Jenkins Credentials Plugin: Difference between revisions
(10 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
* https://wiki.jenkins.io/display/JENKINS/Credentials+Plugin | * https://wiki.jenkins.io/display/JENKINS/Credentials+Plugin | ||
* https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc | * https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc | ||
* https://github.com/jenkinsci/credentials-plugin | |||
=Internal= | =Internal= | ||
Line 22: | Line 23: | ||
==Implementation Details== | ==Implementation Details== | ||
Credentials are stored in credentials.xml | Credentials are stored in $JENKINS_HOME/credentials.xml. The following example contains just one [[Jenkins_Security_Concepts#Username_with_Password|Username with Password]] credential with the ID "github-service-account". The corresponding user name is "someuser" and the password is stored in-line, encrypted with [[#Secret_Key|$JENKINS_HOME/secrets/hudson.util.Secret]]. | ||
<syntaxhighlight lang='xml'> | <syntaxhighlight lang='xml'> | ||
Line 40: | Line 41: | ||
<id>github-service-account</id> | <id>github-service-account</id> | ||
<description>The GitHub service account</description> | <description>The GitHub service account</description> | ||
<username> | <username>someuser</username> | ||
<password>{ | <password>{AQAAABAACBAQtYXny9ArxRUnfwpbmn+W69DtK4APgb7achwoFa1ecmk=}</password> | ||
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> | </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl> | ||
Line 48: | Line 49: | ||
</domainCredentialsMap> | </domainCredentialsMap> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
===Keys=== | |||
{{External|http://thiébaud.fr/jenkins_credentials.html}} | |||
====Secret Key==== | |||
$JENKINS_HOME/secrets/hudson.util.Secret is the secret key used to encrypt credentials stored in $JENKINS_HOME/credentials.xml with an AES-128-ECB algorithm. | |||
The secret key is also maintained in encrypted format, and the encryption key is [[#Master_Key|$JENKINS_HOME/secrets/master.key]]. | |||
====Master Key==== | |||
$JENKINS_HOME/secrets/master.key is the encryption key that is used to encrypt [[#Secret_Key|$JENKINS_HOME/secrets/hudson.util.Secret]] with an AES-128-ECB algorithm. | |||
====Instance Identity Key==== | |||
$JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY |
Latest revision as of 00:01, 25 April 2018
External
- https://wiki.jenkins.io/display/JENKINS/Credentials+Plugin
- https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc
- https://github.com/jenkinsci/credentials-plugin
Internal
Overview
The Credentials Plugin exposes an API for credential management. The API can be used by plugin authors to define credential types, integrate external credential stores with Jenkins and retrieve credentials those stores and existing stores and by users to manage credentials available in Jenkins. Concepts such as credential type, scope, domain, provider and store are Jenkins Credential Plugin concepts, but they are presented together with other Jenkins security concepts.
Credentials can be managed through the Web UI, via a REST API and with Jenkins CLI.
Internal Credential Store
The plugin provides a default internal credential store, stored in $JENKINS_HOME. The store is encrypted using a key that is also stored in $JENKINS_HOME. The JVM running Jenkins must have access to these files.
If a non-trusted user can gain access to the files in the J$ENKINS_HOME/secrets directory, all the secrets stored in the internal credential store are compromised.
Implementation Details
Credentials are stored in $JENKINS_HOME/credentials.xml. The following example contains just one Username with Password credential with the ID "github-service-account". The corresponding user name is "someuser" and the password is stored in-line, encrypted with $JENKINS_HOME/secrets/hudson.util.Secret.
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@2.1.16">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>github-service-account</id>
<description>The GitHub service account</description>
<username>someuser</username>
<password>{AQAAABAACBAQtYXny9ArxRUnfwpbmn+W69DtK4APgb7achwoFa1ecmk=}</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
Keys
Secret Key
$JENKINS_HOME/secrets/hudson.util.Secret is the secret key used to encrypt credentials stored in $JENKINS_HOME/credentials.xml with an AES-128-ECB algorithm.
The secret key is also maintained in encrypted format, and the encryption key is $JENKINS_HOME/secrets/master.key.
Master Key
$JENKINS_HOME/secrets/master.key is the encryption key that is used to encrypt $JENKINS_HOME/secrets/hudson.util.Secret with an AES-128-ECB algorithm.
Instance Identity Key
$JENKINS_HOME/secrets/org.jenkinsci.main.modules.instance_identity.InstanceIdentity.KEY