Hi Karl Heinz, Charles, Justin, Curtis

Many thanks for your feedback.

[Karl Heinz] I would suggest to put them into the settings.xml file outside
> your pom file, cause the pom file will be checked in into version control
> system..
>

I agree it is the simplest way, but if all users (and the CI platform) do
not have the same *settings-security.xml* file (and they should not), the
passwords have to be in clear text :-(.

[Charles] It sounds as though you wish to share a credential set among
> multiple users.  This is an example of what the security community calls “a
> bad idea”.
>

For the project perimeter, yes. When you have multiple credentials for
one project (deploy on a repository, push to a quality platform, publish on
a staging platform, ...), I don't see how the project team can avoid sharing
these credentials or tokens, if you want a simple process to use.

I agree that having one settings.xml per project with your own credentials,
or a single settings.xml with your credentials for each project, is better
... but when you work on many projects at the same time, it is a little hard
to deal with that.

[Justin] You might want to look into secrets management tools such as Vault
> from HashiCorp and KeyWhiz from Square.
>

Thanks for these links; I will see how to use them with the Maven ecosystem.

[Curtis] For what it's worth, here is how the ImageJ project does it for
> Travis CI [...]
>

I agree it is the most elegant solution without a central secret management
platform.
Credentials are not shared, but I understand this is a bad practice ;-)
I will see how to manage a secret per project in our CI platform.


In short, I did not want to start a troll thread about what is good or not
:-) ... just to get an idea of the best practice used to manage passwords
(simply) for teams working on multiple projects.
Access problems are often a waste of time when you have some project team
turnover (even if security is important); I always dream of a simple way to
resolve that :-)

Have a good weekend all.
Best regards

2017-03-17 16:05 GMT+01:00 Curtis Rueden <[email protected]>:

> Hi Alix,
>
> For what it's worth, here is how the ImageJ project does it for Travis CI
> builds:
>
> https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis.yml
> https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis/build.sh
> https://github.com/imagej/imagej/blob/2bfd8a23a5ff427fabe12ea3f7114604e8485a75/.travis/settings.xml
>
> To summarize the key points:
>
> * The build invokes mvn with "--settings .travis/settings.xml", which is a
> settings.xml committed to SCM
> * This settings.xml uses "${env.MAVEN_PASS}" for the password.
> * This MAVEN_PASS environment variable is stored encrypted in the
> .travis.yml file; see:
>   https://docs.travis-ci.com/user/environment-variables/
>
> In our case, we are fine hardcoding the Maven deploy user as "travis", but
> of course you could also make that configurable with MAVEN_USER variable or
> similar.
>
> For manual deployment, developers use their own ~/.m2/settings.xml with
> their own credentials—i.e., for us, the .travis/settings.xml is _only_ for
> Travis builds.
>
> HTH,
> Curtis
>
> --
> Curtis Rueden
> LOCI software architect - https://loci.wisc.edu/software
> ImageJ2 lead, Fiji maintainer - https://imagej.net/User:Rueden
>
>
> On Fri, Mar 17, 2017 at 8:38 AM, Alix Lourme <[email protected]>
> wrote:
>
> > Dear community,
> >
> > I'm searching for the best practice for password encryption in a Maven POM
> > file *by project*, which could be used via properties (like in ANT or
> > WAGON). Sample:
> > ---
> > <plugin>
> >     <artifactId>maven-antrun-plugin</artifactId>
> >     <version>1.8</version>
> >     <configuration>
> >         <target>
> >             <echo message="Get docker certificates" />
> >             <mkdir dir="cert" />
> >             <scp file="root:${docker.password}@10.xx.xx.xx:/root/.docker/*"
> >                  todir="cert" trust="yes" />
> >         </target>
> >     </configuration>
> > </plugin>
> > ---
> >
> > In this case, my *docker.password* could be a property (pom or
> > settings.xml) but must not be in clear text.
> >
> > The problem with Maven encryption
> > <https://maven.apache.org/guides/mini/guide-encryption.html>:
> > - I have a master password defined in *settings-security.xml* (locally)
> > for my user's needs (like proxy password encryption in MY *settings.xml*)
> > - The CI tool contains the same mechanism (its own *settings-security.xml*)
> > for global needs, like server encryption used in *settings.xml* for jar
> > publication in the repository; and I can't retrieve this file
> >
> > => I can't use this mechanism for password encryption that works both
> > locally and on the CI server.
> >
> > *Is there a way to have an encryption mechanism for the project's
> > perimeter?* (and not for the user's perimeter; the current Maven
> > encryption works perfectly for that).
> >
> > ---
> >
> > Using the -s and -gs Maven options (=> user/global settings override)
> > could be a workaround, but:
> > - The server item definition or the properties defining the password must
> > be in clear text
> > - Using these Maven settings for each build depending on the project
> > workspace is a little boring
> >
> > Perhaps there is a better way, like a "private key by project" ... but I
> > didn't find an entry point about that.
> >
> > Thanks in advance. Best regards
> > *NB*: This question was first asked on stackoverflow
> > <https://stackoverflow.com/questions/33784790/maven-password-encryption-by-project>,
> > but got no real interest ^^.
> > --
> > Alix Lourme
> >
>



-- 
Alix Lourme
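An added example of the pattern Curtis describes, written as a POSIX shell build script; it is not the ImageJ project's own .travis/build.sh and not code from either poster. It assumes a settings file committed at .travis/settings.xml whose `<server>` entry reads its credentials from `${env.MAVEN_USER}` and `${env.MAVEN_PASS}` (the variable names are assumptions; the ImageJ message hardcodes the user as "travis"). The script refuses to deploy when the secret is absent from the environment, prints nothing that could leak it into the build log, and checks before any build runs that the committed settings file carries only `${env.*}` references or Maven-encrypted `{...}` values in its `<password>` elements, never a clear-text password.

```shell
#!/bin/sh
# Added example, not the ImageJ project's .travis/build.sh. It assumes a
# settings file committed at .travis/settings.xml whose <server> entry reads
# its credentials from ${env.MAVEN_USER} and ${env.MAVEN_PASS} (names assumed).

# Succeed only if the named environment variable is set and non-empty.
# Maven leaves an undefined ${env.MAVEN_PASS} as that literal string, so a
# missing secret would otherwise surface later as an authentication failure.
require_env() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "error: $name is not set in the environment" >&2
    return 1
  fi
}

# Deploy is allowed only when both credentials are present. Nothing is written
# to stdout, so the secret values never reach the build log.
can_deploy() {
  require_env MAVEN_USER && require_env MAVEN_PASS
}

# Succeed only if every <password> in a settings.xml is an ${env.*} reference
# or a Maven-encrypted value ({...}); fail if any clear-text password is found.
# Meant as a pre-commit check on the settings file that lives in SCM.
no_cleartext_passwords() {
  file="$1"
  bad=$(grep -o '<password>[^<]*</password>' "$file" \
        | sed 's#<password>\(.*\)</password>#\1#' \
        | grep -v -e '^\${env\.' -e '^{' || true)
  [ -z "$bad" ]
}

main() {
  settings=".travis/settings.xml"
  no_cleartext_passwords "$settings" || {
    echo "error: $settings contains a clear-text password; refusing to build" >&2
    exit 1
  }
  if can_deploy; then
    # Credentials come only from the CI's encrypted environment variables.
    mvn --batch-mode --settings "$settings" deploy
  else
    echo "no deploy credentials in environment; running verify only" >&2
    mvn --batch-mode --settings "$settings" verify
  fi
}

# Run main only when executed as build.sh, not when sourced by a test.
case "$0" in
  */build.sh|build.sh) main "$@" ;;
esac
```

The matching committed settings.xml holds `<username>${env.MAVEN_USER}</username>` and `<password>${env.MAVEN_PASS}</password>` inside its `<server>` element, so the file itself contains no secret and can live in SCM; developers keep their own credentials in ~/.m2/settings.xml for manual deploys, exactly as Curtis describes. Checking the variables before invoking mvn matters because Maven does not fail on an undefined `${env.X}` reference, it just passes the literal text as the password.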
