Creating an Automatic Admin Token
From Artifactory release 7.38.4.
JFrog enables companies to create their own admin-scoped access token without using the JFrog Platform UI or via another token. This Access admin-scoped token is designed to be used for a short time only and its purpose is to start up the system. This provides customers with the option of setting up their JFrog Platform in an automated, fully UI-free setup.
To securely-generate the "first" admin-scoped access tokens, without relying on a previous token or basic credentials:
Generate an admin-scoped token by placing a generate.token.json
file under the $JFROG_HOME/artifactory/var/bootstrap/etc/access/keys
directory. For example:
$JFROG_HOME/artifactory/var/bootstrap/etc/access/keys/generate.token.json
When bootstrapping, if this file is created, this will generate a token and set it under the $JFROG_HOME/artifactory/var/etc/access/keys/
directory
. For example:
$JFROG_HOME/artifactory/var/etc/access/keys/token.json
The generate.token.json
file will be deleted from the file system once the token has been generated. The file containing the token, token.json
, will be deleted by default after 1 minute. This can be changed via the access.config.yaml
, by modifying the parameter bootstrap-token-delete-in-minutes
(in $JFROG_HOME/artifactory/var/etc/access/access.config.template.yml
).
The resulting token's properties are as follows:
- The generated token is limited to a 15 minute expiry, after which the system will revoke the token.
- The token is admin-scoped for permissions
- The token has an audience of access service: jfac@*
- The token has the subject "admin" - even if the admin user does not exist
For Docker installations, you will need to mount the bootstrap directory.
Creating Your Keys
By default the join.key and master.key files are automatically generated by Artifactory during the initial start up of the service.
A different key (hexadecimal encoded) can be created using the following command.
openssl rand -hex 16 /or openssl rand -hex 32
Bootstrapping with Your Own Keys
There are two ways to manually update your keys: file copy and/or bootstrap via the system.yaml
file.
Bootstrapping Keys Using the system.yaml File
This method only applies if you have installed but not started your service yet.
- Save the security section of the system yaml file with the generated string for each key using masterKey parameter for the Master Key and joinKey parameter for the Join Key.
- Start the service.
Bootstrapping the join.key Using File System
This method can be used even if you already have a join.key
- Save the generated string file as join.key.
Delete the existing join.key from
$JFROG_HOME/artifactory/var/etc/security/
.- Place each file in the
$JFROG_HOME/artifactory/var
/bootstrap/access/etc/security
directory. Add the Artifactory permissions to the directories and the join.key file. For example,
chown -R artifactory:artifactory access/etc/security/join.key
- Start the service.
Managing the join.key
By default, a join.key is automatically generated and stored in the Access database during Access startup.
The join.key is then automatically copied by Access to Artifactory over the file system and is re-provisioned every time the services are restarted.
Access shares the join.key with Artifactory by copying it to the following location:
$JFROG_HOME/artifactory/var/etc/security/join.key
Upgrading to Artifactory 6.8 automatically initiates and generates the join.key
mechanism.
Managing join.keys in HA
There should only be one join.key
per HA cluster since the Access database is shared across all nodes of an HA cluster.
In case a join key is provided and not generated by the system, it can be provided to a single cluster node as it will be propagated to all nodes of the cluster by the system.