How to restrict Jenkins credentials to Github organisations in multibranch projects? - jenkins

I have set up a Jenkins server which builds multiple projects using "Github Organisation" Items. I now want to restrict some credentials so they can only be used in specific organisations.
I figured this should be possible, since such a Multibranch project just creates folders and the folder plugin integrates with the credentials plugin.
However, I have not found any documentation on how to restrict credentials to folders (only that it is possible).

In the meantime, I found out myself.
While being in a folder (or github organisation/multibranch project), click on "Credentials" (left sidebar).
After that, the same credentials entry gets a child entry, called "Folder". Click on it, and you can edit the credentials(-domains) scoped to the folder like usual.
Current Limitation: The folder plugin does only support "Username with password" credentials.

Related

Set group of Jenkins system user when creating a job

I'm using the Authorize User plugin in Jenkins, and I'm trying to setup a multi-tenant jenkins with genuine access control. I want to have a folder with a set of jobs which group A can see, and another folder with another set of jobs which group B can see.
At the master/controller, the $JENKINS_HOME/jobs/ folder creates a new job folder when a build is triggered. However this folder is created as the SYSTEM user, not the build user. The issue is although I could just put the build user into the SYSTEM user's group, this would ALSO give them access to any job on the filesystem, not just the folder they should have.
Is there a way to configure what user:group is set when a job folder is created?
Perhaps this helps:
https://support.cloudbees.com/hc/en-us/articles/204173600-How-do-I-limit-users-access-to-the-folders-to-which-they-belong-to-?page=94
It should also work with vanilla Jenkins.
Warning: untried ;-)

"Trigger builds remotely" does not appear after installing Build Token Root Plugin in Jenkins

I have installed Build Token Root Plugin (Version 1.2) in Jenkins. But the "Trigger builds remotely" options doesn't appear.
The end goal is to trigger Jenkins from SlackBot. I followed this tutorial.
I must be doing something very silly. Please help.
Stackoverflow articles referred with no vain
Hudson - missing Trigger builds remotely option
Triggering builds remotely in Jenkins
You need to read it: Quick and Simple Security
Enable the security setting, go to http://yourhost/jenkins/configureSecurity and select enable security, then choose Delegate to servlet container for security realm and Legacy mode for authorization strategy. Or, you may click on the Manage Jenkins link on the left side of the main Jenkins dashboard page to get to the configuration page, then click Configure Global Security.
To log into Jenkins go to http://yourhost/jenkins/loginEntry, or click on the login link located on the top right hand corner of any Jenkins Dashboard page.
This will bring you to the Login page. Enter the user name and password, and click on the Submit button. This will take you back to the main Jenkins dashboard. You will now see the Manage Jenkins link on the left side of the page.
To logout simply click the logout link located on the top right hand corner of any Jenkins dashboard page.
Anonymous read access required
The preceding instructions require that anonymous users have read access to Jenkins. If you disable overall read access for anonymous users, the Build Token Root Plugin allows use of tokens.
Be carreful while applying the accepted answer. It locked me out of Jenkins.
Here is an alternative:
* Security Realm: Jenkins' own user database (uncheck Allow users to sign up)
* Authorization: Logged-in users can do anything
The “Trigger builds remotely” then appears.

How to restrict credentials in Jenkins?

I have multiple users on a Jenkins server, each with their own credentials for external secured servers needed to run their builds. I am using the credentials plugin to manage the stored credentials. Currently, when a user configures a project, they can use anyones credentials for doing external jobs. I need to make it so that each user only sees the credentials they own when they configure jobs on the jenkins server. How would I do this?
The Folders plugin allows to limit the scope of credentials to a specific folder.
If you're fine with restricting access of different users to different folders (e.g., with the Role Strategy plugin), then this could be a solution.
Just create the folder, enter the folder, then select the "Credentials" link on the sidebar. A new link should appear called "Folder" click that and then define your credentials. Jobs in other folders will not be able to use those.

Jenkins: Use personal credentials for project

I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is, that if I want him to add his login info to the credentials list, I'd have to give him acces to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
install and activate the Authorize Projects Plugin,
enable "run as specific user" strategy in global security settings,
enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.

How to use Jenkins credential store when accessing CVS?

Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.

Resources