I wanted to have 2-factor authentication in Jenkins for all the users (even super admin) and wanted to know, if it's possible and if it is, what is the possible way or do we need a plugin for it.
Plus can we have authorization for scheduling the deployment in Jenkins and if it's possible, how can we do it.
Jenkins authorization is explained in detail here:
https://wiki.jenkins-ci.org/display/JENKINS/Standard+Security+Setup
The "Authorize Project plugin" is not for what you are asking.
You will not be prompted for password everytime you start a job. Instead, you should configure individual jobs to give access to individual people. Jenkins allows that granularity.
If you really want to prompt for password at every job execution, you will have to configure job to create a new password parameter, and then as one of your first build steps, validate the entered password against... against whatever it is that you want. But that means your validation script will probably reside on Jenkins itself.
Edit:
Configure Job
Select "This build is parameterized"
Add "String" parameter
Call it "password"
If on *nix environment, select "Execute Shell" for the first build step:
set +x
if ! [[ "$password" == "mysecret" ]]; then
echo "Bad password"
exit 1
fi
exit 0
If on Windows environment, select "Execute Windows batch command" for the first build step:
#echo off
if not "%password%" == "mysecret" (
echo "Bad password"
exit /b 1
)
exit /b 0
Add other build steps as normal.
Now, every time the job runs, it will prompt for "password", and if it doesn't match string "mysecret", the job will fail.
Important Notes:
This will run after SCM checkout. If you want to run it before SCM checkout, you'd need Pre-SCM build step plugin.
Anyone with "Configuration" access to the job permission or above will be able to see the "mysecret" in plain text. You can use EnvInject plugin to configure global (or job local) password and validate against that variable, instead of "mysecret"
Anyone with direct/remote login to the Jenkins machine will be able see the configuration file with "mysecret" in plain text (unless using EnvInject from above).
People with enough permissions could modify or copy the job, and remove this validation.
Once again, I implore you that the correct approach is to provide granular per-user permissions through default Jenkins security/authorization. Use "matrix" authorization to give permissions per user per job.
Related
I am seeing the following issues
While secrets/passwords are redacted in jenkins console log, redirecting output to a file prints teh secrets / passwords in plain text even with mask passwords plugin enabled
Steps to reproduce:
Create new freestyle job and do teh following steps
Select 'Inject passwords to the build as environment variables'
Select 'Global passwords'
Select 'Mask password parameters';
Add BuildStep 'Execute Shell';
In the shell enter
env 2>&1 | tee "log.log"
Save the config
Build
Workspace
List item
open log.log and you will see the passwords printed in plain text
Is there any way to hide passwords / secrets from redirected output?
Unfortunately no. Once you redirect output to a file it's no longer managed by Jenkins and you have provide your own secret obfuscation.
Software levels:
Jenkins 2.121.2
Credentials Plugin 2.1.18
Credentials Binding Plugin 1.16
Plain Credentials Plugin 1.4
I am working with a Freestyle project (not a pipeline) and want to use a Groovy command build step for the job's main processing.
I am trying to obtain the userid and password from a user credential so the groovy script can use them for various CLI manipulations. I spent a lot of time searching for answers, but none of the ones I've found worked. Most were not clear, many were geared toward pipelines.
I would greatly appreciate a little guidance at this point.
Here are the gory details.
I created a new parameterized Freestyle project in which I added a Credentials Parameter for a "Username and password" credential. It defaults to one of the credentials that I defined to Jenkins via the Credentials Plugin. I'm not sure this is necessary if the binding selects the credential to use explicitly.
I checked "Use secret text(s) or file(s)" in the Build Environment section, although I'm not certain that is essential for a Username/password style binding.
I added a "Username and password (separated)" binding and set USERID and PASSWORD as the respective variables.
My groovy command window has this sole line:
println("${USERID} ${PASSWORD}")
When I build the job, I get this error:
The both ways will inject the credential into Environment Variable, thus you can access them from Environment Variable in Groovy Script as following for both ways.
def env = System.getenv()
println env['auth']
println env['USERNAME']
println env['PASSSWORD']
But the injected value of the both ways are different.
1) Adding a Credential job parameter for user to choose when run job
In this way, the credentialId is injected, so you not get the username and password.
credentialId example: 1dd4755a-9396-4819-9327-86f25650c7d7
2) Using Credential Bindings
In this way, the username and password are injected, I think this is what you wanted.
def env = System.getenv()
def username = env['USERNAME']
def password = env['PASSSWORD']
def cmd = "curl -u $username:$password ...."
