Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-15146

Docker pull replication fail if anonymous user in replicating Artifactory doesn't have read permissions

    XMLWordPrintable

    Details

      Description

      To reproduce:
      1. Configure a pull replication between Docker repositories.
      2. In the replicating Artifactory (The one that holds the images), go to permission targets and remove all permissions from anonymous user. (Note: disabling Anonymous Access is not enough)
      3. Trigger the pull replication

      Error:
      The replicating Artifactory fails to transfer the Docker images:

      artifactory.log of the source Artifactory (The one that is triggering the pull replication)

      2018-01-17 15:01:00,915 [http-nio-8082-exec-9] [INFO ] (o.a.u.r.s.a.c.r.r.ExecuteRemoteReplicationService:105) - Scheduling remote replication task for repository docker-remote
      2018-01-17 15:01:00,916 [http-nio-8082-exec-9] [INFO ] (o.a.a.r.c.ReplicationAddonImpl:575) - Activating manual remote repository replication for 'docker-remote'
      2018-01-17 15:01:00,917 [http-nio-8082-exec-9] [INFO ] (o.a.a.r.c.ReplicationDescriptorHandler:174) - Replication activated manually for repository 'docker-remote'
      2018-01-17 15:01:00,917 [art-exec-257] [INFO ] (o.a.a.c.BasicStatusHolder:221) - Starting remote folder replication for 'docker-remote'.
      2018-01-17 15:01:00,937 [art-exec-257] [INFO ] (o.a.a.r.c.BaseReplicationProducer:146) - Executing file list request: 'http://IP_RETRACTED:8081/artifactory/api/storage/docker-local/?list&deep=1&listFolders=1&mdTimestamps=1&statsTimestamps=1&includeRootPath=1'
      2018-01-17 15:01:00,975 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/manifest.json': Item not found.
      2018-01-17 15:01:00,976 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/manifest.json
      2018-01-17 15:01:00,982 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__00fd29ccc6f167fa991580690a00e844664cb2381c74cd14d539e36ca014f043': Item not found.
      2018-01-17 15:01:00,982 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__00fd29ccc6f167fa991580690a00e844664cb2381c74cd14d539e36ca014f043
      2018-01-17 15:01:00,989 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__275abb2c8a6f1ce8e67a388a11f3cc014e98b36ff993a6ed1cc7cd6ecb4dd61b': Item not found.
      2018-01-17 15:01:00,989 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__275abb2c8a6f1ce8e67a388a11f3cc014e98b36ff993a6ed1cc7cd6ecb4dd61b
      2018-01-17 15:01:00,998 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__50aff78429b146489e8a6cb9334d93a6d81d5de2edc4fbf5e2d4d9253625753e': Item not found.
      2018-01-17 15:01:00,998 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__50aff78429b146489e8a6cb9334d93a6d81d5de2edc4fbf5e2d4d9253625753e
      2018-01-17 15:01:01,009 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__9f15a39356d6fc1df0a77012bf1aa2150b683e46be39d1c51bc7a320f913e322': Item not found.
      2018-01-17 15:01:01,009 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__9f15a39356d6fc1df0a77012bf1aa2150b683e46be39d1c51bc7a320f913e322
      2018-01-17 15:01:01,020 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__f6d82e297bce031a3de1fa8c1587535e34579abce09a61e37f5a225a8667422f': Item not found.
      2018-01-17 15:01:01,021 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__f6d82e297bce031a3de1fa8c1587535e34579abce09a61e37f5a225a8667422f
      2018-01-17 15:01:01,033 [art-exec-257] [INFO ] (o.a.a.c.BasicStatusHolder:221) - Removing item 'docker-remote-cache:ubuntu6/_uploads'.
      2018-01-17 15:01:01,035 [replication-consumer-1516194060917-0] [WARN ] (o.a.r.s.RepositoryServiceImpl:952) - Cannot set properties on 'docker-remote-cache:ubuntu6/latest/sha256__fc0342a94c89e477c821328ccb542e6fb86ce4ef4ebbf1098e85669e051ef0dd': Item not found.
      2018-01-17 15:01:01,035 [replication-consumer-1516194060917-0] [ERROR] (o.a.a.c.BasicStatusHolder:214) - Unable to set properties for docker-remote-cache:ubuntu6/latest/sha256__fc0342a94c89e477c821328ccb542e6fb86ce4ef4ebbf1098e85669e051ef0dd
      2018-01-17 15:01:01,049 [art-exec-257] [INFO ] (o.a.a.c.BasicStatusHolder:221) - Completed remote folder replication for docker-remote/ with 0 deployed files, 1 deleted files, 0 properties change, 0 statistics change, 0 mkDirs... average events per second 7.61 7 errors and 0 warnings were produced during the process.
      

      request.log of the replicating Artifactory:

      20180117150100|1|REQUEST|<ip>|anonymous|HEAD|/api/docker/docker-local/hello-world/latest/manifest.json|HTTP/1.1|403|0
      20180117150100|19|REQUEST|<ip>|admin|GET|/api/storage/docker-local/|HTTP/1.1|200|0
      20180117150100|2|REQUEST|<ip>|anonymous|HEAD|/api/docker/docker-local/hello-world/latest/sha256__ca4f61b1923c10e9eb81228bd46bee1dfba02b9c7dac1844527a734752688ede|HTTP/1.1|403|0
      20180117150100|3|REQUEST|<ip>|anonymous|HEAD|/api/docker/docker-local/hello-world/latest/sha256__f2a91732366c0332ccd7afd2a5c4ff2b9af81f549370f7a19acd460f87686bc7|HTTP/1.1|403|0
      20180117150100|2|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/manifest.json|HTTP/1.1|401|0
      20180117150100|2|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/manifest.json|HTTP/1.1|200|0
      20180117150100|1|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__00fd29ccc6f167fa991580690a00e844664cb2381c74cd14d539e36ca014f043|HTTP/1.1|401|0
      20180117150100|2|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__00fd29ccc6f167fa991580690a00e844664cb2381c74cd14d539e36ca014f043|HTTP/1.1|200|0
      20180117150100|1|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__275abb2c8a6f1ce8e67a388a11f3cc014e98b36ff993a6ed1cc7cd6ecb4dd61b|HTTP/1.1|401|0
      20180117150100|2|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__275abb2c8a6f1ce8e67a388a11f3cc014e98b36ff993a6ed1cc7cd6ecb4dd61b|HTTP/1.1|200|0
      20180117150100|1|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__50aff78429b146489e8a6cb9334d93a6d81d5de2edc4fbf5e2d4d9253625753e|HTTP/1.1|401|0
      20180117150100|3|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__50aff78429b146489e8a6cb9334d93a6d81d5de2edc4fbf5e2d4d9253625753e|HTTP/1.1|200|0
      20180117150101|2|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__9f15a39356d6fc1df0a77012bf1aa2150b683e46be39d1c51bc7a320f913e322|HTTP/1.1|401|0
      20180117150101|3|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__9f15a39356d6fc1df0a77012bf1aa2150b683e46be39d1c51bc7a320f913e322|HTTP/1.1|200|0
      20180117150101|2|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__f6d82e297bce031a3de1fa8c1587535e34579abce09a61e37f5a225a8667422f|HTTP/1.1|401|0
      20180117150101|3|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__f6d82e297bce031a3de1fa8c1587535e34579abce09a61e37f5a225a8667422f|HTTP/1.1|200|0
      20180117150101|2|REQUEST|<ip>|non_authenticated_user|GET|/api/storage/docker-local/ubuntu6/latest/sha256__fc0342a94c89e477c821328ccb542e6fb86ce4ef4ebbf1098e85669e051ef0dd|HTTP/1.1|401|0
      20180117150101|3|REQUEST|<ip>|admin|GET|/api/storage/docker-local/ubuntu6/latest/sha256__fc0342a94c89e477c821328ccb542e6fb86ce4ef4ebbf1098e85669e051ef0dd|HTTP/1.1|200|0
      

      Note this entry:

      20180117150100|1|REQUEST|<ip>|anonymous|HEAD|/api/docker/docker-local/hello-world/latest/manifest.json|HTTP/1.1|403|0
      

      The source Artifactory is sending a HEAD request to the replicating Artifactory. This HEAD request is being sent without credentials, therefore, returns 403.
      If the anonymous user has read permissions for this repository, the HEAD request returns 200 and the replication process proceeds.

        Attachments

          Activity

            People

            Assignee:
            yuvalr Yuval Reches
            Reporter:
            matank Matan Katz
            Votes:
            3 Vote for this issue
            Watchers:
            8 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: