Overview

Most of the parameters governing the behavior of Access are configured through a YAML configuration file found in the $ACCESS_HOME/etc folder. Parameters relating to the Access administrator are configured through a separate credentials file, bootstrap.creds, through which you can control the Admin password and allow REST API calls to be made from different servers.

The Access Administrator

In some cases, different services need to communicate with Access directly through its REST API. These REST calls may be authenticated using the Admin user of the Access service to which you are making the call.

By default, there is only one user defined for an Access service; this is its Admin user, which is:

access-admin

Upon installation, a random password is generated for the Access Admin user and is stored in the $ARTIFACTORY_HOME/etc/security/access/bootstrap.creds configuration file.

To modify the Access admin password, you need to modify the corresponding entry in the bootstrap.creds file.

Don't confuse the Access Admin user with Artifactory Admin users

Access is a service that is separate from Artifactory. By default, it has only one user defined, the Admin user, which is called access-admin.

Don't confuse this with any Admin user defined in Artifactory. Those can be used to make REST API calls on Artifactory. When setting up access federation in Artifactory, you are making REST API calls on the Access service, not on Artifactory.

Preparing The Credentials File

By default, the Access service comes with the password specified in the previous section, and can only be operated by REST API calls made from the same physical server on which the service resides (localhost). Using the credentials file, you can change the administrator password and let REST API calls be made from another server.

To prepare the credentials file:

  1. Create a file called bootstrap.creds 

    Artifactory HA version under 6.8.0

    If you are running an Artifactory HA cluster, make sure to make the changes on the primary node. After the last step, perform a rolling restart of the cluster (restart each node, starting from the master node).

  2. Populate the file with the following content:

    access-admin@<ipaddress>=password

    where:
    - <ipaddress>: the IP address of the server from which you want to make REST API calls to the Access service (to restrict this to be only from the same server, use localhost or 127.0.0.1). You can use wildcards to specify a range of IPs, for example, access-admin@*=password

    - password: the password to be used for the access-admin user
    You can create the file with multiple lines to create multiple Access Administrators:

    access-admin1@<ipaddress>=password1
    access-admin2@<ipaddress>=password2
  3. Place the bootstrap.creds file under $ARTIFACTORY_HOME/access/etc on the server where the Access service resides 
  4. You now need to assign 600 Linux permissions (Owner read & write) to the file:

     $ chmod 600 bootstrap.creds


    Exactly 600

     The permission assigned must be exactly 600. Neither a more permissive nor a more restrictive permission setting will work.

  5. Restart the Access service by restarting the corresponding Artifactory instance.
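
An added check for the procedure above (not part of the original documentation or of JFrog's tooling): it confirms the file mode is exactly 600 and classifies each entry by source host, so wildcard entries stand out for review before the restart. The function names and the line grammar (split at the first @ and the = that follows it) are assumptions inferred from the examples on this page.

```shell
#!/bin/sh
# Added example: audit bootstrap.creds before restarting Access.
# The user@host=password grammar is inferred from the examples on this page.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify one entry as local, remote, wildcard or malformed.
classify_line() {
    case $1 in
        *@*=*) ;;
        *) echo malformed; return ;;
    esac
    user=${1%%@*}; rest=${1#*@}
    host=${rest%%=*}; pass=${rest#*=}
    case $user in ''|*=*) echo malformed; return ;; esac
    if [ -z "$host" ] || [ -z "$pass" ]; then echo malformed; return; fi
    case $host in
        *\**) echo wildcard ;;              # matches a range of source IPs
        localhost|127.0.0.1) echo local ;;  # same-server calls only
        *) echo remote ;;
    esac
}

# Report every entry without printing its password. Returns non-zero when
# the mode is not exactly 600 or an entry is malformed.
audit_creds() {
    rc=0
    mode=$(file_mode "$1") || return 2
    if [ "$mode" != 600 ]; then
        echo "mode is $mode, must be exactly 600"; rc=1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        kind=$(classify_line "$line")
        case $kind in
            malformed) echo "line $n: malformed entry"; rc=1 ;;
            *) echo "line $n: ${line%%=*} ($kind)" ;;
        esac
    done < "$1"
    return $rc
}

if [ "$#" -gt 0 ]; then audit_creds "$1"; fi
```

Run it with the path to bootstrap.creds as the only argument; a wildcard entry is reported but does not fail the audit, since the page permits wildcards.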


Changing the Default Password

To change the default password for the access-admin user, simply follow the steps described in Preparing the Credentials File while populating the bootstrap.creds file with either of:

access-admin@localhost=<new-password>
or
access-admin@127.0.0.1=<new-password>

If you change the default password, make sure to exclude the Access administrator users from federation

Artifactory may use the Access administrator user and password to communicate with the Access service and perform different functions. When configuring access federation, if you synchronize the Access administrator user from a source Access service to a target Access service which has a different Access administrator password, the target Artifactory service will not be able to communicate with its Access service. Therefore, if you change the default password on either the source or target Access services, make sure to exclude the Access administrator user from access federation.

As a best practice, we recommend excluding the Access administrator user from access federation.



YAML Configuration File

As described, most of the parameters governing the behavior of Access are configured through a YAML configuration file found in the $ACCESS_HOME/etc folder. For details, please refer to YAML Configuration File.


Access Service Logs

The Access service uses the Logback Framework to manage logging. Activity is logged according to type in three different log files which can be found under the ARTIFACTORY_HOME/access/logs folder.

The following log files are available: 

- access.log: This is the main Access service log file containing data on the Access server activity.
- request.log: The HTTP traffic information for requests coming in. Most of these are from Artifactory.
- audit.log: Auditing of the actions performed by the service. Currently only successful actions are recorded (e.g. token was created, token was refreshed or revoked).

Since the Access service runs under the same Tomcat as Artifactory, its logs (catalina.out, localhost, etc.) contain entries for both Artifactory and Access.

Configuring Logging

Logging for the Access service is configured in the $ARTIFACTORY_HOME/access/etc/logback.xml file.