As an administrator, how do I get an API token for a user other than myself, without logging in as them? When I visit the user configuration page, all I see is that "Token is hidden", and I cannot change it either.
- I'd be surprised if you could get it. Think of the mayhem it would cause if an admin could just grab anyone's token, use it to totally destroy a bunch of stuff, and have that user blamed for it because it was all done under the user's token. – Ken White May 04 '16 at 18:36
- But an admin can cause mayhem in much simpler ways, right? https://blogs.msdn.microsoft.com/oldnewthing/20060508-22/?p=31283 – Patrick Szalapski May 04 '16 at 18:40
- But using another user's token to do so would result in that user being blamed, without being able to trace the admin's involvement. *I want Patrick fired, so I'll use his token and do ....., and it will be clear to everyone that he did it.* is a little different. It's the same reason a Windows admin can not read a user's current password. – Ken White May 04 '16 at 18:41
- So this makes it difficult to set up a system account that can't log in but is used only for API calls. – Patrick Szalapski May 04 '16 at 19:16
- Why? You set up the system account, and then you log in as that system account user to call the API functions. – Ken White May 04 '16 at 19:36
- "you log in as that system account user". For better security, we might want to make that account non-loginable. – Patrick Szalapski May 04 '16 at 19:37
1 Answer
There is a Jenkins System Property, jenkins.security.ApiTokenProperty.showTokenToAdmins. You need access to the master/OC process startup to change it.
Documented at the bottom of https://wiki.jenkins-ci.org/display/JENKINS/Features+controlled+by+system+properties
(We are going to do our best to leave this at false.)

Patrick Szalapski
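As an added example (not part of the original answer and not Jenkins' own code), this shell helper audits a Jenkins JVM command line for the system property named in the answer, so a security review can confirm it is still off. It assumes the value is parsed as a Java boolean, that the last `-D` occurrence wins, and that only options placed before `-jar` reach the JVM; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit example: does a Jenkins JVM command line enable
# jenkins.security.ApiTokenProperty.showTokenToAdmins?

PROP='jenkins.security.ApiTokenProperty.showTokenToAdmins'

# token_exposure_state ARG...
# Prints one of: enabled | disabled | unset
# Assumptions: the last -D occurrence wins, and the value is parsed as a
# Java boolean, so only "true" (in any letter case) switches the feature on.
token_exposure_state() {
    state=unset
    for arg in "$@"; do
        case "$arg" in
            -jar)
                # Everything after "-jar <file>" is passed to the application,
                # not to the JVM, so a -D placed there sets no system property.
                break
                ;;
            "-D$PROP="*)
                value=$(printf '%s' "${arg#*=}" | tr '[:upper:]' '[:lower:]')
                if [ "$value" = "true" ]; then state=enabled; else state=disabled; fi
                ;;
            "-D$PROP")
                # A bare -Dname sets an empty string, which is not "true".
                state=disabled
                ;;
        esac
    done
    printf '%s\n' "$state"
}

# audit_pid PID: apply the same check to a running process (Linux /proc).
# Arguments that contain newlines are not handled.
audit_pid() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || { echo "cannot read /proc/$pid/cmdline" >&2; return 2; }
    set --
    # cmdline is NUL-separated; rebuild it as one positional argument per entry.
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(tr '\0' '\n' < "/proc/$pid/cmdline")
EOF
    token_exposure_state "$@"
}
```

The check covers command-line arguments only; properties injected another way, for example through the `JAVA_TOOL_OPTIONS` environment variable, need a separate look.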