Re: Failure with Github Actions from outside of the organization (out of a sudden!)

[Matt Sicker <bo...@gmail.com>]

Couple things about Jenkins credentials:

1. The credentials are stored encrypted in the controller and are
dynamically decrypted and bound to jobs over the Jenkins remoting
protocol. A malicious dependency would not be able to gain access to
other credentials in Jenkins unless you're running your jobs on the
controller itself (many people do this because they don't want to set
up agents; if you do that, keep that Jenkins instance fully private as
the security mechanisms can't do much without it due to the nature of
executing arbitrary code as a feature rather than as a bug). As such,
_no_ credentials are automatically injected into builds in Jenkins;
the only credentials that may be pre-configured are for things like
git checkout (in the job config itself), default email server
settings, and any other global settings that might be configured.

2. When using gitbox URLs to checkout a repo in our Jenkins instances,
these use a custom developed Jenkins plugin that doesn't require
credentials (plus it's publicly accessible) while also supporting
webhooks.

3. The only Jenkins agents we have that provide access to credentials
which can write to ASF infrastructure that I know of are all in the
websites node which have scripts and such explicitly to secure its use
case (mostly via the .asf.yaml config options for your site branch).

On Wed, 30 Dec 2020 at 04:42, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> Jarek>What credentials are you talking about?
>
> For instance, asfNexusUsername/asfNexusPassword (see
> https://cwiki.apache.org/confluence/display/INFRA/Gradle+Installations )
> I assume there exists something like git-websites Jenkins node label that
> has privileges to update project site (
> https://cwiki.apache.org/confluence/display/INFRA/Jenkins+node+labels )
>
> Jarek>Not as long as the build cannot write to the github repository and
> modify
> Jarek>code.
>
> ASF Jenknis nodes are stateful, and they do have credentials of some kind.
> On top of that, a malicious build script plugin could use developer's
> credentials
> to make changes to the repositories.
>
> Vladimir

Re: Failure with Github Actions from outside of the organization (out of a sudden!)

[Gavin McDonald <gm...@apache.org>]

Hi Matt,

You are still also correct:-

https://jenkins-ccos.apache.org/job/websites1/
https://jenkins-ccos.apache.org/job/websites2/

both are floating agents available for all client masters.

HTH

On Mon, Jan 4, 2021 at 8:45 PM Matt Sicker <bo...@gmail.com> wrote:

> Seems as though my information on that websites node is out of date.
> That's no longer a node and is handled separately:
>
> https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features#git.asf.yamlfeatures-WebSiteDeploymentServiceforGitRepositories
>
> If I recall correctly, I believe some infra-specific jobs have been
> migrated to their own Jenkins controllers with the CloudBees CI
> migration.
>
> On Mon, 4 Jan 2021 at 13:18, Vladimir Sitnikov
> <si...@gmail.com> wrote:
> >
> > Thanks for explaining the Jenkins security model.
> >
> > Matt> which can write to ASF infrastructure that I know of are all in the
> > Matt> websites node which have scripts and such explicitly to secure its
> use
> > Matt> case (mostly via the .asf.yaml config options for your site
> branch).
> >
> > I am afraid I do not follow you.
> >
> > An arbitrary script (e.g. one of the Maven plugins) can write to ASF
> > repositories when it runs
> > at website node.
> > It sounds like a much more significant issue than GitHub Action.
> >
> > Vladimir
>


-- 

*Gavin McDonald*
Systems Administrator
ASF Infrastructure Team

Re: Failure with Github Actions from outside of the organization (out of a sudden!)

[Matt Sicker <bo...@gmail.com>]

Seems as though my information on that websites node is out of date.
That's no longer a node and is handled separately:
https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features#git.asf.yamlfeatures-WebSiteDeploymentServiceforGitRepositories

If I recall correctly, I believe some infra-specific jobs have been
migrated to their own Jenkins controllers with the CloudBees CI
migration.

On Mon, 4 Jan 2021 at 13:18, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> Thanks for explaining the Jenkins security model.
>
> Matt> which can write to ASF infrastructure that I know of are all in the
> Matt> websites node which have scripts and such explicitly to secure its use
> Matt> case (mostly via the .asf.yaml config options for your site branch).
>
> I am afraid I do not follow you.
>
> An arbitrary script (e.g. one of the Maven plugins) can write to ASF
> repositories when it runs
> at website node.
> It sounds like a much more significant issue than GitHub Action.
>
> Vladimir

Re: Failure with Github Actions from outside of the organization (out of a sudden!)

[Vladimir Sitnikov <si...@gmail.com>]

Thanks for explaining the Jenkins security model.

Matt> which can write to ASF infrastructure that I know of are all in the
Matt> websites node which have scripts and such explicitly to secure its use
Matt> case (mostly via the .asf.yaml config options for your site branch).

I am afraid I do not follow you.

An arbitrary script (e.g. one of the Maven plugins) can write to ASF
repositories when it runs
at website node.
It sounds like a much more significant issue than GitHub Action.

Vladimir