Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-17962

An invalid HA propagation token can be created due to an invalid adminToken

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Priority: 3 - High
    • Resolution: Done
    • Affects Version/s: 6.4.0, 6.5.0, 6.5.8, 6.8.4
    • Fix Version/s: 6.10.0
    • Component/s: Access Tokens
    • Labels:
    • Severity:
      High

      Description

      The Admin Access token created is not revoked in case the Service ID was changed.

      This causes the the HA access token for HA propagation operations to be created with the wrong subject, which is composed of the service_id, to fail verification

      Sending node:

      2018-12-04 16:12:33,102 [art-exec-12] [WARN ] (o.a.a.h.p.HaPropagationServiceImpl:511) - Invalid serviceId jfrt@01cx654e53fp5e11m2p16n1vfh
      2018-12-04 16:12:33,102 [Thread-5] [ERROR] (o.a.a.h.p.HaPropagationServiceImpl:207) - Failed to propogate - sleeping...
      

      Receiving node:

      2018-12-04 16:12:34,826 [http-nio-8082-exec-1] [WARN ] (o.a.a.h.p.HaPropagationServiceImpl:511) - Invalid serviceId jfrt@01cx654e53fp5e11m2p16n1vfh
      2018-12-04 16:12:34,826 [http-nio-8082-exec-1] [ERROR] (o.a.a.h.r.HaRestAuthenticationFilter:73) - Error authenticating HA rest request from _system_@primary
      

      Steps to reproduce

      1. Import a new Service ID by placing creating a file under the primary node in $ARTIFACTORY_HOME/etc/security/access/keys/service_id. E.g.:

      jfrt@01cxw7ehyhf6yb025z7whn098v

      2. Check the artifactory.log and see that the service ID was updated:

      2018-12-04 16:49:42,832 [art-init] [INFO ] (o.a.s.a.AccessServiceImpl:370) - Initialized new service id: jfrt@01cxw7ehyhf6yb025z7whn098v

      3. See that the adminToken under the file system (above 6.4.0) remained unchanged:

      etc/security/access/access.admin.token

      4. See that the HA propagation token created and used would not be validated due to a mismatch of serviceID and HA propagation errors would occur.

      Workaround:

      Delete the adminToken on the primary node and restart the nodes one by one.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              omriz Omri Ziv
              Reporter:
              andreik Andrei Komarov
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Sync Status

                  Connection: RTFACT Sync
                  RTMID-17962 -
                  SYNCHRONIZED
                  • Last Sync Date: