我们如何使用其他用户凭证执行Jenkins作业 [英] How can we execute Jenkins job using other user credential
问题描述
我需要使用登录的用户凭证通过Jenkins UI执行一些Jenkins作业,例如发布到生产".原因是,我们有单独的支持团队成员,他们可以访问生产区域,而不能访问开发团队成员.因此,为了将任何代码库部署到生产环境,所有Windows部署命令(例如,创建,更新文件,文件夹等)都需要使用有权访问生产环境的特定用户凭据来运行.因此,即使无法访问生产"框但是Jenkins Admin的开发团队成员,执行同一作业也应由于访问被拒绝"而导致失败.仅当该工作由支持团队成员及其凭据来运行时,该工作才能成功.
I need to execute few of the Jenkins jobs such as "Release to Production" through Jenkins UI using logged on user credential. The reason is, we have separate Support Team Members, who have access to the production boxes and not the Dev team members. So, in order to deploy any code base to production, all the Windows Deploy Commands (ex, create, update files, folder etc.) needs to be run with specific user credential who has access to the Production Box. So that even the Dev team members who don't have access to the Production box but are Jenkins Admin, execute the same job should result in failure due to "Access Denied". The job should succeed only if its been run by Support Team members with their credential.
我尝试使用参数化插件,但无法成功将密码传递给包含MSDeploy指令的批处理文件.甚至Jenkins控制台日志也显示在控制台输出中传递的参数,这是一个安全问题.
I tried using parameterized plugin but couldn't able to pass the Password successfully to the batch file which contains MSDeploy instructions. Even the Jenkins console log displays the parameter passed in its console output, which is a security issue.
我检查了基于角色的安全性插件,但这对我没有太大帮助.我只需要一个插件,该插件应在开始构建Job之前要求用户提供其凭据,并应使用用户凭据来执行作业,以便当支持人员使用MSDeploy命令时,可以将其部署在Production框上.团队成员使用他们的证书来构建Job.我希望能支持假冒.
I checked Role based security plugin, but that doesn't help me much. I just need a plugin which should ask for user to provide their credential before start building the Job and should use the user credential to get the job executed, so that my MSDeploy command will be able to deploy the code on Production boxes, when the Support team member build that Job using their credential. I wish there was support for impersonation.
现在,所有的Jenkins Jobs都使用服务帐户执行,该服务帐户已配置为运行Tomcat服务并托管Jenkins.
Right now all the Jenkins Jobs are getting executed using the service account which the Tomcat service is configured to run with on which Jenkins is hosted.
任何帮助将不胜感激.
推荐答案
以防万一,Jenkins作业将始终以同一OS用户身份运行.基于矩阵的安全性适用于登录到Jenkins服务器并控制诸如创建或启动作业之类的功能的用户.
Just in case there is any confusion a Jenkins job will always run as the same OS user. The Matrix based security applies to users who log into the Jenkins server and controls features like creating or launching jobs.
您可以将作业配置为使用一组通用生产凭据,然后阻止开发人员调用该作业.
You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job.
也许更好的方法是将构建代码的过程与部署代码的过程分开.下图(取自 xebia-france 项目)说明了一些我最喜欢的工具 Rundeck 和 Jenkins 集成.
Perhaps a better approach would be to separate the process that builds the code from the one that deploys the code. The following diagram (Taken from the xebia-france project) demonstrates how some of my favourite tools Rundeck and Nexus can be integrated with Jenkins.
最后,我强烈建议您阅读以下链接:
Finally, I highly recommend reading the following link:
这篇关于我们如何使用其他用户凭证执行Jenkins作业的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
