bamboo build as specific User

Greetings, we have Linux-based Bitbucket and Bamboo installations, where for instance the Bamboo service is started by a user "bambooadmin". This works well for most basic repository accesses, builds and compiles in our unrestricted environment of code development. However, we have certain software repositories that require restricted user rights, and when Bamboo checks out from Bitbucket repositories, it does so as the Linux user bambooadmin. For security purposes, we cannot use a generic username and ideally we do not want a generic user with access to both restricted and unrestricted areas. We also have back-end processes that require the Bitbucket committing user to execute a specific script which will ideally be automated as the Bamboo builder.

 

Without creating a custom plugin or extensive build plan scripts, is there a way to define which user Bamboo builds as? Such that bambooadmin either builds using the committing Bitbucket / Bamboo username credentials (Crowd/LDAP) or sudos (restricted by SSH keys) to the committing username?

1 answer

0 votes
Daniel Wester Community Champion Jun 21, 2016

All right so it seems you've got 2 questions in one here.

Let's split them up:

However, we have certain software repositories that require restricted user rights and when bamboo checks out from Bitbucket repositories, it does so as the Linux user bambooadmin. For security purposes, we cannot use a generic username and ideally we do not want a generic user with access to both restricted and unrestricted areas.

Why would you want this? Bamboo is a generic utility. It will check out the code and store it on disk (and more than likely the code will stay on disk until wiped). What's your SCM (not sure if you're using Bitbucket Cloud)? If it's Git you can maybe use Bamboo-specific SSH keys? That way the Bamboo user has access to the repositories and it can be tracked through that?

I would not use sudo from the bamboo user or other ways of sharing credentials since that's just opening up a huge security hole (anyone that can become the bamboo user can then access your repositories - or worse - become the real users).

 We also have back-end processes that require the Bitbucket committing user to execute a specific script which will ideally be automated as the bamboo builder.

Again this is a security hole waiting to happen. Git and Mercurial both will allow somebody to inject other usernames into the history so somebody could potentially push somebody else's name into the history that could trigger things. In addition to this, you might have multiple people doing commits in a history which would make automation difficult. That said, you are given the previous and current sha in the metadata so you could pass them in. But from a security perspective I wouldn't trust it too much. If you're using it to generate release notes and that type of thing you'll probably be safe, but if you're changing users etc., it might be a bit scary (you mentioned security).
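As an added example (not part of the answer above and not Bamboo's own code), this shell function checks every commit between the previous and current sha before any per-user automation runs, since author fields are free text and a range can contain several people. It assumes commits are signed and the agent's keyring can verify them; `PREV_SHA`, `CUR_SHA`, the verdict strings and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads one line per commit on stdin, in the format produced by:
#   git log --format='%H|%G?|%GF|%ae' "$PREV_SHA..$CUR_SHA"
# %G? = signature status (G = good), %GF = signing key fingerprint,
# %ae = author email. PREV_SHA and CUR_SHA are assumed variable names for the
# two shas taken from the build metadata.

# check_range EXPECTED_EMAIL EXPECTED_FINGERPRINT
# Prints a verdict and returns 0 only when every commit in the range has a
# good signature from the expected key and names the expected author.
# The body runs in a subshell, so its variables do not leak to the caller.
check_range() (
    want_email="$1"
    want_fpr="$2"
    count=0
    verdict="ok"
    while IFS='|' read -r sha sig fpr email; do
        [ -n "$sha" ] || continue
        count=$((count + 1))
        if [ "$sig" != "G" ]; then
            verdict="unverified:$sha"; break    # author field alone is free text
        elif [ "$fpr" != "$want_fpr" ]; then
            verdict="other-key:$sha"; break     # signed, but by a different key
        elif [ "$email" != "$want_email" ]; then
            verdict="other-author:$sha"; break  # several identities in one range
        fi
    done
    [ "$count" -gt 0 ] || verdict="empty-range"
    printf '%s\n' "$verdict"
    [ "$verdict" = "ok" ]
)

# Constructed sample data (not real commits, keys or addresses).
SAMPLE_OK='a1|G|FPR-ALICE|alice@example.test
b2|G|FPR-ALICE|alice@example.test'
SAMPLE_SPOOFED='a1|G|FPR-ALICE|alice@example.test
c3|N||alice@example.test'
SAMPLE_MIXED='a1|G|FPR-ALICE|alice@example.test
d4|G|FPR-BOB|bob@example.test'

for s in "$SAMPLE_OK" "$SAMPLE_SPOOFED" "$SAMPLE_MIXED"; do
    printf '%s\n' "$s" | check_range alice@example.test FPR-ALICE || true
done
```

A non-zero return means the range should fall back to the generic, low-privilege build path rather than acting on behalf of the named user.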
