Restrict credential retrieval to a specific slave

classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Restrict credential retrieval to a specific slave

Jhonny Oliveira
Hi!

is it possible to limit the usage of a credential to a specific slave?

With this restriction, I could fully empower developers to create their own Pipelines (Jenkinsfile) while avoiding passwords to be leaked in the wrong slaves/environments.

Just for further context, in my scenario and at infrastructure level, only specific slaves are allowed to deploy to specific environments. E.g.: dev_slave -> deploy to DEV; tst_slave -> deploy to TST and so on.

Cheers,
Jhonny Oliveira

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2540cf8f-0413-4ec1-ae4a-136f2eeaf894%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Mark Waite-2


On Thu, Sep 19, 2019 at 4:21 AM Jhonny Oliveira <[hidden email]> wrote:
Hi!

is it possible to limit the usage of a credential to a specific slave?

Not with Jenkins as far as I know.  Credentials can be defined on the Jenkins master, on folders, and on multibranch Pipelines.  They can't be defined on Freestyle jobs or on agents.
 
With this restriction, I could fully empower developers to create their own Pipelines (Jenkinsfile) while avoiding passwords to be leaked in the wrong slaves/environments.

Could you attach the credentials to a folder and then limit access to the folders instead?  Those with access to the folder can use the credential attached to that folder.  Those without access to the folder could not use that credential.
 

Just for further context, in my scenario and at infrastructure level, only specific slaves are allowed to deploy to specific environments. E.g.: dev_slave -> deploy to DEV; tst_slave -> deploy to TST and so on.

Cheers,
Jhonny Oliveira

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2540cf8f-0413-4ec1-ae4a-136f2eeaf894%40googlegroups.com.


--
Thanks!
Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtFCvn4k-DW%2BY5ew30bLAhaNBc-UHgaFx6dDTn17qAoyRQ%40mail.gmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Jhonny Oliveira
What do you mean with agents?

The idea is to have a self contained application (as in source repo), where you have everything you need to maintain its SDLC: source, build, tests (unit, regression, ...), continuous integration/automation (Jenkinsfile). The Jenkinsfile should be part of the source code and cover the entire process (end to end). Breaking it into pieces kind of defeats our main purpose of having everyone working together in the same source (developers, testers, operations).

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/8f589383-dfca-40d5-b5ef-1296997bf006%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Jhonny Oliveira
In reply to this post by Mark Waite-2
The idea is to have a self contained application (as in source repo), where you have everything you need to maintain its SDLC: source, build, tests (unit, regression, ...), continuous integration/automation (Jenkinsfile).

The Jenkinsfile should be part of the source code and cover the entire process (end to end). Breaking it into pieces kind of defeats our main purpose of having everyone working together in the same source (developers, testers, operations, ...).

Is there any chance such feature could be included in future releases? To whom can I address this question?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fca0f38f-1b9a-4843-8572-fb77dc716aa7%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Dirk Heinrichs-3
In reply to this post by Jhonny Oliveira
Am Donnerstag, den 19.09.2019, 05:26 -0700 schrieb Jhonny Oliveira:

What do you mean with agents?

Jenkins people have stopped using the word "slave" some time ago.

Bye...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Phone: +49 2226 15966 18
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Vertretungsberechtigte Geschäftsführer Gordon Davies, Madhu Ranganathan, Christian Waida, Registergericht Amtsgericht Bonn, Registernummer HRB 10646
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden
Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht gestattet.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/935083deb1d09f9bca2fb321c9a9e5be49b341c6.camel%40opentext.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Mark Waite-2
In reply to this post by Jhonny Oliveira


On Thu, Sep 19, 2019 at 6:30 AM Jhonny Oliveira <[hidden email]> wrote:
The idea is to have a self contained application (as in source repo), where you have everything you need to maintain its SDLC: source, build, tests (unit, regression, ...), continuous integration/automation (Jenkinsfile).

The Jenkinsfile should be part of the source code and cover the entire process (end to end). Breaking it into pieces kind of defeats our main purpose of having everyone working together in the same source (developers, testers, operations, ...).


Yes, that's the right way to do it.  You've described the storage of the definition of the application very well.  Keep it all in source code and run it from source. 

Place the limited use credential on a folder in Jenkins, then control who is allowed to access that folder.  The jobs inside the folder will be able to use the credential.  Jobs outside the folder won't have access to the credential.
 
Is there any chance such feature could be included in future releases? To whom can I address this question?


This is the right place to address the question.

I'm not aware of anyone working to add credentials to agents.  Since agents are treated more and more as ephemeral workers that are exist only long enough to perform their task and are then discarded, it seems unlikely that anyone would add credential storage to agents.

There are still plenty of cases where agents live a long time (as in your case), but Jenkins work now needs to consider both long-lived agents and ephemeral agents.  Most capabilities that are being added are done so that they can be used with all types of agents.
 
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fca0f38f-1b9a-4843-8572-fb77dc716aa7%40googlegroups.com.


--
Thanks!
Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtFWwo4vp2sHhF5Og-N%2Bt4FoH6QaGNF%3DoCGuZsCE_0QUYg%40mail.gmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Jhonny Oliveira
Dear Mark,

I agree with you, I'm relying on long-lived agents. I read your answer, but I'm not understanding your suggestion to use folders, I do not comprehend how they can help. I mean, with folders I can avoid cross application credential usage and that is great, but I can't prevent cross environment credential leakage within the same application.

Please have a look at the code snippet below. As you will be able to see, with this implementation nothing prevents anyone with access to the source code from flipping the IDs around and getting the credentials in the wrong environment (mistake or malicious action). Furthermore, and to give a little extra context, the Pipeline is completely autonomous and will be triggered automatically on every (almost) pull request. It is also smart enough to detect a release and proceed towards production (with some approvals - of course - to adhere to release management).

In such scenario, and considering that the agents only have access to their own environment, the only way to prevent a credential to be used or exposed in the wrong one would be to deliberately restrict it to that specific agent.

Maybe I'm taking this idea of automation and complete SDLC from source to far! :-)

I appreciate your answers, thanks you!
J. Oliveira

def WLS_CRED_DEV=’111aaa11-a3a1-4aab-9a20-a11666666a80’
def WLS_CRED_TST=’222aaa11-a3a1-4aab-9a20-a11666666a80 ‘
(…)
stage ('Deploy to DEV') {
            agent { label "${agent_dev}"}
            steps {
                        script {
                                    withCredentials([usernamePassword(credentialsId: "$WLS_CRED_DEV", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]){
                                                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_DEV}'"
                                    }
                        }
            }
}
stage ('Deploy to TST) {
            agent { label "${agent_tst}"}
            steps {
                        script {
                                    withCredentials([usernamePassword(credentialsId: "$WLS_CRED_TST", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]){
                                                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_TST}'"
                                    }
                        }
            }
}


--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/ac762c3b-3488-4a4f-a8f5-2408aac38284%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Mark Waite-2


On Thu, Sep 19, 2019 at 8:41 AM Jhonny Oliveira <[hidden email]> wrote:
Dear Mark,

I agree with you, I'm relying on long-lived agents. I read your answer, but I'm not understanding your suggestion to use folders, I do not comprehend how they can help. I mean, with folders I can avoid cross application credential usage and that is great, but I can't prevent cross environment credential leakage within the same application.


My suggestion is
  • Dev-Folder defines a credential (scoped to Dev-Folder) with ID 'weblogic-deploy-credential-2019-09-19'
    • Job inside Dev-Folder refers to credential  'weblogic-deploy-credential-2019-09-19 ' and uses it to deploy to dev
  • Test-Folder defines a credential (scoped to Test-Folder) with ID ' weblogic-deploy-credential-2019-09-19'
    •   Job inside Test-Folder refers to credential  'weblogic-deploy-credential-2019-09-19 ' and uses it to deploy to test
The same source code can be used for the job inside Dev-Folder and the job inside Test-Folder if the other things that vary between dev and test are also parameterized in that job.  In the case you provided, rather than URL_TST and URL_DEV, you would define a parameter DESTINATION_URL and would pass in the test value.  The "folder properties" plugin looks like it may be needed in that case so that each folder can have its own value for the DESTINATION_URL without requiring that developers pass the parameter to the job.

If a malicious developer in Dev-Folder modifies their Jenkinsfile to deploy to test, it will be rejected because the credentials in the Dev-Folder don't have permission to deploy to test.

If a malicious developer in Dev-Folder modifies their Jenkinsfile to display the values of the credentials, only the credentials from the Dev-Folder will be exposed.
 
Please have a look at the code snippet below. As you will be able to see, with this implementation nothing prevents anyone with access to the source code from flipping the IDs around and getting the credentials in the wrong environment (mistake or malicious action). Furthermore, and to give a little extra context, the Pipeline is completely autonomous and will be triggered automatically on every (almost) pull request. It is also smart enough to detect a release and proceed towards production (with some approvals - of course - to adhere to release management).

