使用 Jenkins 凭据插件以纯文本形式显示密码
Password shows in plain text using Jenkins credentials plugin
我正在尝试使用 Jenkins Credentials 插件获取用户输入并在 Jenkinsfile 中使用它进行处理。由于密码字段高度敏感,我希望凭据插件可以屏蔽密码,使其不显示在控制台输出中。但是似乎密码以纯文本显示。我注意到一个现有问题 https://issues.jenkins-ci.org/browse/JENKINS-38181,它讨论了 withCredentials 块之外的 echo 语句以纯文本显示密码,这是预期的。但就我而言,即使是 withCredentials 块内的 echo 语句也显示得很清楚。
我是不是做错了什么?我应该避免使用 echo 吗?
凭据绑定插件:1.12
凭据插件:2.1.16
node('someagent') {
stage 'input'
def userNameInput = input(
id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
)
def userPasswordInput = input(
id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
)
withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
}
}
控制台输出:
[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
您没有正确理解 withCredentials 的用法。当使用withCredentials时,表示凭证已添加到Jenkins中,withCredentials可以将用户和密码值提取到Shell变量中,然后您可以通过引用shell来使用它们变量。
因此无法将用户和密码提取到预定义的 Groovy 变量中。
withCredentials的正确用法:
withCredentials([usernamePassword(
credentialsId: 'CREDS', // the CREDS should be exist in Jenkins
passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
sh '''
echo UserName: ${user} // the user and pwd injected into Shell Context as Environment variable
echo Password: ${pwd} // will show as *** in jenkins console
'''
// If you user `"` or `"""` to wrapper a string,
// Groovy will execute string substitution with Groovy variable if
// same name variable exist in Groovy Context
// otherwise the string keep nothing change
sh """
echo ${user}
echo ${pwd} // will show as *** in jenkins console
"""
// because the user and pwd not exist Groovy context
// so substitution will fail and the string keep no change
// then execute the string in Shell by sh(),
// the user and pwd can be found in Shell context
}
实际上你的下面的代码将首先执行 Groovy 的字符串替换。
这就是为什么您在 jenkins 控制台中看到密码以纯文本形式显示的原因
echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
// because userNameInput and userPasswordInput exist in Groovy variables,
// so the ${userNameInput} and ${userPasswordInput} will be replaced to
// the value of Groovy variables before echo, as result ${userNameInput}
// and ${userPasswordInput} used variable from Groovy, rather then from Shell
我正在尝试使用 Jenkins Credentials 插件获取用户输入并在 Jenkinsfile 中使用它进行处理。由于密码字段高度敏感,我希望凭据插件可以屏蔽密码,使其不显示在控制台输出中。但是似乎密码以纯文本显示。我注意到一个现有问题 https://issues.jenkins-ci.org/browse/JENKINS-38181,它讨论了 withCredentials 块之外的 echo 语句以纯文本显示密码,这是预期的。但就我而言,即使是 withCredentials 块内的 echo 语句也显示得很清楚。
我是不是做错了什么?我应该避免使用 echo 吗?
凭据绑定插件:1.12
凭据插件:2.1.16
node('someagent') {
stage 'input'
def userNameInput = input(
id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
)
def userPasswordInput = input(
id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
)
withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
}
}
控制台输出:
[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
您没有正确理解 withCredentials 的用法。当使用withCredentials时,表示凭证已添加到Jenkins中,withCredentials可以将用户和密码值提取到Shell变量中,然后您可以通过引用shell来使用它们变量。
因此无法将用户和密码提取到预定义的 Groovy 变量中。
withCredentials的正确用法:
withCredentials([usernamePassword(
credentialsId: 'CREDS', // the CREDS should be exist in Jenkins
passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
sh '''
echo UserName: ${user} // the user and pwd injected into Shell Context as Environment variable
echo Password: ${pwd} // will show as *** in jenkins console
'''
// If you user `"` or `"""` to wrapper a string,
// Groovy will execute string substitution with Groovy variable if
// same name variable exist in Groovy Context
// otherwise the string keep nothing change
sh """
echo ${user}
echo ${pwd} // will show as *** in jenkins console
"""
// because the user and pwd not exist Groovy context
// so substitution will fail and the string keep no change
// then execute the string in Shell by sh(),
// the user and pwd can be found in Shell context
}
实际上你的下面的代码将首先执行 Groovy 的字符串替换。 这就是为什么您在 jenkins 控制台中看到密码以纯文本形式显示的原因
echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
// because userNameInput and userPasswordInput exist in Groovy variables,
// so the ${userNameInput} and ${userPasswordInput} will be replaced to
// the value of Groovy variables before echo, as result ${userNameInput}
// and ${userPasswordInput} used variable from Groovy, rather then from Shell