[jenkins] credentials should have special role with restricted access
Description
We are using a setup with gitlab EE and jenkins for CI. We are very happy to display in gitlab the status of a pipeline for each commit. However, we don't understand why jenkins needs to log in with a user with developer role in all projects. This leads to 2 possibilities. Either we give jenkins credentials of a physical person in the company, which would lead to confusion since the gitlab pipeline would display him as the triggerer when he actually did not commit anything. Or we create a fake account specifically for this purpose. We chose to go the latter way. But:
- It uses a license we must pay for
- It gives privileged rights to a username which many in the company have credentials for.
Proposal
Would it be possible to make a new role for such fake users so that:
- they can only do the gitlabCommitStatus and the like - they would not be able to do any changes in the project itself, only the pipeline statuses
- they would not consume any license
(BTW, why do guests also consume licenses?)
Overview
What is it? Why should someone use this feature? What is the underlying (business) problem? How do you use this feature?
A fake user with special access without using any licence would help integration of jenkins together with gitlab. It might also help integration of gitlab with other tools with which I am not familiar. It allows giving this user privileges restricted to a very special case, with write rights on certain things but not on the project itself.
Use cases
Who is this for? Provide one or more use cases.
When configuring jenkins to run the CI of gitlab projects, a fake user can log in to gitlab to change the pipeline commit status.
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
- Feature assurance
- Documentation
- Added to features.yml
/cc @Jerome-Phillot