Does Jenkins provide a way to namespace credentials?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Does Jenkins provide a way to namespace credentials?

Chris Kilding
Hello,

I've had some users express interest in being able to namespace their credentials, so that they can reuse credential IDs in different namespaces. The motivation is to make it simpler to reference the same credential (e.g. an Artifactory deploy key) across environments (e.g. staging, production) where that credential's value is different per environment.

This can obviously be done today by prefixing the credential with the environment name, but they would like a more elegant solution.

Example:

- The backing store secret with ID "staging/foo" becomes a credential with ID "foo" in the namespace "staging"
- The backing store secret with ID "production/foo" becomes a credential with ID "foo" in the namespace "production"
- The backing store secret with ID "foo" becomes a credential with ID "foo" in the default namespace

Does Jenkins provide a way to namespace credentials, so that a credential ID need only be unique within its namespace, rather than within the whole provider or globally?

Regards,

Chris

PS We have looked at credential domains, which do some of what the users want. But unfortunately they don't seem to support full namespacing: if a credential is within a domain, it's still visible in the provider's overall list, so its ID must still be unique within the whole provider. This means the example above can't work, and prefixes would still be necessary.

PS We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control: we may want credentials in a certain namespace to be used by jobs in more than 1 folder (or no folder).

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/b0fe0928-b839-4d2d-8244-acab2fcea203%40www.fastmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: Does Jenkins provide a way to namespace credentials?

Jesse Glick-4
On Tue, Oct 13, 2020 at 10:04 AM Chris Kilding
<[hidden email]> wrote:
> We have also looked at the folders credential provider, but namespaces are not necessarily aligned 1:1 with folders or access control

Folder-based hierarchy is the recommended technique for managing both
credentials and access control over a large number of items. I suppose
you could define a novel credential provider implementation using some
ad-hoc regular expressions or something.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1Doj7La5-BXLsPUZLGBPpWrxDy6Bn8eAPO8SCcne%3DgKg%40mail.gmail.com.