Uploaded image for project: 'Jenkins Artifactory Plug-in'
  1. Jenkins Artifactory Plug-in
  2. HAP-1219

Deploying artifacts from buildInfo fails to use the set credentialsId (uses anonymous)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: 4 - Normal
    • Resolution: Done
    • Affects Version/s: 3.3.2
    • Fix Version/s: 3.4.0
    • Component/s: Release Management
    • Labels:
      None
    • Environment:

      Artifactory version: 6.8.7

      Jenkins: 2.164.2

      Description

      I have made a very simple scripted pipeline that basically does

      1. Configure an
        1. an Artifactory server reference, with a set of stored Jenkins credentials by referencing the credentialsId.
        2. A maven builder that doesn't automatically deploy artifacts when building them
      2. Builds a very simple java HelloWorld example
      3. Publishes the build information (this correctly uses the credentials referenced by the credentialsId
      4. Deploys the build artifacts using the buildInfo object
        1. This fails, as it is not using the referenced credentials, and thus uses the anonymous user which doesn't have access to deploy artifacts to the specified local repository in Artifactory.
        2. This is verified from the Artifactory access log, where the publishing of the buildInfo successfully has the service account user on the access line, however the deployment of the artifacts is rejects with "NA" as the user and then the IP of my Jenkins server.

      This requires me to either

      1. Hardcore the username / password in my Jenkins file, which is really not ideal
      2. Allow anonymous deployments, again not really ideal

      The used pipeline goes something like this:

      #!/usr/bin/env groovy
      
      node {
      
          def rtServer = Artifactory.server 'server-id'
          rtServer.credentialsId = "svc-user"   
      
          def buildInfo = Artifactory.newBuildInfo()
      
          def rtMaven = Artifactory.newMavenBuild()
          rtMaven.tool = 'maven3'
          rtMaven.resolver server: server, releaseRepo: 'libs-release', snapshotRepo: 'libs-snapshot'
          rtMaven.deployer server: server, releaseRepo: 'my-snapshots-local', snapshotRepo: 'my-snapshots-local'
          rtMaven.deployer.deployArtifacts = false
      
          stage ("checkout") {
              def scmVars = checkout scm
          }
      
          stage ("build") {
              rtMaven.run pom: 'pom.xml',
                  goals: 'clean package',
                  buildInfo: buildInfo
          }
      
          stage ("deploy") {
              // This step successfully uses the specified credentials
              rtServer.publishBuildInfo buildInfo
      
              // This step fails to use the specified credentials
              rtMaven.deployer.deployArtifacts buildInfo
          }
      }
      

      After looking in the source code a bit I figured that

       

      1. The buildInfo is published by GenericBuildInfoDeployer.deploy()#L62 which uses the external build-info utility (org.jfrog.build.extractor.retention.Utils) for all the heavy lifting.
      2. Regarding artifact deployment, then i traced the issue to somewhere around Deployer.deployArtifacts()#L182.  The credentials object obtained at L182 has an empty username and password set.

      I have tried building my own plugin with some added debug information from the deployer CredentialsConfig object.  

        1. Credentials.getUsername() and Credentials.getPassword() of the returned Credentials object of L182 returns the empty string.
        2. CredentialsConfig.isCredentialsProvided() is true
        3. CredentialsConfig.getCredentialsId() returns the credentials string that I supplied.
        4. CredentialsConfig.getUsername() and CredentialsConfig.getPassword() returns the empty string (obviously)

       I will try and debug the PluginsUtils.credentialsLookup method tomorrow and see if this helps narrow down the issue.

      Issue was found, see comment bellow.  Just for reference, this is another great example of how notoriously bad Artifactory us at giving useful error messages and/or log messages at the server side.

      The following is the error message you get when you try to publish build information, with insufficient permissions:

      java.io.IOException: Could not publish build-info: Failed to send build descriptor. 403 Response message: {
      "errors" : [ {
      "status" : 403,
      "message" : "User svc-jenkins-test is not permitted to deploy 'artifactory-test %3A%3A java-hello-world-with-maven %3A%3A master/6-1563200346539.json' into 'artifactory-build-info:artifactory-test %3A%3A java-hello-world-with-maven %3A%3A master/6-1563200346539.json'."
      

      Whereas this is the error you get when trying to deploy, with insuficient permissions:

      java.io.IOException: Failed to deploy file. Status code: 401 Response message: Artifactory returned the following errors: 
      Unauthorized Status code: 401

       

        Attachments

          Activity

            People

            Assignee:
            eyalb Eyal Ben Moshe
            Reporter:
            Reenberg Jesper
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: