Summary
This document describes how to configure impersonation using passwordless credentials to allow an agent user (for example, `ecbuild`) on Ubuntu to `su` to another user without a password.
Solution
The following procedures show how to configure passwordless credentials. In this example, the CloudBees CD (CloudBees Flow) agent runs under a user named `ecbuild`, and the following procedures show how to allow this user to `su - testuser` without a password.
Configuring the Agent Machine
Perform the following steps on each agent machine:
- (Optional) If you do not want to use an existing group, create a group by entering
  `sudo addgroup `
- (Optional) If you do not want to use an existing user, create a user by entering
  `sudo adduser `
- Make the password empty by entering
  `sudo passwd -d `
  For details, see "Can I set my user account to have no password?"
- Allow the `ecbuild` user to `su - ` by adding the following two lines to the `/etc/pam.d/su` file just below the `pam_rootok.so` line:

  ```
  auth [success=ignore default=1] pam_succeed_if.so user = testuser
  auth sufficient pam_succeed_if.so use_uid user = ecbuild
  ```

  The first line ensures that the target user is `testuser`. If it is, the next line takes control and authorizes the `su` if the calling user is `ecbuild`.

  You can also restrict `su` to a group. In the following example, the group `allowedpeople` can `su` without a password:

  ```
  auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople
  ```

  For details, see "Allow user1 to "su - user2" without password."
Now you can run a procedure with credentials other than the `ecbuild` user without specifying a password for this user.
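The scope of the `/etc/pam.d/su` lines above can be checked with a small model of how they are evaluated. The following Python is an added example, not CloudBees code or part of PAM; it models only the two control forms used on this page, and the `GROUPS` membership (user `alice`) is constructed for illustration.

```python
# Added example: minimal model of the pam_succeed_if.so auth lines shown above.
# Only "[success=ignore default=1]" and "sufficient" are modelled.

GUARDED = """\
auth [success=ignore default=1] pam_succeed_if.so user = testuser
auth sufficient pam_succeed_if.so use_uid user = ecbuild
"""
GROUP = "auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople\n"

# Constructed group membership, for illustration only.
GROUPS = {"allowedpeople": {"alice"}}


def parse(rules):
    """Turn each auth line into (control, use_uid, operator, value)."""
    parsed = []
    for line in rules.splitlines():
        head, _, args = line.partition("pam_succeed_if.so")
        control = head.split(None, 1)[1].strip()
        words = args.split()
        use_uid = "use_uid" in words
        if use_uid:
            words.remove("use_uid")
        _field, op, value = words  # e.g. user = testuser
        parsed.append((control, use_uid, op, value))
    return parsed


def su_needs_password(rules, caller, target):
    """True if the lines fall through to the normal password prompt."""
    skip = 0
    for control, use_uid, op, value in parse(rules):
        if skip:
            skip -= 1
            continue
        # use_uid tests the calling user; without it the target user is tested.
        subject = caller if use_uid else target
        ok = subject == value if op == "=" else subject in GROUPS.get(value, set())
        if control == "sufficient" and ok:
            return False  # authenticated here, no password asked
        if control.startswith("[") and not ok:
            skip = 1  # default=1: jump over the next line
    return True
```

With the guarded pair, only `ecbuild` to `testuser` skips the password prompt. The group line has no target check, so in this model a member of `allowedpeople` is passwordless for any target user, including root.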
Adding a New Credential to a Project
- Open a project in the Automation Platform and click the Credentials tab.
- On the right side of the tab, click the Create Credential button.
  The New Credential dialog box appears.
- Fill in the fields.
  Note that you do not need to enter a password in this dialog box. The credential name (the Name field) can be different than the user name.
- Click OK.
Adding a New Credential to a Procedure
For every procedure that you want to run with the new credential:
- Click the Use specific credential radio button.
- Specify the Credential Name that you specified in the Name field above.
- Click OK.
Running the Procedure to Test the Configuration
- Click the Run button on the procedure to execute the procedure.
- Check the Job Step Details > General tab for the job step that you just ran to ensure that the job was executed with the specified credential.