Michael Weimann
opened 5 years ago
-
Previous Value Current Value Cannot see job secrets
Display job secrets
-
Name Previous Value Current Value Assignee
robin
mweimann
-
@robin if you agree with the suggestion is okay I could provide the code.
Waiting for your response. -
It is designed this way for security reason. Something like GitHub does for secrets.
-
I agree with Robin.
We mainly use secret in a Job to connect to other server and access ressources. I accept my coworker can modify source code and/or launch job but not retrieve my secret (password)
-
One thing to note, if your coworker has administrative rights to the project, he/she can still reveal value of the secret by modifying build spec directly to print it.
-
One thing to note, if your coworker has administrative rights to the project, he/she can still reveal value of the secret by modifying build spec directly to print it.
That was my thought. If you can print the variables anyway the security benefit is not that high. GitLab does it the "reveal"-Button way.
-
Hmm... Maybe we should provide this feature (for project administrators only) for convenience, as it is not possible to keep the value really secret for project administrators.
-
Here is a screenshot from a GitLab project:
Maybe this could be the way:
- Empty field - if empty
- Otherwise fixed number of ● as a placeholder
- "reveal" button that shows the actual values
- I also like the "mask" option since it hides the values in the log
→ Improvement for admins to check their variables + avoiding to print secrets in the builds.
To separate things: this ticket is only about displaying the secrets for admins.
If the other points are useful I could write another issue. -
One thing to note, if your coworker has administrative rights to the project, he/she can still reveal value of the secret by modifying build spec directly to print it.
Wohhhh, you're right.
Hmm... Maybe we should provide this feature (for project administrators only) for convenience, as it is not possible to keep the value really secret for project administrators.
- as far as i know, the only use case of secret is for Job ?
- user without administrative rights to the project can't access to project setting
- BUT user with source code write rights can modify build to print secret !
There is a problem with (3) !! What about having a different rights for build editing ?
-
BUT user with source code write rights can modify build to print secret !
- You can set up the branches that have access to the secrets
- Also you can set up special review rules for these branches
- e.g. you have to review it
-
So effectively only project administrator can determine who can access the secret. So it is consistent to have them reveal the value.
-
Thank you for help and screenshoot about feature i didn't know. I've update all my project's config and now it's secure !
So you're right, it is consistent to have them reveal BUT admin have to setup config VERY CAREFULLY.
-
OneDev
changed state to 'Closed' 5 years ago
Previous Value Current Value Open
Closed
-
OneDev
changed state to 'Released' 5 years ago
Previous Value Current Value Closed
Released
| Type |
Improvement
|
| Priority |
Normal
|
| Assignee |
As a project admin I want to see the job secrets,
so I know that is in there.
Affected area:
At the moment it displays an empty input field.
Suggestions: