- Type: Bug
- Status: Done
- Resolution: Done
- Affects Version/s: 6.7.0
- Fix Version/s: None
- Component/s: Build Info, Build Info Repository
- Labels:
- Severity: High
- Regression: Yes
Symptoms: After upgrading Artifactory, users can no longer promote builds.
Steps to reproduce:
- Grant a regular Artifactory user the following permission set:
  For: All builds, relevant artifact repository
  Artifacts: Read, Annotate, Write
  Builds: Read, Annotate, Write (not delete)
- Deploy a build as the regular user
- Attempt to promote the build with the same user
- Encounter a 403 Forbidden:
curl -H"Content-type: Application/json" -ufrank:password -vv -XPOST --data @promo.json http://localhost:8081/artifactory/api/build/promote/maven-pipeline/2
< HTTP/1.1 403 Forbidden
< Server: Artifactory/6.7.0
< X-Artifactory-Id: 4bffa16f00b34ba4:-6dd42b03:1697a60e3eb:-8000
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Fri, 15 Mar 2019 17:03:04 GMT
<
{
"errors" : [
]
}
(promo.json)
{ "status":"staged", "timestamp":"2019-02-11T18:30:24.825+0200", "targetRepo":"libs-release-local", "copy":"true" }

The exact same steps in Artifactory 6.5.9 and below succeed. This looks to be due to the new BuildInfo permission set, which treats the buildinfo.json as a file instead of metadata.
Promotions do add additional information to the deployed JSON, which counts as an "overwrite." However, granting the "delete/overwrite" build permission allows users to both promote builds and delete other builds.
In earlier versions, only Artifactory Admins could delete builds, but any user could run a promotion. In earlier versions, only "artifact deploy" access was needed to promote (to move artifacts from one repo to another).
If users want to maintain earlier Artifactory behavior, they must now choose either to allow broad delete access on builds or to limit who can promote builds. Neither is ideal from an administration perspective.
Artifactory should allow regular users to promote builds without granting them "delete builds" access. This would allow users with many build deployers to easily maintain their promotion pipeline securely without overhauling their entire Artifactory permission set.
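The trade-off described above can be audited from an export of permission targets. This is an added example, not code from the ticket or from Artifactory: it lists non-admin principals whose build permissions leave promotion blocked and those who were given build delete. The JSON layout, the key names and the function name `audit_build_permissions` are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample. The layout (separate "repo" and "build" sections with
# per-user/per-group action lists) is an assumption, not taken from the ticket.
SAMPLE_TARGETS = json.loads("""
[
  {"name": "pipeline-deployers",
   "build": {"include-patterns": ["**"],
             "actions": {"users": {"frank": ["read", "annotate", "write"],
                                   "ci-bot": ["read", "annotate", "write", "delete"]},
                         "groups": {"release-managers": ["read", "write", "delete"]}}}},
  {"name": "admins-only",
   "build": {"include-patterns": ["**"],
             "actions": {"users": {"admin": ["read", "write", "delete", "manage"]}}}},
  {"name": "repo-only",
   "repo": {"repositories": ["libs-release-local"],
            "actions": {"users": {"frank": ["read", "write"]}}}}
]
""")

def audit_build_permissions(targets, admins=frozenset()):
    """Classify non-admin principals by the trade-off described in the ticket.

    Returns (promotion_blocked, delete_exposed): two sorted lists of
    (target, kind, principal, include_patterns) tuples.
    """
    blocked, exposed = [], []
    for target in targets:
        build = target.get("build")
        if not build:  # target grants nothing on builds
            continue
        patterns = tuple(build.get("include-patterns", []))
        for kind in ("users", "groups"):
            for principal, actions in build.get("actions", {}).get(kind, {}).items():
                if kind == "users" and principal in admins:
                    continue  # admins (users only) could always delete builds
                granted = {a.lower() for a in actions}
                row = (target["name"], kind, principal, patterns)
                if "delete" in granted:
                    exposed.append(row)  # can promote, but can also delete builds
                elif "write" in granted:
                    blocked.append(row)  # can deploy builds; promotion gets 403 on 6.7.0
    return sorted(blocked), sorted(exposed)

if __name__ == "__main__":
    blocked, exposed = audit_build_permissions(SAMPLE_TARGETS, admins={"admin"})
    for label, rows in (("promotion blocked", blocked), ("build delete granted", exposed)):
        for name, kind, principal, patterns in rows:
            print(f"{label}: {kind[:-1]} {principal} via {name} on {list(patterns)}")
```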
- duplicates RTFACT-18884 Promotion NPM build is not working without override permission (Done)
- is related to RTFACT-19287 Promote build plugin endpoint requires delete permissions (Done)