Jean-Louis Schricke (mesulog)2019-04-21 09:57 Thomas, I will suggest a very simple improvement in order to ensure the confidentiality of jobs within Jenkins plugin for Tuleap. When defining the job properties, it should be possible to select one Tuleap project member which will be used for Jenkins connection. This could be optional (which is the actual behaviour with anonymous login). Of course the correspondance between Tuleap user and Jenkins user will be Under the responsability of the administrator (if LDAP is not used).
Thomas Gerbet (tgerbet)2019-04-19 19:30 > My customers have access to the job results attached to their projects and are able, by consulting them, to improve the code they produce and commit on our Subversion server. That's good, I'm all for improving code quality and continuous integration is an important part of it nowadays. > I couldn't imagine that one of my customer may see all the job results available on my Continuous Integration platform. But it is what will happen if I want to add access to the Jenkins job results through Jenkins plugin. But it is what will happen if I want to add access to the Jenkins job results through Jenkins plugin. In this case I will have to use anonymous logon and give access to all jobs to this anonymous user. It seems we all agree on that and this is exactly why this feature is not as trivial as it may seem on the first look. The accesses to the Jenkins resources needs to be carefully designed. Again, if someone wants to contribute, I'm all up to help drafting a proposal on how the whole thing should work. In the meantime, it could be interesting to state explicitly the current limitations in the web UI. Status changed from New to AcknowledgedPlatform cleared values: CentOS 6
Jean-Louis Schricke (mesulog)2019-04-19 18:43 Thomas, I am using Jenkins and I appreciate it. My customers have access to the job results attached to their projects and are able, by consulting them, to improve the code they produce and commit on our Subversion server. I couldn't imagine that one of my customer may see all the job results available on my Continuous Integration platform. But it is what will happen if I want to add access to the Jenkins job results through Jenkins plugin. In this case I will have to use anonymous logon and give access to all jobs to this anonymous user. That's why I don't use the Jenkins plugin into Tuleap.
Thomas Gerbet (tgerbet)2019-04-19 17:54 Hello, I'm unsure this request can be qualified as a security leak, neither the availability, the integrity nor the confidentiality of the Tuleap instance is impacted. By all means, please do not open up your Jenkins instance if it is not intended to have it public and, as usual but it is even more important in this case, closely follow Jenkins and Jenkins plugins updates. I however acknowledge there is a feature gap here. This is however not as bad as it seems, even in this scenario, a push in a Git repo can still trigger builds when it's configured according to the recommendation (poll SCM enabled on the Jenkins job + Git Jenkins webhook). Also all the features where Jenkins interacts with Tuleap also work like publishing commit status on a PR, reporting tests success or failure in the Test Management plugin or using the Tuleap Branch Source plugin for Jenkins (https://plugins.jenkins.io/tuleap-git-branch-source). To close this request we would need a way to authenticate against Jenkins and to store securely the credentials used for the authentication. We would also need to define the access scope of the resources displayed within Tuleap with those credentials (should only users with the capability of modifying the credentials have access to the associated resources?). We can start working on a draft proposal together if you intend to contribute.
Jean-Louis Schricke (mesulog)2019-04-18 09:12 Any news on this subject ? Because of this security leak, I cannot use the Tuleap plugin...