-
Suggestion
-
Resolution: Fixed
-
None
-
0
-
1
-
In our Bamboo environment, we have over 100 actively used plans. Each of those plans checks out code from Subversion. When entering authentication credentials for the repository in the plans initial configuration stage, we use an Active Directory account that was created specifically for Bamboo (we call it a BPID, Business Process ID) instead of having the developers authenticate using their own credentials. We do this so that the repository settings do not need to be updated every time a developer leaves the company or changes his/her password. However, there are several problems with this approach. First of all, the BPID credentials are supposed to be private (not written down on a sticky note on every developers desk). Second, the BPID password is supposed to be changed every 90 days (which is nearly impossible, seeing as how it would require going into each and every one of our 100+ plans and updating the source code repository settings). I was somewhat hopeful that the new "Shared Repository" feature would solve this issue, but while it does save the authentication credentials and store them centrally, it only allows us to save one specific repository URL and does not allow for plan-specific modifications to that URL.
What I'm looking for is a way to allow all plans to specify their individual repository URLs while not having to worry about the authentication credentials. There needs to be a way to have some sort of root-level configuration in the Administration tab that allows me to say "Here's my base-level repository URL, and here are the credentials to use" and then that would let me reconfigure the individual plans to use that base-level URL and then tack on their plan-specific URL on to that one. The developer would never have to worry about the authentication piece. But then I would have the ability to keep my BPID private and I could also go to that setting in the Administration tab once every 90 days and update the password in one place and one place only.
Is this just wishful thinking, or do you think it can be done? And do you know of any workaround that I could use in the meantime? I'm using version 4.4.4.
- duplicates
-
- Closed
[BAM-12966] Centralized credential management
I want this feature in Bamboo.
https://wiki.jenkins-ci.org/display/JENKINS/Credentials+Plugin
Tim Wundke
added a comment - I very much hope that Atlassian doesn't consider this issue resolved now that they've introduced Shared Credentials in Bamboo 5.2. Not everyone uses SSH authentication. Shared usernames/passwords is also a must.
Tim Wundke
added a comment - I very much hope that Atlassian doesn't consider this issue resolved now that they've introduced Shared Credentials in Bamboo 5.2. Not everyone uses SSH authentication. Shared usernames/passwords is also a must. Re-opening this one. I think we can do a better job at sharing and managing credentials not just for repositories but for SSH servers, Tomcat servers, etc
Jordan Packer
added a comment - What about adding the ability to put in a global variable as the SVN password in the Shared Repository? That way, everyone could create their own plan-specific repository URLs and when they enter the authentication credentials, they could just reference the global variable. Then, I could keep it secret (since you guys were kind enough to start masking those passwords on the Global Variables page), and I could change it when needed and I would only need to update it in that one spot.
Unless you guys have a reason why you don't allow global variables to be passed in as a password, I think that would be the easiest solution.
Jordan Packer
added a comment - What about adding the ability to put in a global variable as the SVN password in the Shared Repository? That way, everyone could create their own plan-specific repository URLs and when they enter the authentication credentials, they could just reference the global variable. Then, I could keep it secret (since you guys were kind enough to start masking those passwords on the Global Variables page), and I could change it when needed and I would only need to update it in that one spot.
Unless you guys have a reason why you don't allow global variables to be passed in as a password, I think that would be the easiest solution. Jordan Packer
added a comment - Okay, that works to some extent.... I didn't realize that you could override a global variable at the plan level just by creating one with the same name. That was my fault for not reading the documentation closely enough.
However, I still have a problem with this method because some of our plans are currently composing their SVN URLs by using plan-level variables (in order to specify different branches, tags, etc. on the fly). So using the workaround you suggest, I would require the ability to nest variables within other variables. This is currently not a standard option for Bamboo. I would have to pay for a third-party plugin in order to get that functionality.
Jordan Packer
added a comment - Okay, that works to some extent.... I didn't realize that you could override a global variable at the plan level just by creating one with the same name. That was my fault for not reading the documentation closely enough.
However, I still have a problem with this method because some of our plans are currently composing their SVN URLs by using plan-level variables (in order to specify different branches, tags, etc. on the fly). So using the workaround you suggest, I would require the ability to nest variables within other variables. This is currently not a standard option for Bamboo. I would have to pay for a third-party plugin in order to get that functionality. You can override global variables at the plan level (See the variables tab on the plan configuration).
I can't remember off the top of my head if a global variable has to exist as well or if you could leave it blank.
Jordan Packer
added a comment - That's what I wanted to do, but in your example, wouldn't the ${bamboo.repositorySubPath} have to be a global variable? And if that's the case, then it could only be set to one sub-path at a time? I definitely can't have people manually overriding the global variable each time they run a plan...
Jordan Packer
added a comment - That's what I wanted to do, but in your example, wouldn't the ${bamboo.repositorySubPath} have to be a global variable? And if that's the case, then it could only be set to one sub-path at a time? I definitely can't have people manually overriding the global variable each time they run a plan... A possible (though not particularly nice) workaround is to use variables.
So you define a global repository for http://svn.blah.com/pathcommontoallrepositories/${bamboo.repositorySubPath}. Then for each individual plan define the repositorySubPath variable.
It's resolved with Shared Credentials feature introduced at v5.13.0.1. It doesn't have coverage for Subversion, so vote and watch BAM-18088.