Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-18781

Build promotion shouldn't require build delete permission

    XMLWordPrintable

    Details

    • Severity:
      High
    • Regression:
      Yes

      Description

      Symptoms: After upgrading Artifactory, users can no longer promote builds.

      Steps to reproduce:

      1. Grant a regular Artifactory user the following permission set:
        For: All builds, relevant artifact repository

      Artifacts: Read, Annotate, Write 
      Builds: Read, Annotate, Write (not delete)

      1. Deploy a build as the regular user
      2. Attempt to promote the build with the same user
      3. Encounter a 403 Forbidden:

      curl -H"Content-type: Application/json" -ufrank:password -vv -XPOST --data @promo.json http://localhost:8081/artifactory/api/build/promote/maven-pipeline/2

      < HTTP/1.1 403 Forbidden
      < Server: Artifactory/6.7.0
      < X-Artifactory-Id: 4bffa16f00b34ba4:-6dd42b03:1697a60e3eb:-8000
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Fri, 15 Mar 2019 17:03:04 GMT
      <
      {
      "errors" : [

      { "status" : 403, "message" : "User 'frank' is not authorized to delete build info. Delete permission is needed." }

      ]

      }

      (promo.json)

      { "status":"staged", "timestamp":"2019-02-11T18:30:24.825+0200", "targetRepo":"libs-release-local", "copy":"true" }

      The exact same steps in Artifactory 6.5.9 and below succeed. This looks to be due to the new BuildInfo permission set, which treats the buildinfo.json as a file instead of metadata.

       

      Promotions do add additional information to the deployed JSON, which counts as an "overwrite." However, granting the "delete/overwrite" build permission allows users to both promote builds and delete other builds.

      In earlier versions, only Artifactory Admins could delete builds, but any user could run a promotion. In earlier versions only "artifact deploy" access was needed to promote (To move artifacts from one repo to another).

      If users want to maintain earlier Artifactory behavior, they must now choose either to allow broad delete access on builds or limit who can promote builds. Neither are ideal from an administration perspective.

       

      Artifactory should allow regular users to promote builds without granting them "delete builds" access. This would allow users with many build deployers to easily maintain their promotion pipeline securely without overhauling their entire Artifactory permission set.

        Attachments

          Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product RTFACT-18884 Promotion NPM build is not working without override permission

          • Done
          is related to

          Bug - A problem which impairs or prevents the functions of the product RTFACT-19287 Promote build plugin endpoint requires delete permissions

          • Done

            Activity

                People

                Assignee:
                yuvalr Yuval Reches (Inactive)
                Reporter:
                patrickr Patrick Russell
                Votes:
                4 Vote for this issue
                Watchers:
                10 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:

                    Sync Status

                    Connection: RTFACT Sync
                    RTMID-18781 -
                    SYNCHRONIZED
                    • Last Sync Date: