JFrog Distribution Features and Functionality
The following table displays the supported features and functionality for Distribution according to the required environment.
|Comprehensive REST API|
|Set Access Permissions|
|Create Release Bundles|
|Auditing and Traceability|
|Secured & Protected Release Bundles|
|Edge-based Software Distribution|
|Third-Party Access (Read-Only)|
The Distribution Flow
The high-level distribution flow has two main steps:
Creating a Release Bundle
A Release Bundle can be created in the JFrog Platform WebUI or by calling the Create Release Bundle REST API endpoint in JFrog Distribution. The call specifies a variety of parameters, including the files that make up the Release Bundle and the properties associated with it. Because a Release Bundle is immutable, the files included in it cannot be deleted from Artifactory: they are automatically copied and saved into a separate Release Bundle repository, where their contents cannot be edited or removed. JFrog Distribution collects the required metadata about the artifacts specified in the request by using an AQL query.
Info: Scanning Your Release Bundles by Xray
To scan your Release Bundle by JFrog Xray, the Release Bundle must first be declared as an indexed resource. For more information, see Indexing Resources.
Distributing a Release Bundle
A Release Bundle can be distributed in the JFrog Platform WebUI or by calling the Distribute Release Bundle REST API endpoint in JFrog Distribution.
Info: Blocking Release Bundle Distribution
Setting a Watch on a Release Bundle, where the Watch contains a Policy set with a Block Distributing action, automatically blocks distribution of the infected Release Bundle based on the Xray scanning results. For more information, see Distributing Release Bundles.
The distribution process includes the following steps:
- Start a distribution transaction
In steps 1-3, JFrog Distribution queries JFrog Mission Control for details of the distribution target nodes: JFrog Artifactory Edges ("Edge nodes"). It then primes the Edge nodes to receive the distributed packages by providing information about distributed files such as their checksum, and providing a GPG key to validate the authenticity of the bundle as a whole.
- Transfer files with smart replication
In steps 4-6, JFrog Distribution invokes the Replicator on the source Artifactory which distributes files over to the Edge nodes by replicating them.
- End a distribution transaction
In step 7, JFrog Distribution notifies the Edge nodes that the transaction is complete. In turn, each Edge node validates authenticity of the transferred bundle using the GPG key provided when the transaction started. It then validates the integrity of the transferred files by validating their checksum and hosts them in the correct place as specified in the release bundle.
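The checksum step of the end-of-transaction validation described above, as an added example (not JFrog's code). It assumes the bundle signature has already been verified, and it uses a hypothetical manifest of path/sha256 entries; validate_transfer, sha256_file and the manifest layout are illustrative names, not part of JFrog Distribution.

```python
import hashlib
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large artifacts are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_transfer(staging_dir, manifest):
    """Check staged files against manifest entries {"path", "sha256"}.
    Assumption: the manifest signature was verified earlier, so its
    checksums are trusted. The manifest layout is hypothetical."""
    root = Path(staging_dir).resolve()
    report = {"ok": [], "missing": [], "mismatched": [],
              "rejected": [], "unexpected": []}
    expected = set()
    for entry in manifest:
        target = (root / entry["path"]).resolve()
        # Refuse entries that would place a file outside the staging root.
        if root not in target.parents:
            report["rejected"].append(entry["path"])
            continue
        expected.add(target)
        if not target.is_file():
            report["missing"].append(entry["path"])
        elif sha256_file(target) != entry["sha256"].lower():
            report["mismatched"].append(entry["path"])
        else:
            report["ok"].append(entry["path"])
    # Files on disk that the manifest does not list also fail the transfer.
    for found in root.rglob("*"):
        if found.is_file() and found.resolve() not in expected:
            report["unexpected"].append(str(found.relative_to(root)))
    failures = ("missing", "mismatched", "rejected", "unexpected")
    report["accept"] = not any(report[key] for key in failures)
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as staging:  # constructed sample input
        Path(staging, "app.zip").write_bytes(b"constructed artifact")
        good = [{"path": "app.zip",
                 "sha256": hashlib.sha256(b"constructed artifact").hexdigest()}]
        print(validate_transfer(staging, good)["accept"])
```

The transfer is accepted only when every listed file is present with a matching checksum and nothing unlisted is in the staging directory.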
Downloading a Release Bundle
The artifacts distributed as a Release Bundle to Artifactory or Artifactory Edge can be downloaded using different package clients, such as the Docker client, npm client, etc. In addition, artifacts can be downloaded using the JFrog CLI:
jfrog rt dl --bundle bundle_name/bundle_version
The JFrog CLI provides additional download options. For example, the Release Bundle Bill of Materials can be filtered to download only zip files from a specific Release Bundle version:
jfrog rt dl "*.zip" --bundle bundle_name/bundle_version