I want to use an OAuth Consumer to connect our Jenkins server to Bitbucket per the instructions here https://github.com/jenkinsci/bitbucket-branch-source-plugin/blob/master/docs/USER_GUIDE.adoc
However, I would like to restrict what repos an OAuth Consumer can access, either per repo, or per project. Several questions...
Hi Ryan and welcome to the community!
The access token obtained from an OAuth consumer can access all repos of the workspace the consumer belongs to.
Only admins of a workspace can create an OAuth consumer.
If you want to restrict access, instead of OAuth you could use the credentials (username and app password) of a Bitbucket account that has access only to the repositories that you want the plugin to access. This could be a new Bitbucket account that you set up only for CI purposes or an existing account.
Please feel free to reach out if you have any other questions.
Kind regards,
Theodora
@Theodora Boudale We would prefer to not use an existing user account. Our users tend to have more permissions than our restricted CI accounts and there's the question of what happens when a user leaves the org. Do all the builds break when their account is deactivated?
However, I suspect the CI only account would contribute to our monthly bill. Can you confirm or deny this?
The OAuth consumer seemed like a good solution, until we saw (and you confirmed) that it has access to all repos in the workspace. We really do not want every Jenkins instance in our org to see all the repos in our workspace.
Is there a feature request for limiting what projects and/or repos an OAuth consumer can access? It seems pretty restrictive for an OAuth consumer to be able to access all projects and repos in the workspace.
Hi Ryan,
A CI-only account will indeed count as a billable user if it has access to the workspace's private repos.
There is no existing feature request for limiting the repos an OAuth consumer can access. I went ahead and created one in our public issue tracker here:
Please feel free to let me know if you have any other questions.
Kind regards,
Theodora