Add a Jenkins Build Step supply by plugin Execute Groovy script
To summarize, the techniques identified by #yong's post will only work with System Groovy Script build steps. The latest plugin and Jenkins levels will obfuscate the credential parameters, so println cannot be used to verify their content by visual inspection.
I have a job to be triggered by developers where they have to put their AD's before triggering build. But thoes passwords are displayed on console output. I have tried mask passwords plugin. But the problem is I cannot store all developers AD's in job configuration.
Please suggest me any solution.
Please find below my findings with solution [without using Mask Passwords plugin]:
Brief Description about my jenkins job:
I wrote a job which downloads the artifacts from Nexus based on the parameters given at run-time and then makes a Database SQL connection and deploy the SQL scripts using maven flyway plugin. My job takes - Environment, Database Schema, Artifact version number, Flyway command, Database User and it's password as input parameters.
Brief Background about problem:
While passing the PASSWORD as MAVEN GOAL (Parameter), it was coming in Jenkins Console as a plain text.
Although I was using "Password Parameter" to pass the password at run-time but then also it was coming as plain text in console.
I tried to use the "secret text" to encrypt the password but then my job started failing because the encrypted password was getting passed to Maven Goals, which was not able to connect to DB.
Solution:
I used "Inject passwords to the build as environment variables" from Build Environment and defined its value as my "password parameter" (my password parameter name was db_password) which I am passing as parameter at run-time (eg.: I defined my inject password value as : ${db_password} ).
And this is working as expected. The password which I am passing while running my job is coming as [*******]
[console log:
Executing Maven: -B -f /work/jenkins_data/workspace/S2/database-deployment-via-flyway-EDOS/pom.xml clean compile -Ddb=UAT_cms_core -DdatabaseSchema=cms-core -Dmode=info -DdeploymentVersion=1.2.9 -Ddb_user=DB_USER -Ddb_password=[*******]
]
Regards,
Rohit Rajpoot
Here's an answer I just came across in the Jenkins documentation:
Normally you will start your script with
set +x
so that commands you run are not echoed to the log, in case you
mention the values of secrets in those commands.
I have automated test which takes input from the user and runs the test.
Any idea on if we can give the argument from jenkins for the robot testcase and run the test?
ex:
scenario: Test if a lighting device works well or not.
steps:
ssh login to light device,
run some predefined set of commands,
verify the lighting_flag set to 0 or 1,
ssh logout from device
In this case,
I need to take light device username and password as input from user.
Is it possible to get it from jenkins (build with parameters) and run the robot test case?
You can use variables. For example, a user keyword connecting and logging in might be like:
Connect To Device
[Arguments] ${HOST}
Open Connection ${HOST}
Login ${USERNAME} ${PASSWORD}
Now, provided your Jenkins parameters are username and password, you can use the execute shell task like this:
pybot --variable USERNAME:[username] --variable PASSWORD:[password] <path/to/tests>
This sets global variables ${USERNAME} and ${PASSWORD} for the test execution.
More info in the user guide.
Passing Arguments from Jenkins.
Go to Jenkins Job_Name -> Configure, in Job Notification area you can find a checkbox named "This build is parameterised".
Click on "Add Parameter" select "string parameter" in options.
Now you can find Name, Default Value, Description(optional).
Name: USERNAME
Default Value: user1
Repeat the same for password.
In Execute Shell:
export USERNAME=$USERNAME
export PASSWORD=$PASSWORD
I am currently trying to find a way to allow only certain users to use stored credentials in jenkins. I have not found a way to do this using the credential plugin. I am using the role based Access plugin as well.
is there a way to create credential domains that can only be accessed by allowed users?
how can a user use the credentials that they provide in their own "user profile" configuration area?
Is this possible ? or is there another plugin that can do this.
Not to miss an obvious answer - undocumented, but easy enough to figure out.
It only works for ssh/sftp access.
Edit a job.
Mark it "parameterized".
Add a parameter
type: credential
named my-ssh-private-key
Mark "SSH agent"
parameterized credential = ${my-ssh-private-key}
Enter ssh my_host "echo Hello world" as job's batch script action
Try to build the job. You would be asked to choose credentials, and here, lo and behold, you can pick also your private credentials amongst the global ones. But other users can only run this job if they have their own authorized ssh private key (with public part included in the remote authorized_keys).
If you have "host key verification" error, just go to jenkins shell to fix:
su - jenkins
ssh my_host # confirm the host key to be saved into your known_hosts
tail ~/.ssh/known_hosts