Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-18781

Build promotion shouldn't require build delete permission

          Details

          • Regression:
            Yes
          • Sprint:
            Leap 37

            Description

            Symptoms: After upgrading Artifactory, users can no longer promote builds.

            Steps to reproduce:

            1. Grant a regular Artifactory user the following permission set:
              For: All builds, relevant artifact repository

            Artifacts: Read, Annotate, Write 
            Builds: Read, Annotate, Write (not delete)

            1. Deploy a build as the regular user
            2. Attempt to promote the build with the same user
            3. Encounter a 403 Forbidden:

            curl -H"Content-type: Application/json" -ufrank:password -vv -XPOST --data @promo.json http://localhost:8081/artifactory/api/build/promote/maven-pipeline/2

            < HTTP/1.1 403 Forbidden
            < Server: Artifactory/6.7.0
            < X-Artifactory-Id: 4bffa16f00b34ba4:-6dd42b03:1697a60e3eb:-8000
            < Content-Type: application/json
            < Transfer-Encoding: chunked
            < Date: Fri, 15 Mar 2019 17:03:04 GMT
            <
            {
            "errors" : [

            { "status" : 403, "message" : "User 'frank' is not authorized to delete build info. Delete permission is needed." }

            ]

            }

            (promo.json)

            { "status":"staged", "timestamp":"2019-02-11T18:30:24.825+0200", "targetRepo":"libs-release-local", "copy":"true" }

            The exact same steps in Artifactory 6.5.9 and below succeed. This looks to be due to the new BuildInfo permission set, which treats the buildinfo.json as a file instead of metadata.

             

            Promotions do add additional information to the deployed JSON, which counts as an "overwrite." However, granting the "delete/overwrite" build permission allows users to both promote builds and delete other builds.

            In earlier versions, only Artifactory Admins could delete builds, but any user could run a promotion. In earlier versions only "artifact deploy" access was needed to promote (To move artifacts from one repo to another).

            If users want to maintain earlier Artifactory behavior, they must now choose either to allow broad delete access on builds or limit who can promote builds. Neither are ideal from an administration perspective.

             

            Artifactory should allow regular users to promote builds without granting them "delete builds" access. This would allow users with many build deployers to easily maintain their promotion pipeline securely without overhauling their entire Artifactory permission set.

              Attachments

                Issue Links

                duplicates

                Bug - A problem which impairs or prevents the functions of the product RTFACT-18884 Promotion NPM build is not working without override permission

                • Normal - Major loss of function.
                • Resolved

                  Activity

                    People

                    • Assignee:
                      yuvalr Yuval Reches
                      Reporter:
                      patrickr Patrick Russell
                      Assigned QA:
                      Alex Dvorkin
                    • Votes:
                      4 Vote for this issue
                      Watchers:
                      10 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved: