
How can we execute Jenkins job using other user credential

Tags:

jenkins

hudson

I need to execute a few of the Jenkins jobs, such as "Release to Production", through the Jenkins UI using the logged-on user's credentials. The reason is that we have separate Support Team members who have access to the production boxes, while the Dev team members do not. So, in order to deploy any code base to production, all the Windows deploy commands (e.g. create or update files, folders, etc.) need to be run with the credentials of a specific user who has access to the production box. That way, if Dev team members who don't have access to the production box but are Jenkins admins execute the same job, it should fail with "Access Denied". The job should succeed only if it's been run by Support Team members with their credentials.

I tried using the parameterized plugin but wasn't able to pass the password successfully to the batch file which contains the MSDeploy instructions. The Jenkins console log even displays the passed parameter in its console output, which is a security issue.

I checked the Role-based security plugin, but that doesn't help me much. I just need a plugin which asks the user to provide their credentials before the job starts building and uses those credentials to execute the job, so that my MSDeploy command will be able to deploy the code on the production boxes when a Support team member builds that job using their credentials. I wish there was support for impersonation.

Right now all the Jenkins jobs are executed using the service account that the Tomcat service hosting Jenkins is configured to run as.

Any help would be appreciated.

user1233802 asked Jun 20 '13 05:06



1 Answer

Just in case there is any confusion, a Jenkins job will always run as the same OS user. The Matrix-based security applies to users who log into the Jenkins server and controls features like creating or launching jobs.

You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job.

Perhaps a better approach would be to separate the process that builds the code from the one that deploys the code. The following diagram (taken from the xebia-france project) demonstrates how some of my favourite tools, Rundeck and Nexus, can be integrated with Jenkins.

[Image: diagram from the xebia-france project]

Finally, I highly recommend reading the following link:

  • Using Rundeck and Chef to build devops tool chains
Mark O'Connor answered Oct 05 '22 17:10
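One way to express the "generic production credentials plus restricted invocation" option from the answer above, written as a declarative Pipeline. This is an added example, not part of the original question or answer; the group name `support-team`, the credential ID `prod-deploy`, the agent label `windows-deploy` and `deploy.bat` are hypothetical, and it assumes the Pipeline, Pipeline Input Step and Credentials Binding plugins are installed and that developers do not hold Jenkins administrator rights.

```groovy
// Jenkinsfile (added example; every name and ID below is a placeholder)
pipeline {
    agent none   // no executor is held while waiting for approval

    stages {
        stage('Release to Production') {
            // The stage pauses here before an agent is allocated. Only
            // users or groups listed in 'submitter' are offered the
            // approval prompt.
            input {
                message 'Deploy this build to production?'
                ok 'Deploy'
                submitter 'support-team'   // hypothetical group name
            }
            agent { label 'windows-deploy' }   // hypothetical agent label
            steps {
                // The production account is stored in the Jenkins credential
                // store, not passed as a build parameter. Credentials Binding
                // exposes it as environment variables only inside this block
                // and masks the values if they appear in the console log.
                withCredentials([usernamePassword(
                        credentialsId: 'prod-deploy',    // hypothetical ID
                        usernameVariable: 'DEPLOY_USER',
                        passwordVariable: 'DEPLOY_PASS')]) {
                    // Single-quoted Groovy string: the secret is never
                    // interpolated into the script text by Groovy. deploy.bat
                    // (hypothetical) reads %DEPLOY_USER% and %DEPLOY_PASS%
                    // and hands them to MSDeploy. '@echo off' stops cmd.exe
                    // from echoing the expanded command line.
                    bat '''
                        @echo off
                        call deploy.bat
                    '''
                }
            }
        }
    }
}
```

The job still runs as the Jenkins service account at the OS level, as the answer states; only the deploy command authenticates to the production box with the stored account.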