我正在尝试使用Jenkins凭据插件来获取用户输入,并在Jenkinsfile中使用它进行处理。由于密码字段高度敏感,因此我希望凭据插件可以屏蔽密码,使其不会在控制台输出中显示。但是似乎密码以纯文本显示。我注意到存在一个问题https://issues.jenkins-ci.org/browse/JENKINS-38181,该问题谈论withCredentials块之外的echo语句以纯文本形式显示密码,这是预期的。但是在我的情况下,withCredentials块中的echo语句也显示为纯色。
我在这里做错什么了吗?我应该避免使用echo吗?
凭证绑定插件:1.12
凭据插件:2.1.16
node('someagent') {
stage 'input'
def userNameInput = input(
id: 'UserName', message: 'input your username: ', ok: 'ok', parameters: [string(defaultValue: 'user', description: '.....', name: 'DB_USER')]
)
def userPasswordInput = input(
id: 'Password', message: 'input your password: ', ok: 'ok', parameters: [string(defaultValue: 'password', description: '.....', name: 'DB_PASS')]
)
withCredentials(bindings: [usernamePassword(credentialsId: 'CREDS', usernameVariable: userNameInput, variable: userPasswordInput)]) {
echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
}
}
控制台输出:
[Pipeline] {
[Pipeline] stage (input)
Using the ‘stage’ step without a block argument is deprecated
Entering stage input
Proceeding
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] input
Input requested
Approved by UserId
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
My Username: user
[Pipeline] echo
My Password: password
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
答案 0 :(得分:1)
您不正确理解withCredentials的用法。使用withCredentials时,意味着已将凭据添加到Jenkins中,withCredentials可以将用户名和密码值提取到Shell变量中,然后可以通过引用Shell变量来使用它们。
因此无法将用户名和密码提取到预定义的Groovy变量中。
withCredentials的正确用法:
withCredentials([usernamePassword(
credentialsId: 'CREDS', // the CREDS should be exist in Jenkins
passwordVariable: 'pwd', // you need to use a string, not a Groovy variable
usernameVariable: 'user') // you need to use a string, not a Groovy variable
]) {
sh '''
echo UserName: ${user} // the user and pwd injected into Shell Context as Environment variable
echo Password: ${pwd} // will show as *** in jenkins console
'''
// If you user `"` or `"""` to wrapper a string,
// Groovy will execute string substitution with Groovy variable if
// same name variable exist in Groovy Context
// otherwise the string keep nothing change
sh """
echo ${user}
echo ${pwd} // will show as *** in jenkins console
"""
// because the user and pwd not exist Groovy context
// so substitution will fail and the string keep no change
// then execute the string in Shell by sh(),
// the user and pwd can be found in Shell context
}
实际上,您的以下代码将首先由Groovy执行字符串替换。 这就是为什么您在jenkins控制台
中看到密码以纯文本显示的原因 echo ("My Username: ${userNameInput}")
echo ("My Password: ${userPasswordInput}")
// because userNameInput and userPasswordInput exist in Groovy variables,
// so the ${userNameInput} and ${userPasswordInput} will be replaced to
// the value of Groovy variables before echo, as result ${userNameInput}
// and ${userPasswordInput} used variable from Groovy, rather then from Shell