Our use case forces us to have several RTC connections configured in a Jenkins server. This means we can't always reuse the "default RTC connection" that is configured in the Global Jenkins configuration page.
When using the job configuration, there are two options:
a) Put the password in Jenkins.
b) Point to a password file in the Jenkins master.
Both have downsides.
a) The password can be viewed by everyone that has access to the job, by looking at the HTML (see attachment).
b) Password files are, per se, unsecured. Although they are obfuscated, they can be easily obtained by just showing the contents of the file, so basically by anyone that has read access (or the ability to configure/run a job). It also needs to be in the master, which makes it complex in a multi-tenant Jenkins.
To solve this, I can think of:
- Add support for using credentials set up in credentials-plugin.
- Add support for having several "default" RTC Connections that are configured in the Jenkins global page. This page is only accessed by admins and easier to ACL.
But I'm sure there are several security measures that can be implemented.
Thanks in advance.