How to restrict credentials in Jenkins? - jenkins

I have multiple users on a Jenkins server, each with their own credentials for external secured servers needed to run their builds. I am using the credentials plugin to manage the stored credentials. Currently, when a user configures a project, they can use anyones credentials for doing external jobs. I need to make it so that each user only sees the credentials they own when they configure jobs on the jenkins server. How would I do this?

The Folders plugin allows to limit the scope of credentials to a specific folder.
If you're fine with restricting access of different users to different folders (e.g., with the Role Strategy plugin), then this could be a solution.
Just create the folder, enter the folder, then select the "Credentials" link on the sidebar. A new link should appear called "Folder" click that and then define your credentials. Jobs in other folders will not be able to use those.

Related

Jenkins: Limit Credentials to 'Manage Jenkins > Configure System'

We would like to use the GitHub Pull Request Builder plugin in Jenkins, however in order to use this plugin you are required to enter credentials in the 'Manage Jenkins > Configure System' section that gives access to a given GitHub Enterprise server.
Our issue is that credentials giving access to all of github are too strong to be stored in the credentials manager. I know that you can limit the scope of credentials by using the Folders plugin, however this just limits access to those credentials to jobs in certain folders. Is there a way to restrict credentials so they can only be used in the 'Manage Jenkins > Configure System' section?
Our issue is that credentials giving access to all of github are too strong to be stored in the credentials manager.
This is why you can also use a Personal Access Token. Check the documentation for the plugin at: https://go.cloudbees.com/docs/plugins/pull-request-builder-for-github/. This is not the official plugin page but having read both, this one keeps to the best practices in terms of credentials. The important bits are:
Go to your GitHub settings page.
In the left sidebar, click Personal Access Token.
Click Generate new token.
Give your token a descriptive name
Select the scopes to grant to this token. Pull request tester plugin require permission to administer repository hooks and access repositories: repo, public_repo, admin:repo_hook, repo:status.
Then you can follow the rest of the guide to enter the token in the plugin configuration pages.
Hope this helps.

How to restrict Jenkins credentials to Github organisations in multibranch projects?

I have set up a Jenkins server which builds multiple projects using "Github Organisation" Items. I now want to restrict some credentials so they can only be used in specific organisations.
I figured this should be possible, since such a Multibranch project just creates folders and the folder plugin integrates with the credentials plugin.
However, I have not found any documentation on how to restrict credentials to folders (only that it is possible).
In the meantime, I found out myself.
While being in a folder (or github organisation/multibranch project), click on "Credentials" (left sidebar).
After that, the same credentials entry gets a child entry, called "Folder". Click on it, and you can edit the credentials(-domains) scoped to the folder like usual.
Current Limitation: The folder plugin does only support "Username with password" credentials.

Jenkins: Use personal credentials for project

I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is, that if I want him to add his login info to the credentials list, I'd have to give him acces to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
install and activate the Authorize Projects Plugin,
enable "run as specific user" strategy in global security settings,
enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.

How to use Jenkins credential store when accessing CVS?

Is there a way to use the credential store with the CVS plugin to access a CVS repository? Looking for a way to store credential once and have one place to change it, despite many jobs making use of it.
The CVS plugin doesn't use the credentials store directly (although there are potential plans to move to this in a future overhaul of the plugin), but it does have a concept of global credentials which should provide what you need. The reason for having something separate from global credentials was that CVS introduced this prior to the credentials plugin being available and the steps have never been taken to try and perform a migration.
To use this credential feature, ensure you have version 2.4 or above of the CVS plugin, goto your 'Manage Configuration' screen, scroll down to the CVS section and click the 'Add' button next to the 'Authentication' option. Once you've added any credentials in here, go back to the jobs you're wanting to use the global credentials on, check the CVS root matches what you put in the authentication section and that it doesn't contain a username and then run your job. When running, the console should then show 'Using globally configured credentials for...' when trying to connect to CVS.

How can I add a username and password to Jenkins?

When I go to mydomain.example:8080 there is no authorization mechanism by default. I have had look at the configuration area but cannot find anywhere to add a basic username and password
Go to Manage Jenkins > Configure Global Security and select the Enable Security checkbox.
For the basic username/password authentication, I would recommend selecting Jenkins Own User Database for the security realm and then selecting Logged in Users can do anything or a matrix based strategy (in case when you have multiple users with different permissions) for the Authorization.
Assuming you have Manage Jenkins > Configure Global Security > Enable Security and Jenkins Own User Database checked you would go to:
Manage Jenkins > Manage Users > Create User
Try deleting the .jenkins folder from your system which is located ate the below path.
C:\Users\"Your PC Name"\.jenkins
Now download a fresh and a stable version of .war file from official website of jenkins. For eg. 2.1 and follow the steps to install.
You will be able to do via this method
You need to Enable security and set the security realm on the Configure Global Security page (see: Standard Security Setup) and choose the appropriate Authorization method (Security Realm).
Depending on your selection, create the user using appropriate method. Recommended method is to select Jenkins’ own user database and tick Allow users to sign up, hit Save button, then you should be able to create user from the Jenkins interface. Otherwise if you've chosen external database, you need to create the user there (e.g. if it's Unix database, use credentials of existing Linux/Unix users or create a standard user using shell interface).
See also: Creating user in Jenkins via API
If installed as an admin, use:
uname - admin
pw - the passkey that was generated during installation

Resources