In such scenario, and considering that the agents only have access to their own environment, the only way to prevent a credential to be used or exposed in the wrong one would be to deliberately restrict it to that specific agent.

Maybe I'm taking this idea of automation and complete SDLC from source to far! :-)

I appreciate your answers, thanks you!
J. Oliveira

def WLS_CRED_DEV=’111aaa11-a3a1-4aab-9a20-a11666666a80’
def WLS_CRED_TST=’222aaa11-a3a1-4aab-9a20-a11666666a80 ‘
(…)
stage ('Deploy to DEV') {
            agent { label "${agent_dev}"}
            steps {
                        script {
                                    withCredentials([usernamePassword(credentialsId: "$WLS_CRED_DEV", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]){
                                                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_DEV}'"
                                    }
                        }
            }
}
stage ('Deploy to TST) {
            agent { label "${agent_tst}"}
            steps {
                        script {
                                    withCredentials([usernamePassword(credentialsId: "$WLS_CRED_TST", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]){
                                                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_TST}'"
                                    }
                        }
            }
}


--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/ac762c3b-3488-4a4f-a8f5-2408aac38284%40googlegroups.com.


--
Thanks!
Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtGpwuUf2yvsE7ztsgmvboBGfwbYPLn4dxDjrXdkUwQ1hQ%40mail.gmail.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Jhonny Oliveira
Dear Mark,

I understand your suggestion, however in such case you would have to create multiple jobs, whereas, as it is right now, I only need one. No parameters, no additional settings just the minimal configuration to pick up the changes, build, test and deploy. I even get for free all the statistics together.

Nevertheless, I will try to come with an alternative solution. I believe your input may be valuable in there.

Thank you very much,
J Oliveira

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/ad651eb7-b8c1-4451-b92d-11bfe9dee911%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Pietro Giannini
Hi!

I just came across this post and realized this is exactly what we need. We are heavily using pipelines at our agency and being able to restrict credentials to a specific node would enable us to give total freedom the developers while keeping control of the passwords at infra level.

Is there any chance we could get this feature onboard?

Br,
Pietro



On Friday, September 20, 2019 at 3:07:27 PM UTC+2, Jhonny Oliveira wrote:
Dear Mark,

I understand your suggestion, however in such case you would have to create multiple jobs, whereas, as it is right now, I only need one. No parameters, no additional settings just the minimal configuration to pick up the changes, build, test and deploy. I even get for free all the statistics together.

Nevertheless, I will try to come with an alternative solution. I believe your input may be valuable in there.

Thank you very much,
J Oliveira

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/25d0de20-d7c4-4336-8645-d6302768d2db%40googlegroups.com.
Reply | Threaded
Open this post in threaded view
|

Re: Restrict credential retrieval to a specific slave

Mark Waite-2
I am not aware of anyone working to allow credentials to be limited to an agent.  I believe the same capabilities are available by assigning the credentials to folders and then limiting user access to specific folders.  Choose a credential name that should be the same in several different folders, then define the credential with the value specific to the folder that is using it.

The test jobs would reside in a "Test-Folder" and refer to a credential named 'credential-2019-10-10'.  In that folder, the value of the credential should be chosen so that it only allows access to things related to test.

The development jobs would reside in a "Development-Folder" and refer to a credential named 'credential-2019-10-10'.  In that folder, the value of the credential should be chosen so that it only allows access to things related to development.

The jobs reference the same credential but since the credentials are defined inside the folder, they are only accessible to jobs in that folder (and below).

On Wed, Oct 9, 2019 at 12:55 AM Pietro Giannini <[hidden email]> wrote:
Hi!

I just came across this post and realized this is exactly what we need. We are heavily using pipelines at our agency and being able to restrict credentials to a specific node would enable us to give total freedom the developers while keeping control of the passwords at infra level.

Is there any chance we could get this feature onboard?

Br,
Pietro



On Friday, September 20, 2019 at 3:07:27 PM UTC+2, Jhonny Oliveira wrote:
Dear Mark,

I understand your suggestion, however in such case you would have to create multiple jobs, whereas, as it is right now, I only need one. No parameters, no additional settings just the minimal configuration to pick up the changes, build, test and deploy. I even get for free all the statistics together.

Nevertheless, I will try to come with an alternative solution. I believe your input may be valuable in there.

Thank you very much,
J Oliveira

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/25d0de20-d7c4-4336-8645-d6302768d2db%40googlegroups.com.


--
Thanks!
Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CAO49JtFkgNGtp5KeMTC5aKtSBcDB8QmHkypF1DzfeFj39Vg_Qw%40mail.gmail.com.