[
https://issues.apache.org/jira/browse/MBUILDCACHE-33?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652089#comment-17652089
]
Alexander Ashitkin edited comment on MBUILDCACHE-33 at 12/27/22 2:30 AM:
-------------------------------------------------------------------------
[~gnodet] putting credentials in settings.xml is either insecure or
inconvenient. Imagine large enterprise team with hundreds of projects. Imagine
level of inconvenience to create hundreds of identical settings.xml just to put
the same credentials hundreds of time there? Imagine how much pain is to change
such credentials. Even not speaking of build containers in the [old good
Jenkins build secrets are normally injected to build with environment
variables|[https://www.jenkins.io/doc/pipeline/steps/credentials-binding/]].
Convenient setup is to manage maven config in settings.xml and manage
credentials in a centralized secret manager. You're right the problem is not
limited to the cache. Ideally it should be supported in Maven core because. But
at this point it is possible to solve it in cache at least which will allow to
use cache in compliant manner in a properly secured build environments
was (Author: alex_ashitkin):
[~gnodet] putting credentials in settings.xml is either insecure or
inconvenient. Imagine large enterprise team with hundreds of projects. Imagine
level of inconvenience to create hundreds of identical settings.xml just to put
the same credentials hundreds of time there? Imagine how much pain is to change
such credentials. Even not speaking of build containers in the [old good
Jenkins build secrets are normally injected to build with environment
variables.|[https://www.jenkins.io/doc/pipeline/steps/credentials-binding/]]
Convenient setup is to manage maven config in settings.xml and manage
credentials in a centralized secret manager. You're right the problem is not
limited to the cache. Ideally it should be supported in Maven core because. But
at this point it is possible to solve it in cache at least which will allow to
use cache in compliant manner in a properly secured build environments
> Support remote cache credentials from environment variables
> ------------------------------------------------------------
>
> Key: MBUILDCACHE-33
> URL: https://issues.apache.org/jira/browse/MBUILDCACHE-33
> Project: Maven Build Cache Extension
> Issue Type: New Feature
> Reporter: Alexander Ashitkin
> Priority: Major
> Labels: pull-request-available
>
> In my current environment settings.xml are managed by a build team which is
> not allowing any modification because the same build service is used by all
> teams. Atop of that, maven build runs in a fresh container which doesn't have
> any credentials injected for security reasons. Because of that cache cannot
> read/deploy build artifacts to an authenticated http server. Still, our build
> service allows to inject credentials from environment variables into build
> container. Need to support cache setup without settings.xml by injecting
> environment variables:
> * MAVEN_BUILD_CACHE_DIRECT_CONNECT
> * MAVEN_BUILD_CACHE_USER
> * MAVEN_BUILD_CACHE_PASSWORD
> * MAVEN_BUILD_CACHE_PROXY_USER
> * MAVEN_BUILD_CACHE_PROXY_PASSWORD
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
