Use volatile user/password for JJB configuration
Do not rely on any stored credentials for configuring the
jobs through the Jenkins Jobs Builder utility.
Storing the credentials of a user with permissions to change
the Jenkins jobs definition is risky and should be avoided
at all costs.
Jobs are not changed continunously and any modification needs
to be reviewed and merged by a Gerrit user with the maintainership
of the gerrit-ci-scripts. There isn't a big value in storing
the API token of a priviledged user, therefore accept the small
pain of triggering the build manually rather than risking a
much bigger vulnerability exposure.
Change-Id: Ie474043a513ee1faceeefb91198f82dbe1ac1507
diff --git a/jenkins/gerrit-ci-scripts.yaml b/jenkins/gerrit-ci-scripts.yaml
index 4fae473..ef0999b 100644
--- a/jenkins/gerrit-ci-scripts.yaml
+++ b/jenkins/gerrit-ci-scripts.yaml
@@ -2,6 +2,13 @@
name: gerrit-ci-scripts
description: Gerrit Jenkins Job Builder Scripts
node: server
+ parameters:
+ - string:
+ name: JJB_USER
+ description: 'Jenkins user authorised to configure jobs'
+ - password:
+ name: JJB_PASSWORD
+ description: 'Jenkins API user token'
scm:
- git:
url: https://gerrit.googlesource.com/a/gerrit-ci-scripts
@@ -42,6 +49,12 @@
node: server
parameters:
- string:
+ name: JJB_USER
+ description: 'Jenkins user authorised to configure jobs'
+ - password:
+ name: JJB_PASSWORD
+ description: 'Jenkins API user token'
+ - string:
name: CHANGE_NUMBER
description: 'Legacy Change ID of patch to build'
- string:
