We are using Hudson as a CI tool. At present we need to use Jenkins to deploy the build to the Stage and Prod environments. What is the best approach we should follow?
I know about the Promoted Builds plugin, but the issue is authentication. I want that whenever we need to promote a build to deploy to Stage or Prod, it should ask for network credentials first, and then the promote job should execute the batch command using the credentials supplied. At present the promote plugin runs using the credentials under which the Tomcat server is configured to run.
Same issue with the Build Pipeline plugin.
I want that neither a dev nor even the Hudson admin should be able to execute the promote build unless credentials are supplied. (We have Windows 2008 R2 OS.)
Can you please help me resolve the issue, so that basically whenever a user clicks on Promote build to QA\Stage\Prod the plugin asks for credentials, or uses the logged-on user's credentials, and executes the batch script using the logged-on user's credentials only, and not the credentials of the account under which the Tomcat server is configured.
Can you please help me?
Please suggest the best approach for making automated builds on prod\stage.
Have you considered making the job which deploys to Stage or to Prod a parameterized job, with the credentials as the parameters? I think your batch file could then reference the credentials which were passed as job parameters.
Possibly also may want
I don't understand the security threat against which you are trying to defend yourself. I'll propose some alternatives as my feeble attempt to understand the threat you're describing.
If your concern is "how do I create jobs which only a certain user can run", you could consider https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin
If your concern is "how do I store secret information on the Jenkins server", you could consider https://wiki.jenkins-ci.org/display/JENKINS/Build+Secret+Plugin
If neither of those is your concern, here is another guess.
Jenkins executes processes as the user running the Jenkins process (as you said). If Jenkins needs to perform an operation as a different user, the credentials for that other user are required. Those credentials must be provided from somewhere.
You described that "I want only dev or even hudson admin also should not be able to execute the promote build unless credential supplied. (We have windows 2008 r2 OS)". Jenkins jobs are run and managed within the java process which started jenkins.war. There is no concept within that context (as far as I know) of "becoming another user". I think you're asking for a way to "become another user" inside the java process which is running jenkins.war. I'm not even sure it can reasonably be done with Java.
I think you could consider changing your strategy from "become another user from within the Jenkins process" to "become another user in a subprocess which the Jenkins user starts". In that case, you don't care who executes the "promote build" job, but if they do not provide the correct credentials, the job will not execute.
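One way to carry out the approach described above (a parameterized job whose deploy step becomes another user in a subprocess started by the Jenkins service account), as an added example that is not code from the thread, from Jenkins or from any plugin: a PowerShell script that a "Execute Windows batch command" step calls. The parameter names DEPLOY_USER, DEPLOY_PASS, TARGET_HOST, TARGET_SHARE and TARGET_SERVICE, the artifact path, PowerShell 3.0 or later on the build host and WinRM being enabled on the target are all assumptions of this example.

```powershell
# deploy.ps1 -- added example, not code from the thread or from any Jenkins plugin.
# Deploy step for a parameterized Jenkins job on a Windows 2008 R2 build host.
# Assumed job parameters (names are this example's choice):
#   DEPLOY_USER    String    account allowed to write to the Stage/Prod box, e.g. CORP\ops.jane
#   DEPLOY_PASS    Password  that account's password (masked in the Jenkins UI)
#   TARGET_HOST    String    Stage or Prod web server
#   TARGET_SHARE   String    share to drop the artifact in, e.g. wwwroot$
#   TARGET_SERVICE String    Windows service to restart after the copy
# Jenkins hands parameters to build steps as environment variables. The batch step runs
#   powershell -NonInteractive -ExecutionPolicy Bypass -File deploy.ps1
# under the Tomcat/Jenkins service account; every operation that touches TARGET_HOST
# below runs under the supplied credentials instead. Assumes PowerShell 3.0 or later on
# the build host (2008 R2 ships 2.0 but supports WMF 3.0) and WinRM enabled on the target.

$ErrorActionPreference = 'Stop'

function Get-RequiredEnv([string]$name) {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ([string]::IsNullOrEmpty($value)) {
        throw "Job parameter $name was not supplied; refusing to deploy."
    }
    return $value
}

$deployUser    = Get-RequiredEnv 'DEPLOY_USER'
$deployPass    = Get-RequiredEnv 'DEPLOY_PASS'
$targetHost    = Get-RequiredEnv 'TARGET_HOST'
$targetShare   = Get-RequiredEnv 'TARGET_SHARE'
$targetService = Get-RequiredEnv 'TARGET_SERVICE'
$artifact      = Join-Path (Get-RequiredEnv 'WORKSPACE') 'build\app.war'   # assumed path

# Build the credential object, then drop the plaintext copies so nothing that runs later
# in this process can read the password back out of a variable or the environment.
$secure = ConvertTo-SecureString -String $deployPass -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($deployUser, $secure)
$deployPass = $null
[Environment]::SetEnvironmentVariable('DEPLOY_PASS', $null)

# Authenticate to the target first and record which identity it actually sees. A wrong
# password fails here, before anything is copied.
$remoteIdentity = Invoke-Command -ComputerName $targetHost -Credential $cred -ScriptBlock {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
Write-Host "Deploying $artifact to $targetHost as $remoteIdentity"

# Map the target share with the supplied credentials (not the service account's) and copy.
New-PSDrive -Name Deploy -PSProvider FileSystem -Root "\\$targetHost\$targetShare" `
            -Credential $cred | Out-Null
try {
    Copy-Item -Path $artifact -Destination 'Deploy:\' -Force
}
finally {
    Remove-PSDrive -Name Deploy
}

# Restart the application on the target, again as the supplied user, and fail the build
# if the service does not come back.
$status = Invoke-Command -ComputerName $targetHost -Credential $cred `
                         -ArgumentList $targetService -ScriptBlock {
    param($name)
    Restart-Service -Name $name
    (Get-Service -Name $name).Status.ToString()
}
if ($status -ne 'Running') {
    throw "$targetService on $targetHost is $status after restart"
}
Write-Host "$targetService on $targetHost is running"
```

Two caveats a practitioner would want. First, a Jenkins Password parameter is masked in the web form but reaches the build step as an ordinary environment variable; a batch step that writes `%DEPLOY_PASS%` on a command line has cmd echo the expanded line into the console log unless it starts with `@echo off`, which is why the script above reads the variable itself instead of taking it on the command line. Second, this only controls who can deploy to the extent that job configuration is locked down: anyone who can edit the job (in the original poster's setup, every developer with admin rights) can change the script to capture the credentials the operations user types in.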
Thanks Mark for the detailed explanation on this.
Actually it's my bad, I didn't explain things properly. Let me explain one more time.
We have one server (dvappbuildwb04). All the dev team members have ADMIN privileges to both the server and the Jenkins application, so all the developers can remote login to the server and they have the privilege to create, delete and manage Jenkins. We are using LDAP as the Security Realm in Manage Hudson. We need to perform deployment of applications to the Stage and Prod servers using Jenkins. Now, since all the dev team members have ADMIN privileges to manage Jenkins, they *can* add themselves to any role and get the power to promote a build to Stage and Prod (however, they will not succeed even if they click on promote to Stage\Prod, because neither the dev team's credentials nor the service account under which Tomcat is configured can access the Stage\Prod web servers; well, this is a different story, let's get back to the main business :)).
Now consider the Operations team member who has access to the Stage\Prod servers; they also can't deploy a build to the Stage\Prod servers, because Jenkins executes jobs using the service account Tomcat is configured with, and that service account doesn't have access to the Stage\Prod servers. So even the Operations team member who has remote RDP\Admin access to Stage\Prod can't deploy the builds to Stage\Prod from Jenkins.
As I mentioned, the problem is that Jenkins uses the Tomcat service account for executing jobs, promoting builds, etc. I want Jenkins to use the credentials of the logged-on user to execute a job, promote a build, etc. Is there any way to tell Jenkins to please use the logged-on user's credentials to execute this job? A simple checkbox on the job would have done the trick.
Or is there anything like Windows authentication, just as we have in IIS, available for Tomcat, so that Jenkins can then execute any operation using the credentials of the logged-on user?
Based on your previous message, I think, this is not possible.
On Sat, Oct 20, 2012 at 8:42 PM, Mark Waite <[hidden email]> wrote: