  1. Jenkins
  2. JENKINS-49336

Plugin should be able to use SYSTEM scope credentials

      Description

      Currently, credentials have to be in GLOBAL scope to be used by the github-branch-source plugin. For multibranch pipelines, you configure the credentials to be used while setting up the pipeline, and you cannot choose SYSTEM scope credentials.

      As the credentials are in GLOBAL scope, the value can be retrieved in plain text using the withCredentials pipeline action. In addition to that, the credentials have full write access to private repositories (repo scope). This is bad in our case, as we provide Jenkins to multiple teams and they should be able to use the preconfigured read-only credentials to set up pipelines, but they should not be able to retrieve credentials with write access in plain text.

      My proposal would be to allow privileged credentials to be configured in SYSTEM scope for the plugin in the global system configuration. A user would then just have to choose the read-only credentials in the credentials setting while creating a pipeline. All privileged operations would be executed with the SYSTEM scope credentials, which could also not be retrieved in the pipeline.

      I have played around with the implementation here and would be happy to open a PR in case you're interested.

      // Johannes
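
An added example, not part of the original issue or the plugin's code: a Jenkins Script Console audit that lists which credentials in the root store are in GLOBAL scope (and so selectable by jobs) versus SYSTEM scope, the distinction the description relies on. It assumes the credentials plugin's standard classes and an administrator running it under Manage Jenkins > Script Console; it prints ids and types only, never secret values.

```groovy
// Added example: audit credential scopes in the Jenkins root store.
// Run from the Script Console as an administrator. No secret values are read.
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials

def store = SystemCredentialsProvider.getInstance().getStore()
def byScope = [:].withDefault { [] }

store.getDomains().each { domain ->
    // The default (global) domain has a null name.
    def domainName = domain.getName() ?: '(global domain)'
    store.getCredentials(domain).each { c ->
        def id = (c instanceof IdCredentials) ? c.getId() : '(no id)'
        def type = c.getDescriptor().getDisplayName()
        byScope[c.getScope()] << "${domainName} / ${id} [${type}]"
    }
}

println 'GLOBAL scope (selectable in job configuration, bindable with withCredentials):'
byScope[CredentialsScope.GLOBAL].each { println "  ${it}" }

println 'SYSTEM scope (used by Jenkins itself, not offered to jobs):'
byScope[CredentialsScope.SYSTEM].each { println "  ${it}" }
```

Any write-capable token that appears in the GLOBAL list is one that job authors on a shared instance can bind in a pipeline.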

          Activity

          joh_m Johannes Müller added a comment -

          Any comments on this?


            People

            • Assignee:
              Unassigned
              Reporter:
              joh_m Johannes Müller