to look at the REST APIs and write a programmatic solution.
Related
We have Jenkins setup in our organisation with two organisational folders which basically does builds for repo's from two different github organizations.
We use Keycloak to authenticate to Jenkins. (Not sure if that's relevant or not) and we authenticate using openid connect with Keycloak.
I would like to know if it is possible to restrict access for a certain group of users to only be able to view builds on one of the github organizations. So for example if we have two github organizations: mrrobot_org and evilcorp_org, then I would like to be able to make an evilcorp_org_devs_group and add users to that group which would then restrict those developers from only accesing builds from the evilcorp_org github organization.
Someone told me this might be possible to do from Keycloak, but it does not seem likely.
I've tried quite a few things already but from what I've read the best option seems to use this plugin
https://plugins.jenkins.io/role-strategy/
and match the organzation using a regex to match a folder:"Folders can be matched using expressions like
^foo/bar.*".
Any other suggestions how I could do this?
Thanks so much.
For anyone reading this. I ended up using the Folder auth plugin for Jenkins.
I ended up sticking to Keycloak for Authentication, but used the folder auth plugin for Authorization.
So this allows me to restrict access per Jenkins folder. Each folder containing the builds of a given github organization.
The plugin is pretty easy to use. You can check it out here:
https://github.com/jenkinsci/folder-auth-plugin
The docs are here:
https://github.com/jenkinsci/folder-auth-plugin/blob/master/docs/usage.md
I like the use of Jenkinsfiles and shared-libraries for their purported benefits, but i have some governance concerns about execution of arbitrary Jenkinsfiles (and potential use of broadly scoped credentials).
I'm thinking it would be convenient to lock down credentials to use by a specific shared-library to enforce usage patterns (at the same time, i think it's entirely possible that there are better ways to approach the problem space), so i'm just reaching out for any ideas/guidance in this space.
Not sure if our solution would work for you or not.
We have a shared library; reviewed and rather locked down so that not just anyone can make a change to it. We have that library attached to two separate folders on our Jenkins.
In one folder, our users have their own personal or team based folders and can create jobs and credentials in that space. There are no shared credentials on this big folder and teams do not share their credentials with each other.
There is a second folder, which none of the users/teams have edit access to, but can execute existing jobs. There are no Jenkinsfile, SCM-based jobs in that folder where they can modify the job via SCM. This folder has the "locked down" credentials on it that are not meant to be shared or accessible. The users/teams can edit their jobs (in their folders) to call these jobs - but they can't edit these protected jobs to gain access to the credentials.
It's awkward in a way. But it has preserved the divide between users and credentials they shouldn't have access to.
I have two projects in JIRA: software project and service desk project.
My goal it to enable my service desk customers to access the software project but in a limited way. E.g.:
clients could create stories,
comment on them,
assign priorities
and assist with assigning them to iterations / releases.
But they would not be able to perform and see some actions e.g.:
see the logged time
and ideally to keep some of the ticket / story fields and comments as internal use only so I can have technical discussions with my team without the client seeing them etc.
I can see in documentation that "Service Desk Customers can't log in to JIRA applications":
https://confluence.atlassian.com/servicedeskcloud/setting-up-service-desk-users-732528877.html
But is there any workaround to give Service Desk Customers access to JIRA applications? Is there any simpler method than making a REST API bind? If yes, then how it could be achieved?
The documentation is not clear. Add their accounts to the jira-users group and they will be able to log into JIRA as regular users. The point is that member of jira-users consumes a JIRA user license, while "pure" customer account does not.
As regular regular users they will have permissions just as you configure your project Permission Scheme, so everything is in your hands. Using roles you can restrict issue comments to those roles. There's also nice Comment Security Default plugin to use with that.
I am learning Jenkins and i am using version 1.605. I am learning about setting security options in jenkins. I found below options in jenkins configure global security page under the security realms:-
Delegate to servlet container
Jenkins'own user database
LDAP
I want to understand in which scenario, which option should be used?Please help me understand.
The "servlet container" refers to the web server that you are using to host Jenkins, typically Tomcat. The configuration file $CATALINA_BASE/conf/tomcat-users.xml may already be set up and managed by your organization. In this case: "why reinvent the wheel?". Use this if your organization already has a process that manages the Tomcat users configuration. This is also probably the most archaic solution.
The "own user database" is just what it sound like. Instead of relying on something else, Jenkins keeps it's own database of users. You can create and delete users through the Jenkins UI. You can even let new users sign up right from UI. If you don't know what to use, use this one. It's simple and self-contained.
The "LDAP" provides integration with LDAP/ Windows Active Directory. If you are in a corporate/small business environment that already utilizes LDAP for maintaining users and groups, it will be very beneficial to hook into that and off-load user management to the IT team that manages LDAP/AD. Note that unless you are that IT admin, you will need to contact the said admins for connection information/credentials to the LDAP/AD
Slav did a very clear answer.
If you choose the option 2 or 3, you can use the Role Stragegy plugin to create application roles and assign roles to Jenkins users, LDAP users or LDAP static/virtual groups.
If you have a lot of users, this plugin can save your life to assign permissions :)
We use LDAP security for our TFS internally, but we have a few vendors who we would like to give web access to for viewing, creating or updating work items.
Can anyone recommend a good approach to accomplish this without moving our TFS host to an external location?
You will have to open your TFS externally and create user accounts for the vendors.
A couple of references to expose your TFS to the internet:
http://msdn.microsoft.com/en-us/library/bb668967.aspx
http://www.christiano.ch/wordpress/2010/05/01/microsoft-team-foundation-server-2010-and-external-access-fqdn/