  1. Jenkins
  2. JENKINS-16705

Native support for settings-security.xml (i. e. encrypted passwords)


      Description

      To be able to upload into a company's Maven Repository (like Nexus), Jenkins typically needs to know the password of the repo. The typical solution is to let the Config File Provider Plugin provide an account-specific settings.xml which contains this password. This works well already.

      Unfortunately, the password is in plain text in this file so every user having read access to Jenkins now can see the upload password, which is typically not wanted in production environments. Maven could encrypt the password, but to decrypt it, Jenkins would need to know the master password, which typically is stored in a separate settings-security.xml file.

      The Config File Provider plugin does not know directly how to handle settings-security.xml, so one has to put up a rather complex fixture with given paths and so on. This should work, but is neither smart nor comfortable.

      Hence my proposal is that the Config File Provider plugin should learn to natively deal with settings-security.xml files, just as it already natively knows how to deal with settings.xml files. One could then simply tell the plugin to provide a settings-security.xml file, then tell the Maven job to use the provided settings-security.xml file (just as one tells the Maven job to use the provided settings-security.xml file already).

      This makes using settings-security.xml rather simple, smart, stable and secure, especially in environments with lots of clients and nosy users!
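
An added example, not part of the original issue or of the plugin's code: a Python check that can be run over a settings.xml managed in Jenkins to flag `<server>` secrets stored in plain text rather than in Maven's `{...}` encrypted form. The server ids and values in the sample are constructed, and the brace test is a heuristic.

```python
import re
import xml.etree.ElementTree as ET

# Maven stores an encrypted value as {base64}; free text may surround the braces.
# Heuristic: a plain-text secret that itself contains {base64-like} text is missed.
ENCRYPTED = re.compile(r"\{[A-Za-z0-9+/=]+\}")
# ${env.NAME}-style placeholders are resolved at build time, not stored in the file.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

def local(tag):
    """Strip the XML namespace so namespaced and bare settings.xml both work."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text):
    """Return [(server_id, field, status)] for each secret under <server>."""
    findings = []
    root = ET.fromstring(xml_text)
    for server in (e for e in root.iter() if local(e.tag) == "server"):
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        for field in ("password", "passphrase"):
            value = fields.get(field)
            if not value:
                continue
            if PLACEHOLDER.match(value):
                status = "placeholder"
            elif ENCRYPTED.search(value):
                status = "encrypted"
            else:
                status = "PLAINTEXT"
            findings.append((fields.get("id", "?"), field, status))
    return findings

# Constructed sample: ids and secret values are made up for this example.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>nexus-releases</id><username>ci</username>
      <password>hunter2</password></server>
    <server><id>nexus-snapshots</id><username>ci</username>
      <password>{Q09OU1RSVUNURUQ=}</password></server>
    <server><id>nexus-site</id><username>ci</username>
      <password>${env.NEXUS_SITE_PW}</password></server>
  </servers>
</settings>"""

if __name__ == "__main__":
    for server_id, field, status in audit_settings(SAMPLE):
        print(f"{server_id}: {field} is {status}")
```

An "encrypted" result only helps if the master password in settings-security.xml is itself kept away from users with read access to Jenkins.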

          Activity

          domi Dominik Bartholdi added a comment - released with 2.7 see https://wiki.jenkins-ci.org/display/JENKINS/Config+File+Provider+Plugin#ConfigFileProviderPlugin-MavenServerCredentials%28since2.7%29

          balex4o Aleksandar Toshovski added a comment -

          I see this issue is resolved in 2013, but I don't understand how to use the settings-security.xml file. I have installed Config File Provider 2.9.3, but the only configuration file types are: Global Maven settings.xml, Maven settings.xml, JSON, Maven toolchains.xml, Simple XML file, Groovy file and Custom file. There is no settings-security section. How and where can I upload the file? On the wiki page there is no tutorial about that part.

          jglick Jesse Glick added a comment -

          I think what the wiki is saying is that settings-security.xml is not supported per se, but rather you can have a settings.xml without passwords and use the Credentials link to define those passwords to be injected during the build. It is a little hard to follow since the screenshots are too reduced in size to read the code samples.

          jgangemi Jae Gangemi added a comment - - edited

          is there any movement on this issue? i would like to see the ability for the plugin to just drop a security-settings.xml file in place w/ the encrypted master password supplied from the credentials plugin.

          the plugin could drop the file directly in the .m2 directory or the location can be passed to maven using -Dsettings.security as described here:

          https://stackoverflow.com/questions/23782409/specify-custom-location-of-maven-security-settings-xml-file

          imod Dominik Bartholdi added a comment -

          no, there is no work going on on this one - PRs welcome...


            People

            • Assignee: domi Dominik Bartholdi
            • Reporter: mkarg Markus KARG
            • Votes: 1
            • Watchers: 10
