I'm hoping someone can nudge me in the right direction because I have to believe we are doing something wrong. "Jenkins: The Definitive Guide" (O'Reilly) has been of no help toward solving this issue. Nothing turns up with net searching either. Your help would be greatly appreciated.
*SHORT*: *ALL* sensitive credential info is visible by any authenticated user. Non-Admin user Jimbo can see user Susie's Jenkins credentials' contents (private keys, etc!)

*LONG*: Our current Jenkins instance is used by several projects with a few developers per project. Although all of the developers across all of the projects belong to the same company (ours), the Jenkins behavior we're seeing is unacceptable and we need to fix it: *ALL* sensitive credential info is visible by any authenticated user. Non-Admin user Jimbo can see user Susie's Jenkins credentials' *contents* (private keys, etc!).

We're using the Role-Based authorization plugin, but I've confirmed this same problem exists with other authorization strategy plugins. Additionally, related, we're using the SSH Credentials plugin (and ~15 other unrelated plugins).

The role "authenticated" has been granted "Credentials View", "Credentials Update", "Credentials Create", "Credentials Delete" privileges. This is obviously to allow authenticated users to see and manage *only their own* credentials. However, authenticated users are able to browse around and see *other people's credentials' contents*.

What are we doing wrong? Is that just how Jenkins is due to its origins as a ONE-jenkins-per-project tool? Is there a way to fix this so that authenticated users have the privileges above applied to only *their own* credentials?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/fa037531-e069-4b0f-8713-773f134c9e6b%40googlegroups.com.
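Added example, not part of the post above or of any Jenkins plugin: a small Python audit that queries the credentials plugin's JSON API as each user and reports every credential visible to someone other than its intended owner, which is the quickest way to confirm (and later re-check) the overexposure the post describes. The store paths (`/credentials/store/system/...`, `/job/<folder>/credentials/store/folder/...`, `/user/<name>/credentials/store/user/...`), the `tree=` filter and the use of per-user API tokens over HTTP basic auth are assumptions about that REST API; the two sample responses embedded below are constructed, not captured from a real server.

```python
"""Audit which Jenkins credentials each user can see.

Assumptions (not taken from the original post):
  * the credentials plugin serves each store at
    <store path>/api/json?tree=credentials[id,typeName,displayName]
  * every audited user has an API token usable with HTTP basic auth
The SAMPLE_SYSTEM responses below are constructed for offline use.
"""
import base64
import json
import urllib.request
from typing import Dict, Set

TREE = "credentials[id,typeName,displayName]"

# Store paths as the credentials plugin exposes them (assumed).
SYSTEM_STORE = "/credentials/store/system/domain/_/api/json"


def folder_store(folder: str) -> str:
    return f"/job/{folder}/credentials/store/folder/domain/_/api/json"


def user_store(user: str) -> str:
    return f"/user/{user}/credentials/store/user/domain/_/api/json"


def fetch_store(base_url: str, store_path: str, user: str, token: str) -> dict:
    """Fetch one credentials store *as* the given user (online use only)."""
    req = urllib.request.Request(f"{base_url}{store_path}?tree={TREE}")
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {auth}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def credential_ids(store_json: dict) -> Set[str]:
    """Credential ids listed in one store response (empty if none/denied)."""
    return {c["id"] for c in store_json.get("credentials", [])}


def exposure(views: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert user -> visible ids into credential id -> users who see it."""
    seen: Dict[str, Set[str]] = {}
    for user, ids in views.items():
        for cid in ids:
            seen.setdefault(cid, set()).add(user)
    return seen


def overexposed(views: Dict[str, Set[str]],
                owner_of: Dict[str, str]) -> Dict[str, Set[str]]:
    """Credentials visible to anyone other than their intended owner."""
    bad: Dict[str, Set[str]] = {}
    for cid, users in exposure(views).items():
        leaked = users - {owner_of.get(cid)}
        if leaked:
            bad[cid] = leaked
    return bad


def run_audit(base_url: str, tokens: Dict[str, str],
              owner_of: Dict[str, str], store_path: str = SYSTEM_STORE):
    """Query one store as every user in `tokens` and report leaks (online)."""
    views = {u: credential_ids(fetch_store(base_url, store_path, u, t))
             for u, t in tokens.items()}
    return overexposed(views, owner_of)


# Constructed sample: what the system store returns when queried as jimbo
# and as susie, both holding only the global "authenticated" role.
SAMPLE_SYSTEM = {
    "jimbo": {"credentials": [
        {"id": "susie-deploy-key", "typeName": "SSH Username with private key",
         "displayName": "susie (prod deploy)"},
        {"id": "jimbo-docker-token", "typeName": "Username with password",
         "displayName": "jimbo/****** (registry)"},
    ]},
    "susie": {"credentials": [
        {"id": "susie-deploy-key", "typeName": "SSH Username with private key",
         "displayName": "susie (prod deploy)"},
        {"id": "jimbo-docker-token", "typeName": "Username with password",
         "displayName": "jimbo/****** (registry)"},
    ]},
}
OWNER = {"susie-deploy-key": "susie", "jimbo-docker-token": "jimbo"}


def audit_sample() -> Dict[str, Set[str]]:
    """Offline run of the audit over the constructed responses."""
    views = {u: credential_ids(r) for u, r in SAMPLE_SYSTEM.items()}
    return overexposed(views, OWNER)


if __name__ == "__main__":
    for cid, users in sorted(audit_sample().items()):
        print(f"{cid}: also visible to {', '.join(sorted(users))}")
```

Run the same check against each user's personal store and against any folder store, not only the system store: a credential that must stay private to one person belongs in that person's user store, and a credential shared by one project belongs in a folder store whose Credentials permissions come from a project role scoped to that folder. Whatever stays in the system store is listed for every principal that holds Credentials/View through a global role, which is exactly what granting those permissions to "authenticated" does.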
