  1. Artifactory Binary Repository
  2. RTFACT-18781

Build promotion shouldn't require build delete permission

    Details

    • Regression: Yes
    • Sprint: Leap 37

      Description

      Symptoms: After upgrading Artifactory, users can no longer promote builds.

      Steps to reproduce:

      1. Grant a regular Artifactory user the following permission set (for: all builds, relevant artifact repository):

         Artifacts: Read, Annotate, Write
         Builds: Read, Annotate, Write (not delete)

      2. Deploy a build as the regular user
      3. Attempt to promote the build with the same user
      4. Encounter a 403 Forbidden:

      curl -H"Content-type: Application/json" -ufrank:password -vv -XPOST --data @promo.json http://localhost:8081/artifactory/api/build/promote/maven-pipeline/2

      < HTTP/1.1 403 Forbidden
      < Server: Artifactory/6.7.0
      < X-Artifactory-Id: 4bffa16f00b34ba4:-6dd42b03:1697a60e3eb:-8000
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Fri, 15 Mar 2019 17:03:04 GMT
      <
      {
        "errors" : [
          { "status" : 403, "message" : "User 'frank' is not authorized to delete build info. Delete permission is needed." }
        ]
      }

      (promo.json)

      { "status":"staged", "timestamp":"2019-02-11T18:30:24.825+0200", "targetRepo":"libs-release-local", "copy":"true" }

      The exact same steps in Artifactory 6.5.9 and below succeed. This looks to be due to the new BuildInfo permission set, which treats the buildinfo.json as a file instead of metadata.

      Promotions do add additional information to the deployed JSON, which counts as an "overwrite." However, granting the "delete/overwrite" build permission allows users to both promote builds and delete other builds.

      In earlier versions, only Artifactory Admins could delete builds, but any user could run a promotion: only "artifact deploy" access was needed to promote (that is, to move artifacts from one repo to another).

      If users want to maintain earlier Artifactory behavior, they must now choose either to allow broad delete access on builds or to limit who can promote builds. Neither is ideal from an administration perspective.

      Artifactory should allow regular users to promote builds without granting them "delete builds" access. This would allow users with many build deployers to easily maintain their promotion pipeline securely without overhauling their entire Artifactory permission set.
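
      The trade-off described above can be audited from an export of permission targets. The following is an added example, not code from the issue or from Artifactory: it assumes the targets are available as JSON with "repo" and "build" sections that each carry actions.users and actions.groups, and every name in the sample (ci-deployers, promoters-workaround, alice, release-eng) is constructed. It lists which principals hold build delete (the workaround grant) and which can deploy builds but would hit the 403 on promotion.

```python
import json

# Constructed sample. Assumed layout: each permission target has optional
# "repo" and "build" sections with actions.users / actions.groups.
SAMPLE_TARGETS = json.loads("""
[
  {"name": "ci-deployers",
   "repo":  {"repositories": ["libs-release-local"],
             "actions": {"users": {"frank": ["read", "annotate", "write"]}}},
   "build": {"repositories": ["artifactory-build-info"],
             "actions": {"users": {"frank": ["read", "annotate", "write"]}}}},
  {"name": "promoters-workaround",
   "build": {"repositories": ["artifactory-build-info"],
             "actions": {"users": {"alice": ["read", "annotate", "write", "delete"]},
                         "groups": {"release-eng": ["read", "write", "delete"]}}}}
]
""")


def build_actions(targets):
    """Merge build-section actions per principal across all permission targets."""
    merged = {}
    for target in targets:
        actions = (target.get("build") or {}).get("actions") or {}
        for kind in ("users", "groups"):
            for name, granted in (actions.get(kind) or {}).items():
                merged.setdefault((kind[:-1], name), set()).update(granted)
    return merged


def audit(targets):
    """Split principals into those holding build delete and those blocked from promoting."""
    report = {"can_delete_builds": [], "promotion_blocked": []}
    for principal, granted in sorted(build_actions(targets).items()):
        if "delete" in granted:
            # Can promote, but can also delete other builds.
            report["can_delete_builds"].append(principal)
        elif "write" in granted:
            # Can deploy builds but gets the 403 shown above on promote.
            report["promotion_blocked"].append(principal)
    return report


if __name__ == "__main__":
    for bucket, principals in audit(SAMPLE_TARGETS).items():
        print(bucket, principals)
```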

              People

              • Assignee: yuvalr Yuval Reches
              • Reporter: patrickr Patrick Russell
              • Assigned QA: Alex Dvorkin
              • Votes: 4
              • Watchers: 10
