Password shows in plain text using Jenkins credentials plugin

Submitted by 让人想犯罪 on 2019-12-24 08:28:09

Question


I am trying to use the Jenkins Credentials plugin to get user input and make use of it in a Jenkinsfile for processing. Since the password field is highly sensitive, I was hoping the credentials plugin would mask the password from displaying in the console output. However, it seems like the password is displayed in plain text. I noticed an existing issue https://issues.jenkins-ci.org/browse/JENKINS-38181 that talks about echo statements outside of the withCredentials block displaying passwords in plain text, which is expected. But in my case, even echo statements inside the withCredentials block are displayed in plain text.

Am I doing something wrong here? Should I just refrain from using echo?

Credentials Binding Plugin: 1.12
Credentials Plugin: 2.1.16

 node('someagent') {
    stage 'input'
    def userNameInput = input(
        id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
    )
    def userPasswordInput = input(
        id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
    )
    withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
     echo ("My Username: ${userNameInput}")
     echo ("My Password: ${userPasswordInput}")
    }
}

Console Output:

[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

Answer 1:


You don't understand the withCredentials usage correctly. When you use withCredentials, it means the credential has already been added to Jenkins; withCredentials can extract the user and password values into Shell variables, and you can then use them by referring to the Shell variables.

So there is no way to extract the user and password into your pre-defined Groovy variable.

The correct usage of withCredentials:

withCredentials([usernamePassword(
    credentialsId: 'CREDS', // the CREDS should exist in Jenkins
    passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
    usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
    // the user and pwd are injected into the Shell context as environment variables
    // the password will show as *** in the Jenkins console
    sh '''
    echo UserName: ${user}
    echo Password: ${pwd}
    '''

    // If you use `"` or `"""` to wrap a string,
    // Groovy will execute string substitution with the Groovy variable if
    // a variable of the same name exists in the Groovy context,
    // otherwise the string is kept unchanged

    // the password will show as *** in the Jenkins console
    sh """
     echo ${user}
     echo ${pwd}
    """
    // because user and pwd do not exist in the Groovy context,
    // the substitution will fail and the string is kept unchanged,
    // then the string is executed in the Shell by sh(),
    // where user and pwd can be found in the Shell context
}

Actually, your code below will first go through string substitution by Groovy. This is why you see the password shown in plain text in the Jenkins console.

 echo ("My Username: ${userNameInput}") 
 echo ("My Password: ${userPasswordInput}")

 // because userNameInput and userPasswordInput exist as Groovy variables,
 // the ${userNameInput} and ${userPasswordInput} will be replaced with
 // the values of the Groovy variables before echo; as a result ${userNameInput}
 // and ${userPasswordInput} use the variables from Groovy, rather than from Shell


Source: https://stackoverflow.com/questions/51834768/password-shows-in-plain-text-using-jenkins-credentials-plugin
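
The following complete scripted pipeline is an added example, not part of the original question or answer. It shows the binding used with literal environment-variable names and contrasts the quoting styles for `sh`. The credential ID `CREDS` and the agent label `someagent` come from the question; the names `DB_USER` and `DB_PASS` are reused here as environment-variable names, and the stage names are assumptions.

```groovy
// Added example. Assumes a "Username with password" credential with ID 'CREDS'
// is already stored in Jenkins and an agent labelled 'someagent' exists.
node('someagent') {
    stage('use stored credential') {
        withCredentials([usernamePassword(
                credentialsId: 'CREDS',
                usernameVariable: 'DB_USER',     // literal name of an environment variable
                passwordVariable: 'DB_PASS')]) { // literal name of an environment variable

            // Single quotes: Groovy passes the text through untouched and the
            // shell expands $DB_USER / $DB_PASS from its own environment.
            // The console shows the bound values masked.
            sh '''
                echo "UserName: $DB_USER"
                echo "Password: $DB_PASS"
            '''

            // Check that the secret is present without printing it:
            // only its length in bytes is written to the log.
            sh 'printf "%s" "$DB_PASS" | wc -c'

            // Avoid: with double quotes Groovy substitutes the value into the
            // script text before the shell starts, so the secret becomes part
            // of the command itself. The Jenkins documentation advises against
            // interpolating credentials this way.
            // sh "echo Password: ${DB_PASS}"
        }
    }

    stage('outside the block') {
        // The binding ends with the withCredentials block: the variable is no
        // longer set here, and values are only masked inside the block.
        sh 'echo "DB_PASS is ${DB_PASS:-unset}"'
    }
}
```

Masking applies to the values of the stored credential while the block is active; a value held in an ordinary Groovy variable, such as the result of an `input` step with a `string` parameter, is not one of those values and is printed as-is.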