
I need to execute a few of the Jenkins jobs, such as "Release to Production", through the Jenkins UI using the logged-on user's credentials. The reason is, we have separate Support Team members who have access to the production boxes, and the Dev team members do not. So, in order to deploy any code base to production, all the Windows deploy commands (e.g. create, update files, folders etc.) need to be run with a specific user credential that has access to the Production box. So that even if Dev team members who don't have access to the Production box but are Jenkins Admins execute the same job, it should result in failure due to "Access Denied". The job should succeed only if it's been run by Support Team members with their credentials.

I tried using the Parameterized plugin but couldn't pass the password successfully to the batch file which contains the MSDeploy instructions. Even the Jenkins console log displays the passed parameter in its output, which is a security issue.

I checked the Role-based security plugin, but that doesn't help me much. I just need a plugin which asks the user to provide their credentials before starting to build the job and then uses those credentials to execute the job, so that my MSDeploy command will be able to deploy the code on the Production boxes when a Support team member builds that job using their credentials. I wish there was support for impersonation.

Right now all the Jenkins jobs are executed using the service account which the Tomcat service (on which Jenkins is hosted) is configured to run with.

Any help would be appreciated.

user1233802
  • I cannot comment on the answer from Steve Radich-Bitshop above, thus I am creating a separate answer. The answer from Steve sent me on a wild-goose chase, so I want to make coming readers aware of it. Windows RUNAS does not allow a password on its command line, or piped to it. This is stated in other answers, like this one from Stack Overflow: https://stackoverflow.com/a/16116329/5047366 PowerShell does allow credentials on the command line, making it possible. Jenkins nowadays contains both a PowerShell plugin and a plugin for secret strings, making it a possible way forward. – Mats Bengtsson Dec 25 '18 at 13:00

3 Answers


Just in case there is any confusion: a Jenkins job will always run as the same OS user. The matrix-based security applies to users who log into the Jenkins server and controls features like creating or launching jobs.

You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job.

Perhaps a better approach would be to separate the process that builds the code from the one that deploys the code. The following diagram (taken from the xebia-france project) demonstrates how some of my favourite tools, Rundeck and Nexus, can be integrated with Jenkins.

[Diagram from the xebia-france project: Jenkins integrated with Rundeck and Nexus for build and deployment]

Finally, I highly recommend reading the following link:

Mark O'Connor
  • Thanks for the reply. "You could configure the job to use a set of generic production credentials and then prevent your developers from invoking the job." Not sure how we can do this, as the Dev Team are Admins on both the Jenkins web server as well as on the Jenkins web application. My scenario is I want a job "Release To Production" which executes MSDeploy commands on the Production Web Server. But the problem here is, the Hudson job executes using the credentials of the service account which the Tomcat service (on which Hudson is deployed) is running as. This service account doesn't have access to the prod web server. – user1233802 Jun 22 '13 at 04:31
  • @user1233802 If your developers are admins on Jenkins you cannot realistically restrict their access.... Setting up a second instance of Jenkins just for deployment is an option, but at that stage why not consider using Rundeck to separate responsibility for build and deployment? Developers can be given limited access to Rundeck enabling them to deploy onto dev and test systems, but have no access to production Rundeck projects. – Mark O'Connor Jun 22 '13 at 07:48
  • hmmm that could be an option. But ideally I would love to get the jobs executed under the context of another user and not under the context of the user account which Tomcat (on which Jenkins is hosted) is using. I will try Rundeck, but is it possible to execute Rundeck jobs under the credentials of some other user (impersonation is what I am interested in), or does Rundeck too use the user account which Tomcat is using? Please help – user1233802 Jun 23 '13 at 08:57
  • You're running on Windows, right? Install an SSH server and you can set it up to run jobs on local hosts under a different user id. This is how Rundeck is configured and you could perhaps do the same using Jenkins. See the SSH plugins. – Mark O'Connor Jun 23 '13 at 11:59

Hi, I know I'm coming late to this thread, but I just ran into this issue and had a hard time solving it, so I thought I might just share what I managed to set up.

First things first: if you want to run a Jenkins job "as a specific user" (with all the correct habilitations), the easiest way is to run a Jenkins SLAVE as this user.

Then you might very well stumble into the following: you probably want to run several slaves on the same Windows machine as Windows services. This is fine, as long as each slave has its own Remote root directory, and probably a specific "label" too.

Once you have managed to run your slave as a Windows service, launch the services console (run services.msc). Edit the newly created service's properties and go to the Log On tab. Select "Log on as: This account" and enter your account credentials.

Cheers :)

avi.elkharrat
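The services.msc steps in the answer above can also be done from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the answer's author: it sets the Log On account of a dedicated agent service, locks down that agent's Remote root directory, restarts the service and verifies which account it now runs as. The service name, agent root and account name are assumptions for the illustration.

```powershell
# Added example (not from the answer above): configure a dedicated Jenkins agent
# service to log on as the production deploy account, so every job routed to that
# agent runs with that account's OS permissions rather than Tomcat's service account.
# Service name, agent root and account name are assumptions for this illustration.
param(
    [string]$ServiceName = 'jenkins-agent-prod',      # assumed: Windows service name of the agent
    [string]$AgentRoot   = 'C:\jenkins\agents\prod',  # assumed: this agent's "Remote root directory"
    [Parameter(Mandatory)][string]$AccountName        # placeholder, e.g. CORP\svc-prod-deploy
)
$ErrorActionPreference = 'Stop'

if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    throw "Service '$ServiceName' not found; install the agent as a Windows service first."
}

# Prompt for the password interactively instead of storing it in the script or a job parameter.
$cred = Get-Credential -UserName $AccountName -Message "Log On account for $ServiceName"

# The agent root holds workspaces and the agent's own files: remove inherited ACEs and let
# only the deploy account (modify), SYSTEM and local Administrators (full) touch it.
$aclArgs = @($AgentRoot, '/inheritance:r', '/grant:r',
             "$($cred.UserName):(OI)(CI)M", 'SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F')
& icacls.exe @aclArgs
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Same effect as the services.msc "Log On" tab. sc.exe requires the space after 'obj=' and
# 'password='. Unlike services.msc, sc.exe does not grant the "Log on as a service" right
# automatically; grant it in Local Security Policy if the account does not already have it.
$plain = $cred.GetNetworkCredential().Password
try {
    & sc.exe config $ServiceName obj= $cred.UserName password= $plain
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
} finally {
    $plain = $null   # drop the plain-text copy as soon as it is no longer needed
}

Restart-Service -Name $ServiceName

# Verify: the service (and therefore every job on this agent) now runs as the deploy account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc.StartName -ne $cred.UserName) {
    throw "Service logon account is '$($svc.StartName)', expected '$($cred.UserName)'"
}
"Service '$ServiceName' (PID $($svc.ProcessId)) now logs on as $($svc.StartName)"
```

Give the agent a distinct label and restrict the "Release to Production" job to that label, so only builds scheduled on it run as the deploy account. Note the caveat from the first answer still applies: the OS permissions come from the service account, not from the Jenkins login, so whoever is allowed to launch the job gets that account's rights, and the launch permission is what has to be controlled.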

You can utilize the built-in Windows runas or the PowerShell Invoke-Command cmdlet with -Credential to run it. Both of these would store the username/password in plain text, so do think about the risks, but this gives you flexibility.

I'm surprised this doesn't have a better answer, such as setting up an agent on another machine to run as another service and defining the agent as a special "type" which picks up the jobs. Something along those lines is what I would expect, but I haven't seen an implementation like that in Jenkins (I'm new to Jenkins, so was looking for an answer and found this thread).

Something else that could be considered by someone more familiar with Jenkins: when you set the custom path to MSBuild, could you set that to runas /user:... msbuild.exe perhaps? I don't have an extra Jenkins server currently to try that on.
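The PowerShell route mentioned in this answer and in Mats Bengtsson's comment on the question (runas cannot take a password non-interactively, but PowerShell can take a PSCredential) looks like the script below. It is an added example for this page, not code from either author: Jenkins supplies the deploy account's username and password as environment variables (for instance through the Credentials Binding plugin's usernamePassword binding, which also masks the values in the console log), the script turns them into a PSCredential and runs the MSDeploy batch file under that account with Start-Process -Credential, so the password never appears on a command line or in the job output. The variable names DEPLOY_USER / DEPLOY_PASS and the script path are assumptions.

```powershell
# Added example (not from the answer above): run the MSDeploy batch file as a deploy
# account whose username/password Jenkins injects as environment variables. The
# variable names and the script path are assumptions for this illustration.
param(
    [string]$DeployScript = 'C:\jenkins\scripts\release-to-prod.cmd'  # assumed: batch file with the MSDeploy calls
)
$ErrorActionPreference = 'Stop'

function Get-DeployCredential {
    # Build a PSCredential from DEPLOY_USER / DEPLOY_PASS (assumed variable names, bound by Jenkins).
    # The password is never echoed or placed on a command line, where it would show up in the
    # console output (the problem the question describes) and in process listings.
    if (-not $env:DEPLOY_USER -or -not $env:DEPLOY_PASS) {
        throw 'DEPLOY_USER / DEPLOY_PASS are not set; bind the deploy credentials in the job first.'
    }
    $secure = ConvertTo-SecureString -String $env:DEPLOY_PASS -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($env:DEPLOY_USER, $secure)
}

function Invoke-AsDeployAccount {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Deploy script not found: $Path" }
    # Start-Process -Credential is the scriptable equivalent of runas: the password comes from
    # the PSCredential instead of a prompt. Like runas it depends on the Secondary Logon service
    # and on the deploy account being allowed to log on to this agent machine.
    $startArgs = @{
        FilePath         = 'cmd.exe'
        ArgumentList     = @('/c', "`"$Path`"")
        Credential       = $Credential
        WorkingDirectory = (Split-Path -Path $Path -Parent)
        Wait             = $true
        PassThru         = $true
    }
    $proc = Start-Process @startArgs
    return $proc.ExitCode
}

$cred = Get-DeployCredential
Write-Host "Deploying as $($cred.UserName)"   # username only; the password stays inside the PSCredential
$exit = Invoke-AsDeployAccount -Path $DeployScript -Credential $cred
if ($exit -ne 0) { throw "Deploy script failed with exit code $exit" }
"Deploy finished as $($cred.UserName)"
```

On the Jenkins side the variables come from a binding such as withCredentials([usernamePassword(credentialsId: 'prod-deploy', usernameVariable: 'DEPLOY_USER', passwordVariable: 'DEPLOY_PASS')]) around the PowerShell step (the credentialsId is a placeholder). This substitutes a credential stored in Jenkins for the interactive logon the question asks for, so it does not make the job fail for developers: the password still exists in plain text in Jenkins's credential store and in the agent's memory, and anyone who can run or edit the job effectively acts as the deploy account, which is the risk this answer asks you to weigh.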