Artifactory Binary Repository / RTFACT-11955

GitLFS repositories that require authentication don't work when "Allow Anonymous Access" is enabled



    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.0
    • Component/s: Git LFS
    • Labels:


      A newly git init'd GitLFS directory won't try to authenticate on the first push – it attempts to connect anonymously. GitLFS expects the LFS server to respond with an HTTP 401 error if authentication is required. Upon receiving the 401 response, Git will:

      a. Retry with authentication.
      b. Update ./.git/config with an entry for the specific repo (host:port/reponame), which contains an "access=basic" flag.

      After the "access=basic" flag is written to the config file, GitLFS will always authenticate with the repo.

      In Artifactory, if the global "Allow Anonymous Access" option is enabled under Security -> Admin -> General, but the GitLFS repo permissions don't allow anonymous deploy, Artifactory denies the deploy and responds with an HTTP 200. This causes GitLFS to never try to authenticate, and the to-be-deployed files are skipped.

      Suggested fix is to have Artifactory respond to git with a 401 rather than a 200 when anonymous access is denied, so that GitLFS knows that it needs to authenticate.

      Workaround: If "Allow Anonymous Access" is disabled under the general security settings and another push attempt is made: Artifactory responds with 401, GitLFS retries with authentication, and the files are deployed. GitLFS then updates the config file with "access=basic" and remembers to authenticate in the future. "Allow Anonymous Access" can then be re-enabled, and GitLFS will continue to authenticate. This needs to be done for each individual repository and project, however, since the config entry is inside of the .git directory and is written for (host + port + repo_path).

      Another option is to update the config file/s manually on the client (create the same lines that GitLFS would upon receiving a 401 response).

      Steps to reproduce

      1. Set up a new Artifactory instance (tested with standalone 4.9.1). Leave all settings default.

      2. Create a new local GitLFS repo called "gitlfs."

      3. git clone an lfs-sample project, add some files to the directory, and track/add the file/s.
      Sample: https://github.com/abhilekh/lfs-sample

      4. Update ~/.gitconfig to point to the "gitlfs" repo.

      $ cat ~/.gitconfig
      url = ""

      5. Try to push. Credentials are not used and file uploads are skipped.

      $ git lfs push origin master
      Git LFS: (0 of 2 files, 2 skipped) 0 B / 89.89 MB

      Artifactory logs show a rejection against the anonymous user with a 200 response, request logs show the request came in from "anonymous," and "git lfs env" shows that it doesn't think it needs to authenticate against the repository:

      2016-07-16 13:07:55,320 [http-nio-8081-exec-6] [WARN ] (o.a.a.g.r.h.GitLfsLocalRepoHandlerImpl:186) - User anonymous, has no deploy permissions on path gitlfs/
      $ git lfs env
      git-lfs/1.2.0 (GitHub; linux amd64; go 1.6.1; git 9bd3b8e)
      git version 2.7.4
      Endpoint= (auth=none)

      6. In Artifactory, under admin -> security -> general, uncheck "Allow Anonymous Access."

      7. Try to push again. You will be prompted for credentials. Artifactory logs show that a 401 was returned to the "non_authenticated_user" request, and "$ git lfs env" shows that it's now using basic authentication against the repository:

      $ git lfs env
      git-lfs/1.2.0 (GitHub; linux amd64; go 1.6.1; git 9bd3b8e)
      git version 2.7.4
      Endpoint= (auth=basic)

      8. Now you can toggle "Allow Anonymous Access" to any state, and Git will always authenticate. This is because git has stored the authentication flag in the git directory, in ./.git/config

      ~/gitlfs/sample/lfs-sample/.git$ cat config
      [lfs ""]
       access = basic
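
The manual client-side workaround described above, as an added example that is not part of the original issue: shell functions that write the same "access = basic" entry into each clone's .git/config with `git config`. The function names are hypothetical, and the endpoint argument is assumed to be the exact Endpoint URL that `git lfs env` reports for the repository.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): pre-seed the per-endpoint
# "access = basic" entry that Git LFS would write after a 401,
# so clones authenticate even while the server answers 200.
# Function names are hypothetical; the endpoint is supplied by the caller.

# Print the current lfs.<endpoint>.access value for a repo ("none" if unset).
lfs_access() {
    local repo=$1 endpoint=$2
    git -C "$repo" config --local --get "lfs.${endpoint}.access" 2>/dev/null \
        || echo none
}

# Set access=basic for one repo unless it is already set.
# Echoes "updated" or "unchanged" so the caller can log what happened.
ensure_lfs_basic() {
    local repo=$1 endpoint=$2
    if [ "$(lfs_access "$repo" "$endpoint")" = basic ]; then
        echo unchanged
    else
        git -C "$repo" config --local "lfs.${endpoint}.access" basic \
            && echo updated
    fi
}

# Apply the setting to every git working copy directly under a parent
# directory; directories without a .git folder are skipped.
ensure_lfs_basic_all() {
    local parent=$1 endpoint=$2 d
    for d in "$parent"/*/; do
        [ -d "${d}.git" ] || continue
        printf '%s: %s\n' "${d%/}" "$(ensure_lfs_basic "$d" "$endpoint")"
    done
}

# Usage (endpoint copied from the "Endpoint=" line of `git lfs env`):
#   ensure_lfs_basic_all ~/gitlfs/sample "<endpoint-url>"
```

Because the entry is keyed on the endpoint URL, it has to be repeated for each repository, as the workaround notes.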




            nadavy Nadav Yogev
            mikem Mike Mitchell (Inactive)