bamboo build as specific User

Robert Donaldson June 21, 2016

Greetings, we have Linux-based Bitbucket and Bamboo installations, where for instance the Bamboo service is started by a user "bambooadmin". This works well for most basic repository accesses, builds and compiles in our unrestricted environment of code development. However, we have certain software repositories that require restricted user rights and when Bamboo checks out from Bitbucket repositories, it does so as the Linux user bambooadmin. For security purposes, we cannot use a generic username and ideally we do not want a generic user with access to both restricted and unrestricted areas. We also have back-end processes that require the Bitbucket committing user to execute a specific script which will ideally be automated as the Bamboo builder.

 

Without creating a custom plugin or extensive build plan scripts, is there a way to define which user Bamboo builds as? Such that bambooadmin either builds using the committing Bitbucket / Bamboo username credentials (crowd/LDAP) or sudo's (restricted by SSH keys) the committing username?

1 answer

0 votes
Daniel Wester
June 21, 2016

All right so it seems you've got 2 questions in one here.

Let's split them up:

However, we have certain software repositories that require restricted user rights and when Bamboo checks out from Bitbucket repositories, it does so as the Linux user bambooadmin. For security purposes, we cannot use a generic username and ideally we do not want a generic user with access to both restricted and unrestricted areas.

Why would you want this? Bamboo is a generic utility. It will check out the code and store it on disk (and more than likely the code will stay on disk until wiped). What's your SCM (not sure if you're using Bitbucket Cloud)? If it's git you can maybe use Bamboo-specific SSH keys? That way the bamboo user has access to the repositories and it can be tracked through that?

I would not use sudo from the bamboo user or other ways of sharing credentials since that's just opening up a huge security hole (anyone that can become the bamboo user can then access your repositories - or worse - become the real users).

We also have back-end processes that require the Bitbucket committing user to execute a specific script which will ideally be automated as the Bamboo builder.

Again this is a security hole waiting to happen. Git and Mercurial both will allow somebody to inject other usernames into the history so somebody could potentially push somebody else's name into the history that could trigger things. In addition to this, you might have multiple people doing commits in a history which would make automation difficult. That said - you are given the previous and current sha in the metadata so you could pass them in. But from a security perspective I wouldn't trust it too much. If you're using it to generate release notes and that type of thing you'll probably be safe but if you're changing users etc. - it might be a bit scary (you mentioned security).
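An added example, not part of the original answer or of Bamboo itself: a gate that a build script could run over the previous-to-current SHA range before acting on a commit identity. It ignores the author field, which the answer notes can be injected, and requires every commit in the range to carry a good signature from a single allowlisted key. The `PREV_SHA`/`CUR_SHA` variable names, the allowlist file format and the `gate_range` function are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; names and file formats below are hypothetical.
# Expected stdin, one line per commit in the range:
#   git log --format='%H%x09%ae%x09%G?%x09%GF' "$PREV_SHA..$CUR_SHA"
# Fields: commit hash, author email, signature status, signing key fingerprint.
#
# gate_range ALLOWLIST_FILE
#   ALLOWLIST_FILE holds lines of "<key fingerprint> <user>".
#   Prints the one mapped user and returns 0, or prints "DENY: ..." and returns 1.
gate_range() {
    awk -F '\t' -v allow="$1" '
        BEGIN {
            # Load the fingerprint -> user map; a missing file leaves it empty.
            while ((getline line < allow) > 0) {
                split(line, f, " ")
                user[f[1]] = f[2]
            }
        }
        # Field 2 (author email) is never used for the decision: it is
        # free-form metadata that whoever creates the commit chooses.
        NF < 4        { reason = "malformed line"; exit }
        $3 != "G"     { reason = "commit " $1 " signature status " $3; exit }
        !($4 in user) { reason = "commit " $1 " signed by unlisted key"; exit }
        { seen[user[$4]] = 1; n++ }
        END {
            if (reason != "") { print "DENY: " reason; exit 1 }
            if (n == 0)       { print "DENY: empty range"; exit 1 }
            c = 0
            for (u in seen) { c++; who = u }
            # Several signers in one push: no single identity to act as.
            if (c != 1) { print "DENY: " c " distinct signers in range"; exit 1 }
            print who
        }'
}
```

The identity it prints comes from the verified signing key, so an unsigned commit that merely carries someone else's name or email is rejected rather than acted on.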
