Similar to this question How can we execute Jenkins job using other user credential
I have users who will login to Jenkins using active-directory credentials, and then as part of the job use publish-over-cifs, which must use the same domain credentials they supplied when logging in.
This would require that Jenkins retains the password in memory in order to provide it to the cifs plugin.
How should I do this?
I've added a Jenkins Issue https://issues.jenkins-ci.org/browse/JENKINS-22561?focusedCommentId=198490#comment-198490 sponsored for $25 https://freedomsponsors.org/core/issue/483/publish-over-cifs-should-be-able-to-use-jenkins-session-credentials-including-domain-when-jenkins-active-directory-authentication-is-used?alert=SPONSOR#
I am sorry, I don't know how to answer your question, but here is a completely off-the-wall hypothetical solution.
The AD user, on their own machine, is already logged in and can use the AD shares/SMB with their logged in credentials.
Design a job that asks the user for the IP address of their machine. Then have the job spawn a Jenkins Slave on that machine, and execute the job on that Slave, so that it inherently gets access to AD.
This answer probably deserves a downvote
I am trying to set up Jenkins for software hosted in a Google Cloud VM. I have a VM with user account A and user account B. Jenkins is hosted in user account A. All the other software is hosted in user account B. In order to authorize Jenkins to ssh into userB#VM_ADDRESS, I am placing user A's .ssh/id_rsa.pub into user B's .ssh/authorized_keys. This allows Jenkins to ssh into userB#VM_ADDRESS to update my software whenever I push changes to GitHub. However, after a while, for some reason the .ssh/authorized_keys in user account B is replaced/refreshed and my key is gone, and the ssh from Jenkins fails with permission denied. How should I solve this? Or am I doing Jenkins wrong?
I saw this thread at https://groups.google.com/g/gce-discussion/c/iHqRb2KlMZg/m/x59xV4pYAQAJ?pli=1 that seems to be a similar problem but after reading through I still do not know what I need to do.
The SSH keys in the metadata are redeployed regularly. To solve the issue, instead of manually performing the copy/paste on the system, copy the key and [add it to the Compute Engine metadata](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys).
However, I'm not sure that is the right way to go. Why don't you log in with account A, since that's the "reality", and perform the action on the software? You can put account A and account B in the same Linux group, or perform a chown to change the owner of the fresh files at the end.
What's the requirements behind this tricky question?
Update 1:
Using the key of account A to log into user B is like an impersonation. At the end, you don't know whether it was user account A or B that performed stuff on your files.
Anyway, in Linux you have 3 levels of permission, UGA (User, Group, All); that's why you see something like rwxr-xr-- when you perform an ls -la, which means U (User) can do RWX (Read, Write, eXecute), the group can only Read and eXecute, and all can only read.
Therefore, if user account A and user account B are in the same group, you can set common group permissions and prevent all (others) from accessing the files.
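The group-based layout the answer recommends, shown as an added example rather than anything from the original thread: the three UGA levels are parsed from the ls -l string, a constructed file is first given the answer's rwxr-xr-- mode, then locked down so the shared group keeps full access while "all" (others) gets nothing. The file path and contents are made up.

```python
import os
import stat
import tempfile

# Added example, not from the original answer. The ls -l bit order is
# U(rwx) G(rwx) A(rwx); mapping each character to its stat constant.
PERMISSION_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,   # U: user/owner
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,   # G: group
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,   # A: all/others
)


def symbolic_to_mode(sym: str) -> int:
    """Turn the 9-character string shown by ls -l (e.g. 'rwxr-xr--') into a numeric mode."""
    if len(sym) != 9:
        raise ValueError("expected 9 permission characters such as rwxr-xr--")
    mode = 0
    for ch, bit in zip(sym, PERMISSION_BITS):
        if ch != "-":
            mode |= bit
    return mode


def mode_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_mode, for printing a mode the way ls -l does."""
    return "".join(
        "rwx"[i % 3] if mode & bit else "-" for i, bit in enumerate(PERMISSION_BITS)
    )


def others_can_access(mode: int) -> bool:
    """True if the 'all' level still has read, write or execute."""
    return bool(mode & stat.S_IRWXO)


def restrict_to_group(path: str) -> int:
    """Keep owner and group at rwx, strip every bit from others; returns the new mode (0o770)."""
    os.chmod(path, stat.S_IRWXU | stat.S_IRWXG)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Create a constructed file with the answer's rwxr-xr-- mode, then lock it to the group."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "deployed-artifact.txt")   # constructed path
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, symbolic_to_mode("rwxr-xr--"))
        before = stat.S_IMODE(os.stat(path).st_mode)
        after = restrict_to_group(path)
        return {
            "before": mode_to_symbolic(before),
            "after": mode_to_symbolic(after),
            "others_before": others_can_access(before),
            "others_after": others_can_access(after),
        }


if __name__ == "__main__":
    print(demo())
```

For a whole deployment directory the same idea applies with mode 0o2770: the setgid bit makes files created by account A inherit the directory's group, so account B keeps access without any chown at the end.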
We have a CI Jenkins platform and we want to manage our deployments with an email confirmation. A user sends a request to start the deployment plan. But in the first step, the plan sends a confirmation email to an administrator. If the admin clicks the request link, the deployment will start; otherwise it won't start.
Is there a way to do this with Jenkins or any Jenkins plugin?
Yes, there is a way to do that; honestly, more than one way, and you can choose according to your preferences. What I suggest is to consider the way explained in this Jenkins issue: https://issues.jenkins-ci.org/browse/JENKINS-33793
Though it has status Unresolved, from my knowledge it looks like it will work even right now, because it is just a URL.
I am developing a Dashboard on top of Jenkins. The Dashboard would list all the jobs available and would also have a trigger button to initiate a build, which sends a POST request using the secret token. The problem is that every build would have the same cause, which says "Started by remote host 19.XX.XX.XX". Since the dashboard needs to display the logged-in user as the person who triggered the job, is there a way we can pass a username as well in the Jenkins remote trigger URL, like below, so that Jenkins would capture the cause as the user name?
https://jenkinsurl:port/job/testLDAP/build?token=DDJjk$###*bB&userName=abc
There is no parameter that you can use for this. A workaround that I've used is adding &cause=This+was+started+by+abc which results in
Started by remote host 192.168.x.x with note: This was started by abc
Perhaps this might help you.
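The workaround from the answer, as an added example that is not part of the original thread: the trigger URL is built with every query value percent-encoded (the question's sample token contains '$', '#' and '*', and an unencoded '#' would be cut off as a URL fragment), the cause is decoded back out so it can be checked in proxy or access logs, and a Basic-auth header is built from a user API token for the request itself. The Jenkins URL, job name, token and user are constructed placeholders.

```python
import base64
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not from the original answer. All values are constructed.


def build_trigger_url(base_url: str, job: str, token: str,
                      cause: Optional[str] = None) -> str:
    """Build the remote-trigger URL with properly encoded token and cause parameters."""
    params = {"token": token}
    if cause:
        params["cause"] = cause      # appears as "with note: <cause>" on the build page
    return f"{base_url.rstrip('/')}/job/{job}/build?{urlencode(params)}"


def cause_from_url(url: str) -> Optional[str]:
    """Decode the cause back out of a trigger URL, e.g. when auditing access logs."""
    return parse_qs(urlsplit(url).query).get("cause", [None])[0]


def api_token_auth_header(user: str, api_token: str) -> dict:
    """Basic-auth header carrying a Jenkins user API token instead of a password."""
    raw = f"{user}:{api_token}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def decode_auth_header(header: dict) -> Tuple[str, str]:
    """Split a Basic-auth header back into (user, secret); used here to verify the round trip."""
    scheme, _, payload = header["Authorization"].partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, secret = base64.b64decode(payload).decode().partition(":")
    return user, secret


if __name__ == "__main__":
    url = build_trigger_url("https://jenkins.example:8443", "testLDAP",
                            "DDJjk$###*bB", "This was started by abc")
    print(url)
    print(cause_from_url(url))
    print(api_token_auth_header("abc", "EXAMPLE_API_TOKEN"))
```

The job's trigger token travels in the query string and therefore lands in every proxy and web-server access log on the path, so treat the cause parameter as a display hint rather than an authenticated identity: the "with note" text is whatever the caller typed.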
I want to create a Groovy script using the Pipeline plugin in Jenkins that handles security so that only some users can enter a node.
This would be the example:
node('master') {
    //code..... more code
}
node('production') {
    //more code.....
}
I want only some users to be able to run the production node successfully, without using the input step that asks for only specific users/groups to approve it.
Is there a configuration option where I can configure the security of a specific node, i.e. which users (or group) can execute scripts on it?
Note: I am using only Jenkins 1.6 (not CloudBees, which has more complex security options)
Edited 04/20/2016 reflecting discussions in comment:
Update: Goal: Preventing unauthorized users from executing jobs on a selection of Jenkins nodes.
Update: The Job Restrictions Plugin referred to by luka5z would be a promising fit for the goal, when used in conjunction with the Role Strategy Plugin.
Give matrix-based security a try with the Role Strategy Plugin. First, you need to set the users/anonymous group global role to have very minimal access. Then you can set slave roles that only allow users to use node names starting with a pattern, e.g. QA_Slave*, and only a small group, say admin, has all permissions on all slaves, which implies Production.
Update: Role Strategy Plugin can prevent a user from modifying the policy applied to a node, but would not protect a node from running a job it was tagged to [unauthorized slave assignment in job configuration], whereas the Job Restrictions Plugin would independently apply restrictions at the node level, without going to extremes and taking all job configuration access away.
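The two layers the thread ends up with, modelled as an added example with constructed users, roles and node names (this is not code from either plugin): slave roles grant agent permissions on nodes whose name matches a pattern, which is assumed here to be a regex matched against the whole node name; a separate node-level rule, in the spirit of the Job Restrictions Plugin, decides whether a build from a given user may run there at all. The point the last update makes is visible in the dispatch check: the role layer alone does not stop a job that was labelled for a node its author cannot configure.

```python
import re
from typing import Dict, Set

# Added example with constructed data, not from the original answer or either plugin.
# Assumption: slave-role patterns are regexes matched against the full node name.
SLAVE_ROLES: Dict[str, dict] = {
    "qa":    {"pattern": r"QA_Slave.*", "permissions": {"Build", "Connect"}},
    "admin": {"pattern": r".*",         "permissions": {"Build", "Connect", "Configure", "Delete"}},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"qa"}, "bob": {"admin"}}

# Node-level rule (Job Restrictions analogue): users whose builds the node accepts.
NODE_RESTRICTIONS: Dict[str, Set[str]] = {"production": {"bob"}}


def role_allows(user: str, permission: str, node: str) -> bool:
    """Role layer: does any of the user's slave roles grant `permission` on `node`?"""
    for role in USER_ROLES.get(user, set()):
        spec = SLAVE_ROLES[role]
        if permission in spec["permissions"] and re.fullmatch(spec["pattern"], node):
            return True
    return False


def node_accepts(user: str, node: str, restrictions_enabled: bool = True) -> bool:
    """Node layer: evaluated on the node itself, independent of the job's configuration."""
    if not restrictions_enabled or node not in NODE_RESTRICTIONS:
        return True
    return user in NODE_RESTRICTIONS[node]


def job_would_run(user: str, label: str, restrictions_enabled: bool = True) -> bool:
    """Dispatch decision for a job that `user` labelled with `label`.
    Only the node-level rule is consulted: as the thread notes, the role layer
    governs who may configure the node, not which jobs get tagged for it."""
    return node_accepts(user, label, restrictions_enabled)


def explain(user: str, node: str) -> dict:
    """Side-by-side view of both layers for one user and node."""
    return {
        "can_configure_node": role_allows(user, "Configure", node),
        "runs_without_restrictions": job_would_run(user, node, restrictions_enabled=False),
        "runs_with_restrictions": job_would_run(user, node),
    }


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, explain(who, "production"))
```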
Our CI system uses the Python module jenkinsapi to launch test jobs on Jenkins. But it's slow: the time taken to run a single job varies between 10 and 30 seconds. That really bogs the system down.
Our production Jenkins is tied into our corporate LDAP. Hence jenkinsapi requires a username/password. Without a doubt this contributes to the problem. I suspect that each time it runs a job it needs to perform a login on Jenkins. The issue is vastly reduced when I run the setup against my local unsecured instance of Jenkins.
Is there any way to work around this limitation? Can I speed up the execution of jenkinsapi? Or is there an alternative approach that will work better with a secure Jenkins?
If the LDAP authentication is really the bottleneck, you may be able to get around it by using the user's API token instead of the password on API login. It should be as simple as replacing the password with the API token (available on the user's configuration page in Jenkins) in your scripts.
You can try to use the parameter lazy=True:
server = Jenkins(
    JENKINS_HOST,
    username=JENKINS_USER,
    password=JENKINS_TOKEN,
    lazy=True,
)