I want to use the Bitbucket pull request plugin with Jenkins. It works great without two-factor authentication. But with two-factor authentication enabled it does not work.
Has anybody got it to work with TFA enabled, or is this just not supported?
If you're using 2FA in Bitbucket Cloud, you'll need to change the repository configuration in Jenkins to use App Passwords. If Jenkins is currently checking out using your account password, 2FA will prevent that by definition, but if you configure the repo with an app password it should all just work.
I need to set up multi-factor authentication on users who log in to Jenkins, using Google Authenticator. I looked on the internet and couldn't find any solution or Jenkins plugin to achieve this.
Does anyone have an idea about how to do this?
You could test:
OpenId Connect Authentication plugin
OpenID plugin
Both support the Google OpenId endpoint.
As discussed in jenkinsci/oic-auth-plugin issue 25, that would bypass the MFA (Multi-Factor Authentication) though.
I have been using Git Plugin in Jenkins to pull the source code from the GitHub repository.
I have been using UserName and Password for authentication.
However, GitHub has announced:
Deprecation Notice: GitHub will discontinue password authentication to
the API. You must now authenticate to the GitHub API with an API
token, such as an OAuth access token, GitHub App installation access
token, or personal access token, depending on what you need to do with
the token
So I need to change the authentication to use an OAuth token.
1> I have created an OAuth token in GitHub
2> Then in Jenkins I created a Secret Text as Global Credentials (using the GitHub OAuth token)
3> However, when I go to the job configuration, the Git Plug-in does not show any credentials in the drop-down list whose type is secret text (it shows all other credentials though)
How do I configure the Git Plug-in to use an OAuth token?
Check first if you have the github-oauth Jenkins plugin installed, as described in "Use the Jenkins OAuth plug-in to securely pull from GitHub", from Walker Rowe.
That would allow you to register your Jenkins server as an application which can then access GitHub resources.
Stick with the "Username with Password" credential type, created with a token (usually a Personal Access Token) in place of the password.
The GitHub docs you linked to mention this type of use case specifically:
curl -u username:token https://api.github.com/user
This approach is useful if your tools only support Basic Authentication but you want to take advantage of OAuth access token security features.
The Git Plugin doesn't accept a SecretText credential because it wouldn't know what to do with it. While it isn't limited to Basic Auth only (it supports SSH, after all), it doesn't know what to do with just an OAuth token.
Fortunately, GitHub has provided a workaround for this exact type of use case, by allowing you to pass a token (virtually) anywhere you would otherwise use a password.
Using this method allows you to take advantage of the security features of tokens, such as per-token scopes, without having to retro-fit your existing tooling.
Another approach is to take advantage of the GitHub App authentication support.
It was released in April 2020 with GitHub Branch Source 2.7.0-beta1, which is available in the Jenkins experimental update center.
Why authenticate as a GitHub app?
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication.
No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens.
This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation.
And:
In addition to usage of GitHub App authentication for Multi-Branch Pipeline, you can also use app authentication directly in your Pipelines.
You can access the Bearer token for the GitHub API by just loading a 'Username/Password' credential as usual, the plugin will handle authenticating with GitHub in the background.
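The two approaches above (a token stored as the password of a "Username with password" credential, and a GitHub App credential loaded the same way) written out as a Jenkinsfile. This is an added example, not code from the answers or from the Jenkins project; the credential IDs github-pat and github-app and the repository URL are hypothetical.

```groovy
// Added example. Credential IDs and the repository URL are hypothetical.
pipeline {
    agent any
    stages {
        stage('Checkout with token as password') {
            steps {
                // 'github-pat' is a "Username with password" credential whose
                // password field holds the personal access token.
                git url: 'https://github.com/example-org/example-repo.git',
                    branch: 'main',
                    credentialsId: 'github-pat'
            }
        }
        stage('API call with the same credential') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'github-pat',
                                                  usernameVariable: 'GH_USER',
                                                  passwordVariable: 'GH_TOKEN')]) {
                    // Single quotes: the shell expands the variables at run time.
                    // Groovy interpolation would embed the token in the script text.
                    sh 'curl --fail --silent -u "$GH_USER:$GH_TOKEN" https://api.github.com/user'
                }
            }
        }
        stage('API call as GitHub App') {
            steps {
                // 'github-app' is a GitHub App credential. Bound as a
                // username/password pair, its password variable carries the
                // token the plugin obtained from GitHub in the background.
                withCredentials([usernamePassword(credentialsId: 'github-app',
                                                  usernameVariable: 'GH_APP',
                                                  passwordVariable: 'GH_APP_TOKEN')]) {
                    sh 'curl --fail --silent -H "Authorization: Bearer $GH_APP_TOKEN" https://api.github.com/rate_limit'
                }
            }
        }
    }
}
```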
This answer describes the entire process of setting up OAuth with Github in Jenkins: https://stackoverflow.com/a/61995795/9962007
I am connecting to a TFS server using the terminal on my MacBook, following this page: https://learn.microsoft.com/en-us/visualstudio/mac/tf-version-control?view=vsmac-2019. Yes, I have created the workspace successfully, but when I try to map it to a local folder, it always shows an access denied error even though my credentials are absolutely correct. I am using a personal access token as the username and leaving the password empty.
The error is:
Access denied connecting to TFS server https://dev.azure.com/myworkbaseasolutemobile/VersionControl/v4.0/repository.asmx (authenticating as f).
After that, it prompts me to enter the username and password. Once I type them in, the terminal does nothing but give me a new line to enter a new command. When I enter the tf workfold command again, the error comes up again.
I don't even know where the 'f' comes from. I don't know where the problem is. Can anyone help me with this?
Personal access tokens (PATs) are alternate passwords that you can use to authenticate into Azure DevOps.
Azure DevOps uses enterprise-grade authentication to help protect and secure your data. Clients like Visual Studio and Eclipse (with the Team Explorer Everywhere plug-in) also support Microsoft account and Azure AD authentication. Since PATs are an alternate form of user authentication, using a PAT gives you the same access level. If you create a PAT with a narrower scope, your access is limited to that scope.
Please leave the username empty and use PAT as password to access your TFS server.
Besides, since you are using a PAT with an on-premise TFS server, check whether you have already turned off Basic Authentication.
We recommend you keep IIS Basic Authentication turned off at all times
when using Azure DevOps Server. Only if necessary should you enable
IIS Basic Authentication. When IIS Basic Authentication is enabled on
your windows machine, it prevents you from using personal access
tokens (PATs) as an authentication mechanism.
For more details, please take a look at this official link.
I am trying to write some automation that sets up a Jenkins instance and configures it with the GitHub OAuth Plugin. For this to work, I would need to programmatically register an OAuth Application on GitHub and then pass the generated Client ID and Client Secret to Jenkins. Is this possible?
We have a Jenkins installation that uses the OpenID plugin to authenticate our company users. The problem we have is that our source control (Kiln/Mercurial) pushes notifications to Jenkins either anonymously or via username/password. As all users use OpenID, I cannot use username/password. So with that being said, what is the minimum set of permissions for an anonymous user to be able to kick off a job build in Jenkins?
If you use matrix-based security (or project-based matrix), the user needs to have the "build" column in the "job" group ticked.