Password-like file parameter type?


Password-like file parameter type?

Jakub Bocheński

Jenkins has file and password parameter types, but I'm looking for a combination of the two.

My problem with file parameter is that the file is stored in the build and can be retrieved later.
Is there some parameter implementation that would handle files without making them available later?

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/265098f7-1269-4b9b-9dfe-4bb4094cf210n%40googlegroups.com.

Re: Password-like file parameter type?

Jakub Bocheński
For now I just use this script to delete the file after build:
    // do not store the secret files on master's disk
    systemGroovyCommand('''
        import java.io.File;
        new File(build.getRootDir(), "fileParameters").deleteDir();
    ''')

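A defender-side check for the retention problem raised in this thread, as an added example that is not code from any poster: it lists finished builds whose `fileParameters` directory (the one the workaround above deletes) still holds an upload, and can remove them. The `jobs/.../builds/<n>` layout, the `<result>` marker in `build.xml`, and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: every build lives in
# <home>/jobs/.../builds/<n>/ and build.xml gains <result> once it finishes.

# Print finished build directories that still hold an uploaded file parameter.
list_file_params() {
    find "$1/jobs" -type d -path '*/builds/*/fileParameters' 2>/dev/null |
    while IFS= read -r dir; do
        build=$(dirname "$dir")
        # Ignore look-alike directories deeper in a build (e.g. artifacts).
        [ "$(basename "$(dirname "$build")")" = builds ] || continue
        # Skip builds that are still running and may still need the file.
        grep -q '<result>' "$build/build.xml" 2>/dev/null || continue
        # Report only directories that actually contain a file.
        if [ -n "$(find "$dir" -type f | head -n 1)" ]; then
            printf '%s\n' "$build"
        fi
    done | sort
}

# Remove the retained uploads; print how many build directories were cleaned.
purge_file_params() {
    list_file_params "$1" | while IFS= read -r build; do
        rm -rf -- "$build/fileParameters" && printf '%s\n' "$build"
    done | wc -l | tr -d ' '
}

# Constructed sample tree (not real data) for trying the functions offline.
make_sample_home() {
    h=$(mktemp -d)
    for b in "jobs/sign app/builds/1" "jobs/team/jobs/deploy/builds/7" \
             "jobs/team/jobs/deploy/builds/8"; do
        mkdir -p "$h/$b/fileParameters"
        echo placeholder > "$h/$b/fileParameters/cert.p12"
    done
    # Builds 1 and 7 are finished; build 8 is still running (no <result>).
    echo '<build><result>SUCCESS</result></build>' > "$h/jobs/sign app/builds/1/build.xml"
    echo '<build><result>FAILURE</result></build>' > "$h/jobs/team/jobs/deploy/builds/7/build.xml"
    echo '<build></build>' > "$h/jobs/team/jobs/deploy/builds/8/build.xml"
    # An archived artifact directory that merely shares the name.
    mkdir -p "$h/jobs/team/jobs/deploy/builds/7/archive/fileParameters"
    echo data > "$h/jobs/team/jobs/deploy/builds/7/archive/fileParameters/x"
    printf '%s\n' "$h"
}
```

Run `list_file_params "$JENKINS_HOME"` first and review the output before calling `purge_file_params` on the same path.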

Re: Password-like file parameter type?

Jesse Glick-4
In reply to this post by Jakub Bocheński
On Mon, Aug 17, 2020 at 10:10 AM [hidden email]
<[hidden email]> wrote:
> My problem with file parameter is that the file is stored in the build and can be retrieved later.
> Is there some parameter implementation that would handle files without making them available later?

I do not think so. Would be especially thorny for Pipeline because
what is “later”? If you restart Jenkins in the middle of a build and
it needs the parameter after the restart, what then? What if you
*Replay* the build?

You could _predefine_ secret file credentials and then use a
credentials parameter.


Re: Password-like file parameter type?

Jakub Bocheński
Well, file parameter is not supported for Pipeline at the moment anyhow :)

But in principle I don't see why it couldn't be kept until the build is finished.
I don't mind storing it for some time. The main problems are:
 - after the build is done anybody with view permission can see the parameter
 - the file will be stored on disk as long as the build is, I'd like to get rid of it earlier

I guess having an aggressive log rotator policy could limit the impact of it, but it would be removing too much.

> You could _predefine_ secret file credentials and then use a
> credentials parameter.

The whole point is to allow users to upload a certificate, so that won't help.

Jakub Bocheński



Re: Password-like file parameter type?

Gavin Mogan
If it's not using the credentials system, then what is the difference between a password and a text parameter?

I haven't checked in a while, but at one point credentials could be attached to a user. Why not do that and let them use that credential id, then the only thing stored is the id, and it's safe and secure and encrypted?

Gavin


Re: Password-like file parameter type?

Jakub Bocheński
Interesting idea, I can indeed add credentials to a user in JENKINS_URL/user/USERNAME/credentials/store/user/domain/_/

I assume those credentials are only available to the user who uploaded them?

Jakub Bocheński



Re: Password-like file parameter type?

Matt Sicker
User scoped credentials are only available to that user, yes. If you
use the authorize project plugin, you can also allow a build to use a
user's credentials provided that's the user you configured the build
to run as. Otherwise, they're only available through selecting them in
a parameterized build of some sort.

--
Matt Sicker
Senior Software Engineer, CloudBees
