I am not sure if this was already asked/ discussed before.
In my Jenkins, I have setup LDAP authentication and that password is required in one of my jobs to remotely login to a different server using that password and execute some tasks there
Assume the remote task is executed via sshexec in ant task which requires username password. I dont want the user to enter the password again in the form of a build paramater, is there a way to get the password used for Jenkins authentication inside the build job ???
[I]s there a way to get the password used for Jenkins authentication inside the build job?
Not as such. Jenkins does not retain the password after you log in, it simply passes it to the LDAP server long enough to verify that you should be authenticated.
So what you need is to define Credentials persisted in Jenkins that can be used during a build. You can use the Credentials Binding plugin to set up a fixed username/password which the job will have access to.
If your requirement is for the credentials to not be available for any build of the job, but instead that a user manually initiating the build should have to supply them (meaning that scheduled or otherwise triggered builds are impossible), I think this is also supported as of version 1.1. Define a parameter of credentials type for the job, to be used via variable expansion in the binding. Then have the user define these credentials in their user configuration page (/me/configure
). Then when selecting Build with Parameters they should see their own personal credentials and be able to select them. The user needs the Credentials/UseOwn permission on the job.
Another option for the future would be a subtype of username/password credentials which does not store the password at all (maybe just a “salted” hash, using jBCrypt), and somehow prompts for you to enter the password before the credentials are considered valid, probably expiring after a few minutes. This mode has not been implemented but would be useful for sites with stricter security requirements.
(Regular credentials are stored encrypted, but the default secure storage mechanism keeps the master encryption key in $JENKINS_HOME
—so secure so long as you do not allow shell access to your server to anyone who is not already a Jenkins administrator, and of course so long as you configure the master computer to have zero executors so people cannot run builds on it, only on slaves. Another RFE would be an alternate storage mechanism that allows the master key to be injected by some other means.)